certbot 🚀 - DNS CAA query timeout

$:host xiangyang.li
xiangyang.li has address 120.25.157.108
xiangyang.li mail is handled by 5 mail.xiangyang.li.
xiangyang.li mail is handled by 10 mail2.xiangyang.li.

sh4wn on 24 Nov 2015

The server could not connect to the client for DV :: DNS query timed out

Still a DNS timeout probrom?

sh4wn on 24 Nov 2015

I'm updating the title of this because "self-verify" refers to something else in the client. I'm curious why you chose that wording though. Did you see output from the client saying that "Self-verify of challenge failed"? Do you have any logs you can show us?

bmw on 24 Nov 2015

"Self-verify of challenge failed." appeared in the dialog window

sh4wn on 24 Nov 2015

Error

sh4wn on 24 Nov 2015

Logs:

2015-11-24 14:13:12,210:DEBUG:letsencrypt.cli:Root logging level set at 30
2015-11-24 14:13:12,210:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-11-24 14:13:12,210:DEBUG:letsencrypt.cli:letsencrypt version: 0.0.0.dev20151123
2015-11-24 14:13:12,210:DEBUG:letsencrypt.cli:Arguments: ['-a', 'manual', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--agree-dev-preview', '-d', 'xiangyang.li']
2015-11-24 14:13:12,210:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-11-24 14:13:12,214:DEBUG:letsencrypt.cli:Requested authenticator manual and installer None
2015-11-24 14:13:12,219:DEBUG:letsencrypt.display.ops:Single candidate plugin: * manual
Description: Manually configure an HTTP server
Interfaces: IAuthenticator, IPlugin
Entry point: manual = letsencrypt.plugins.manual:Authenticator
Initialized: <letsencrypt.plugins.manual.Authenticator object at 0x41d9710>
Prep: True
2015-11-24 14:13:12,219:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.manual.Authenticator object at 0x41d9710> and installer None
2015-11-24 14:13:12,239:DEBUG:letsencrypt.cli:Picked account: <Account(92eedaddb9a47c274c973e63bc23706d)>
2015-11-24 14:13:12,240:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2015-11-24 14:13:12,245:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:13:14,992:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 263
2015-11-24 14:13:14,999:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '263', 'Expires': 'Tue, 24 Nov 2015 14:13:14 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:13:14 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '4hA8RFgf1T9AnwY1h7E6F096U3Ezfn-j08G94UAw1yQ'}. Content: '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2015-11-24 14:13:14,999:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '263', 'Expires': 'Tue, 24 Nov 2015 14:13:14 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:13:14 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '4hA8RFgf1T9AnwY1h7E6F096U3Ezfn-j08G94UAw1yQ'}): '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2015-11-24 14:13:15,036:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0070_key-letsencrypt.pem
2015-11-24 14:13:15,040:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0023_csr-letsencrypt.pem
2015-11-24 14:13:15,040:DEBUG:letsencrypt.client:CSR: CSR(file='/etc/letsencrypt/csr/0023_csr-letsencrypt.pem', data='0\x82\x02\x850\x82\x01m\x02\x000\x171\x150\x13\x06\x03U\x04\x03\x0c\x0cxiangyang.li0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xc8S\xea|\x06\xcbl5!\x00\xe7Z\xcfp\xfe\xd3\xe8Z"vYw\xfb\t\xa3\x90&$\xd7Ax\xac\xe1\xc4\xad\x01\xc0I\xd2\x1a\xba\x18\xd5)\xfe\xb9\xafO\x13k\xac\xe8\xc6\x8d\xbe]\x84#\xb1\x9d{jU\x11n\xd4\x95\xdfH\xc8\xd7\xce\x91\x14\x8aBM\xd3)\x85\xc8j\xb0\x97\xab\xff\x84\xff\xfd\xf2\x9d3vH\xda.\x1en\x1b\xb6\xb1\xe7PO20\x11\x84U\x97\x89\xdc|\x0b\x18\xc16\xac\x84F\xf8\x97X\xf3\xf1\xbc}N\x9b"W\x93\xaa\x82P\xba\xff\xe5\xed;\xe8\xae{\x01\xdf"\x1b`c7\xf1\xdb\x02\xb7\xfa\xe9,\xa1\xa0\x1c\xb1\x05\x12\xb9\x84\x97\xcac\xf1/\xf8\xba<\xb3\xc4|\x97\x03\xa7\xf5\xaa\x01 \xc16p\x97E\xc0(U\xfc=\xc1x\xf7\xef\x8co\xf8\x81\xfd@lX\xbc\x82\xa1\xc5\x85x]\x89\xb9\x11\xd2\t\xda\xd6\xac\xb4\xe1\x1a\xa6\x04\xb2\x9bu\xae\x8aD_\xceF\xb9\xb6\xb5\xf2\xf2\x8a]i.%\x88\xf5c\xa0~\xaa=\xd8>\n\xb8\x8b\x02\x03\x01\x00\x01\xa0*0(\x06\t*\x86H\x86\xf7\r\x01\t\x0e1\x1b0\x190\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0cxiangyang.li0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00X\xa8\x928E5$V\x05\xd5\xd7\x02N\x1f\x84u?\x03\xcbx\x99\x9a\xd8\xcd4\x99\x8b\x1d\x8b\',R\x85\xec1\x07\xda\x9e!4\xb9j\xc0x\x7fQ-3\x90w\xf4\xb4"G\xa4\x12<c\x15\xa3\x91\x8a~\xe0s\xaf!\xe1{\xbd\x11\xc5A`\xf5m\xf65\x8b\x82\xab\x83\xbb1\x8a4kL\xe4\xc77\xfb\x14~\x81%\x9a\x88\x1flF{\xdf\x82@\xa9\xf4)\x9c\xd8\xa4\xf9[\x8c|,\xd9!\xb2\xbf\x85\xc7\x84\xf7\xd3\xa1\xc0=\xcb\x88C-\xd2T\xf9\xea\x96\\\xdc1\x94\x1c\xb7\xf1\xe4+\xa7\xcey\xdb%\xeb\x1c\xa4S\xd5\xf2\\\xa10\xc9\x9cC\x07%v\xa6S(\xc6;\x90\xd4\x81,\x15\xda\xcc\xb5\xe0\xf3\x07VT\x0f\x19\xbe.~\xb7\xfc\xd50\x8bG\xcb\x8a9+\xcbe \x83\xf9#f\xa8\x16$%\x0b\x0fV\x87\xbc\xccwm\x7f\x87\xe1\xceS7\x81\x00\xdd\xa2\xae\xaeQ\x1f\xe6\xfey\xaf7\xces\x98_x.\x8e\xcf\x14Vn\x1fQIB9\xdf\xcb\xa8', form='der'), domains: ['xiangyang.li']
2015-11-24 14:13:15,040:DEBUG:root:Requesting fresh nonce
2015-11-24 14:13:15,040:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2015-11-24 14:13:15,042:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:13:23,583:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2015-11-24 14:13:23,587:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '0', 'Pragma': 'no-cache', 'Expires': 'Tue, 24 Nov 2015 14:13:23 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:13:23 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': '08W9xxjdjJf9R4RoROqBOubbSQ7UWQOoe6Ka-w6kbJI'}. Content: ''
2015-11-24 14:13:23,588:DEBUG:acme.client:Storing nonce: '\xd3\xc5\xbd\xc7\x18\xdd\x8c\x97\xfdG\x84hD\xea\x81:\xe6\xdbI\x0e\xd4Y\x03\xa8{\xa2\x9a\xfb\x0e\xa4l\x92'
2015-11-24 14:13:23,588:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, combinations=None, status=None
2015-11-24 14:13:23,588:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "xiangyang.li"}, "resource": "new-authz"}
2015-11-24 14:13:23,590:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jwk=None, x5u=None, kid=None, alg=None, cty=None, x5tS256=None, jku=None, x5t=None
2015-11-24 14:13:23,592:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), nonce=None, x5u=None, typ=None, kid=None, cty=None, x5tS256=None, jku=None, x5t=None
2015-11-24 14:13:23,593:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "pOpcSu2ynUl02RqT6Ws0uOYtU3pXX9Mg9j6iN3cDIte7R1e3O__GJx7D7y0srwyQe35K__DgLrVr3xlyycod_3glnyjs2kjrFF2vSQDsLbqmhJ9gAf2_VjeuR3I59mCLzusjPJ9fUa1ng-FRVziH_mV_MEa0Jnk7zde7GrweIVaEcg4WwCSZxaqV64nFFsAUQVlIFHdJzwVGQtRt8BqqwzzxrWa82SkPhL4B2iCD6BRGo4pe5qhRz1axlK2BPwbly3yrKstxhRMPm-uWh_suPiytKyUkfhYryN0c-qLBASOkUsO0F9aB9Am89Q60GPlMHiLzzj8Ok93gyhy3AQ4Fow"}}, "protected": "eyJub25jZSI6ICIwOFc5eHhqZGpKZjlSNFJvUk9xQk91YmJTUTdVV1FPb2U2S2EtdzZrYkpJIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJ4aWFuZ3lhbmcubGkifSwgInJlc291cmNlIjogIm5ldy1hdXRoeiJ9", "signature": "IyaYahnYliZNkAkyBOAIdJLyrbACgv_OrTHII2aBAmEFjcOkBWdpssDWVGTxiWS4vnqzylC0f9Ie_n6A3nTKjdamWZ1eXNru4lGowvJhW7xE_PhCXoXXk6V_z9OEv2VHszxtzjdxjylbbeERO9Ur3zFmAr4YVRe6zRMg1OhDwjisdNdEYPmAx78RCPDvA2luqT-TbOk3th2ws9ocUHeX0lEN4cBrAgFJNzXNoayeQV9zI74B7H4urVebYqGLt95y-3Cttp2rdllyHTWBqLGHQAyO5jza8CtILliLa3DXfWpNUMg_RiABWE3oNs4tGcao_dGuavrTRN8Hac3PiT71dg"}'}
2015-11-24 14:13:23,594:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:13:26,344:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 563
2015-11-24 14:13:26,346:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '563', 'Expires': 'Tue, 24 Nov 2015 14:13:25 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:13:25 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'I7t_h3arloTpsmu678YjTmVGK3QOz6VMi12NvR9qRtE'}. Content: '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"pending","expires":"2015-12-01T14:13:25.561750763Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465989","token":"99_3Ao-Z56pA6X46KcQZMCV1Q1NK-uWY-KS_MpDR4-U"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465990","token":"lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58"}],"combinations":[[1],[0]]}'
2015-11-24 14:13:26,347:DEBUG:acme.client:Storing nonce: '#\xbb\x7f\x87v\xab\x96\x84\xe9\xb2k\xba\xef\xc6#NeF+t\x0e\xcf\xa5L\x8b]\x8d\xbd\x1fjF\xd1'
2015-11-24 14:13:26,347:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '563', 'Expires': 'Tue, 24 Nov 2015 14:13:25 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:13:25 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'I7t_h3arloTpsmu678YjTmVGK3QOz6VMi12NvR9qRtE'}): '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"pending","expires":"2015-12-01T14:13:25.561750763Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465989","token":"99_3Ao-Z56pA6X46KcQZMCV1Q1NK-uWY-KS_MpDR4-U"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465990","token":"lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58"}],"combinations":[[1],[0]]}'
2015-11-24 14:13:26,348:INFO:letsencrypt.auth_handler:Performing the following challenges:
2015-11-24 14:13:26,348:INFO:letsencrypt.auth_handler:http-01 challenge for xiangyang.li
2015-11-24 14:13:34,332:DEBUG:acme.challenges:Verifying http-01 at http://xiangyang.li/.well-known/acme-challenge/lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58...
2015-11-24 14:13:34,334:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): xiangyang.li
2015-11-24 14:13:34,336:DEBUG:requests.packages.urllib3.connectionpool:"GET /.well-known/acme-challenge/lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58 HTTP/1.1" 200 87
2015-11-24 14:13:34,337:DEBUG:acme.challenges:Received <Response [200]>: 428vNeAyIyoWSDXaWh_-EH1znUkSas4IyE-sd4DLUMU.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8. Headers: {'Date': 'Tue, 24 Nov 2015 14:13:34 GMT', 'Content-Length': '87', 'Content-Type': 'text/plain; charset=utf-8', 'Connection': 'keep-alive', 'Server': 'nginx/1.8.0'}
2015-11-24 14:13:34,337:DEBUG:acme.challenges:Wrong Content-Type: found 'text/plain; charset=utf-8', expected 'text/plain'
2015-11-24 14:13:34,337:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.
2015-11-24 14:13:34,346:INFO:letsencrypt.auth_handler:Waiting for verification...
2015-11-24 14:13:34,346:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8", "type": "http-01", "resource": "challenge"}
2015-11-24 14:13:34,348:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jwk=None, x5u=None, kid=None, alg=None, cty=None, x5tS256=None, jku=None, x5t=None
2015-11-24 14:13:34,351:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), nonce=None, x5u=None, typ=None, kid=None, cty=None, x5tS256=None, jku=None, x5t=None
2015-11-24 14:13:34,351:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465990. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "pOpcSu2ynUl02RqT6Ws0uOYtU3pXX9Mg9j6iN3cDIte7R1e3O__GJx7D7y0srwyQe35K__DgLrVr3xlyycod_3glnyjs2kjrFF2vSQDsLbqmhJ9gAf2_VjeuR3I59mCLzusjPJ9fUa1ng-FRVziH_mV_MEa0Jnk7zde7GrweIVaEcg4WwCSZxaqV64nFFsAUQVlIFHdJzwVGQtRt8BqqwzzxrWa82SkPhL4B2iCD6BRGo4pe5qhRz1axlK2BPwbly3yrKstxhRMPm-uWh_suPiytKyUkfhYryN0c-qLBASOkUsO0F9aB9Am89Q60GPlMHiLzzj8Ok93gyhy3AQ4Fow"}}, "protected": "eyJub25jZSI6ICJJN3RfaDNhcmxvVHBzbXU2NzhZalRtVkdLM1FPejZWTWkxMk52UjlxUnRFIn0", "payload": "eyJrZXlBdXRob3JpemF0aW9uIjogImxDNnFrY2VubjVQa2M0NnM1NU42S2lwNVpfTTNPdFE1REZQM0JSSTJQNTgucm5OTkJCOGQzdGhqM2xkTUNBN0pUVV9oU0VBUmhtT2FpaWFIWW5GbXhzOCIsICJ0eXBlIjogImh0dHAtMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0", "signature": "J2I6A9CxBYYm3ICJrYYRbBRKD_GjQxBWe-KRC_F56mWMWu5hhbtfxEFo03g1mg7IkvZ3kAzgPlZzS_lQ5zj2iSkOKDyn5ictp0E-R1h4mUbd7Ld9DV2gCrz3MzvdMPohQ9gx31DkKQrAXfuL0Rj7kSGI_upuZuu1uPmhj6O8AFNlH3XnT7BLZ1-JgfwoJ2w2i1GnlNOUJuwKPiNT93sAnRq-klpts-AhbfUgKbpApntKsLaNs2CnkoXLSjP8xOxPd0AYBR2LEdYBmTWDhF8rueJTMfGLxlTM7TLlj3CjYlRKkbO89JvafIL9WZe3__JKGHgrlsN_NRjct8XFGce3hA"}'}
2015-11-24 14:13:34,352:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:13:36,525:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465990 HTTP/1.1" 202 311
2015-11-24 14:13:36,528:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '311', 'Expires': 'Tue, 24 Nov 2015 14:13:36 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465990', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:13:36 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'ymBlRisGwtVwIYuepQtVFxVMZeLKW_VCPKEeWWxeXUI'}. Content: '{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465990","token":"lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58","keyAuthorization":"lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8"}'
2015-11-24 14:13:36,529:DEBUG:acme.client:Storing nonce: '\xca`eF+\x06\xc2\xd5p!\x8b\x9e\xa5\x0bU\x17\x15Le\xe2\xca[\xf5B<\xa1\x1eYl^]B'
2015-11-24 14:13:36,529:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '311', 'Expires': 'Tue, 24 Nov 2015 14:13:36 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465990', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:13:36 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'ymBlRisGwtVwIYuepQtVFxVMZeLKW_VCPKEeWWxeXUI'}): '{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KAphY01rRkKqZIEXfPDf2GIl_HBEynK0LG73MECe63c/465990","token":"lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58","keyAuthorization":"lC6qkcenn5Pkc46s55N6Kip5Z_M3OtQ5DFP3BRI2P58.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8"}'
2015-11-24 14:13:38,139:INFO:letsencrypt.auth_handler:Cleaning up challenges
2015-11-24 14:13:38,143:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 1206, in main
    return args.func(args, config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 500, in obtain_cert
    _auth_from_domains(le_client, config, domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 325, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
    self._respond(cont_resp, dv_resp, best_effort)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 142, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 182, in _poll_challenges
    time.sleep(min_sleep)
KeyboardInterrupt

sh4wn on 24 Nov 2015

after i fix the wrong content-type("text/plain; charset=utf-8") problem,
the logs become:

2015-11-24 14:22:23,353:DEBUG:letsencrypt.cli:Root logging level set at 30
2015-11-24 14:22:23,353:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-11-24 14:22:23,353:DEBUG:letsencrypt.cli:letsencrypt version: 0.0.0.dev20151123
2015-11-24 14:22:23,353:DEBUG:letsencrypt.cli:Arguments: ['-a', 'manual', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--agree-dev-preview', '-d', 'xiangyang.li']
2015-11-24 14:22:23,353:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,Plug
inEntryPoint#standalone)
2015-11-24 14:22:23,356:DEBUG:letsencrypt.cli:Requested authenticator manual and installer None
2015-11-24 14:22:23,362:DEBUG:letsencrypt.display.ops:Single candidate plugin: * manual
Description: Manually configure an HTTP server
Interfaces: IAuthenticator, IPlugin
Entry point: manual = letsencrypt.plugins.manual:Authenticator
Initialized: <letsencrypt.plugins.manual.Authenticator object at 0x4056710>
Prep: True
2015-11-24 14:22:23,363:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.manual.Authenticator object at 0x4056710> and installer None
2015-11-24 14:22:23,381:DEBUG:letsencrypt.cli:Picked account: <Account(92eedaddb9a47c274c973e63bc23706d)>
2015-11-24 14:22:23,381:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2015-11-24 14:22:23,387:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:22:25,137:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 263
2015-11-24 14:22:25,139:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '263', 'Expires': 'Tue, 24 Nov 2015 14:22:24 GMT', 'Strict-Transport-Security': 'max-age=60
4800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:22:24 GMT', 'X-Frame-Optio
ns': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'I4Bii-oMyOLHtRe2zt8em1htUx0lrI5c8aRbvV_27CY'}. Content: '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/ne
w-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencryp
t.org/acme/revoke-cert"}'
2015-11-24 14:22:25,140:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '263', 'Expires': 'Tue, 24 Nov 2015 14:22:24 GMT', 'Strict-Transport-Securi
ty': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:22:24 GMT'
, 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'I4Bii-oMyOLHtRe2zt8em1htUx0lrI5c8aRbvV_27CY'}): '{"new-authz":"https://acme-v01.api.letsencrypt.org
/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.le
tsencrypt.org/acme/revoke-cert"}'
2015-11-24 14:22:25,501:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0072_key-letsencrypt.pem
2015-11-24 14:22:25,504:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0025_csr-letsencrypt.pem
2015-11-24 14:22:25,505:DEBUG:letsencrypt.client:CSR: CSR(file='/etc/letsencrypt/csr/0025_csr-letsencrypt.pem', data='0\x82\x02\x850\x82\x01m\x02\x000\x171\x150\x13\x06\x03U\x04\x03
\x0c\x0cxiangyang.li0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xe6\x8d7\xc6_\x15^\'\xfa@\x16I\x17tQp\x86\xbfj\xd0\x13
.\xf8N\xbav\xa1\xb1\x00\tZw\xf8\xcfsqB\x1f\x1c\x1e \xa7\x9b\x01\xbd\x96\x1b4W\xb2\x14}.\r\xe2U\xf1\xe3qm\xa8\xe7\x06[g\xef\xad\xfe\xaa\xacP\x94\x04Jdg\xc1\xe1\x7f\x156\x1a\xc3ZJV\xf
2\x8f@-@\x1eA\x88\x83F\xb0\xc3>\x8f\xe4kd\x07\x97\')\xef\xcb\xb6T\x96\x88\xf6;`A\x1e\xaf\xf9\x94\xa1\xb0l\'\xae(\x10\x07\xddv\xac\xfd\xaf\x8f\xef\xd1\x80\x00\xdb\x90\r]\xa2,a\xff%\x
18\x07{\xa2\x12\x8f\xb8\x16w|\xcc\x8e\xc9nKK\xf1\x86P\xfd\x11\xc2\xad|\x90\x8ev\xc4\xa0L\x04z\xa6\x94\x01\xf6m\xac\xca!\xd7\xcfP\xcb\xa1\x0f\x14|\xec\x01\x9d\x14$@`\xa9\x01\xae\xc4\
xf9\x02\xf2\xcat\xa2\x95o\xee\xffrgg\xe0\x82;\xbd$\x04a\x06\x96\x98\xf7\xd0\xb2\xf1\xf3\x1c\xf9H4CC{\x80\x8d\xe6\xd2R\xca\xe1\x95_K\xd2=\xbf7\x02\x03\x01\x00\x01\xa0*0(\x06\t*\x86H\
x86\xf7\r\x01\t\x0e1\x1b0\x190\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0cxiangyang.li0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00q\x88\xbf\xa9\xa5\xb7\x1c\xd6)q\
xbb9\x1e\xc9eg\xe1eG@N\x0b\xa9\x19\xc4\xd6\x86c\xf64\xf3\xcb\'p\xa9\x84Ya\xcb\xea\x7f\xdd\xb8\xa6h`/\x83\x14D\x9f\xa4,\x18\x0c=KR\x10\x97\x85\x17\xf7\x8dC\xd1\xee\xafj\xed)R\x82\xd5
O\xa1V\xf0\x00(n126,\xc6\x17Nn\x16q`\xe8\xe8\x0c\x10\xfb\r\xa3\x9cOt\xe4\x7fv\x1b\xf0\x7f\xafT\xf8\xaf%=\x0f\xcb\x90\'\xf5\xf4?ww\xee\x82\xc3\x18\xd0]c\x90\xd9Z\xae\xd8\xfe\xc7Ue\x0
c\xa1\xc9\xc1\xbdA\x9e\x96+\x8c\xb8\xc8\x06$+e$)\x12-\xf0\xbe\xbe\xf8\r;\xa4\xeb\x7f\xb3\xb9\xea\xfb\xd4\xbd\xa8\xa0\x8d\x08\xfeT\xbc\x06\x0e\xbd\x1d\xab\xcdiB\x0b\x9e3Lp\xcfb\xfa\x
1bJ\xb8\xf3u\xbfk\x9e4\xe5\xa0\xc1\xa6\x02B9K\xe6\x85\xbeL\xed\xb2\xc3vJ\x1f\xa9\xfe\x7f\x81\xacu>\xdd\n\x9c~\'\x13\xbb\xa9\xc5\xf4\xf9\xd1\x04\xed\xe2H\xe6\xb3\t\xc3\xd9\x8aM3g', f
orm='der'), domains: ['xiangyang.li']
2015-11-24 14:22:25,505:DEBUG:root:Requesting fresh nonce
2015-11-24 14:22:25,505:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2015-11-24 14:22:25,506:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:22:26,701:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2015-11-24 14:22:26,703:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '0', 'Pragma': 'no-cache', 'Expires': 'Tue, 24 Nov 2015 14:22:26 GMT', 'Server': 'nginx', '
Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:22:26 GMT', 'Content-Type': 'application/problem+json', 'R
eplay-Nonce': '9RUZLPYLxfxit8QJ9jff9KdJIBJg_uVCdQN7Cd9yY-I'}. Content: ''
2015-11-24 14:22:26,704:DEBUG:acme.client:Storing nonce: '\xf5\x15\x19,\xf6\x0b\xc5\xfcb\xb7\xc4\t\xf67\xdf\xf4\xa7I \x12`\xfe\xe5Bu\x03{\t\xdfrc\xe2'
2015-11-24 14:22:26,705:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, combinations=None, status=None
2015-11-24 14:22:26,705:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "xiangyang.li"}, "resource": "new-authz"}
2015-11-24 14:22:26,706:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jwk=None, x5u=None, kid=None, alg=None, cty=None, x5tS256=None, jku=None, x5t=None
2015-11-24 14:22:26,709:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, x5u=None, kid=None, cty=None, x5tS256=None, jku=None, x5t=None, nonce=None
2015-11-24 14:22:26,709:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "pOpcSu2ynUl02RqT6Ws0uOYtU3pXX9Mg9j6iN3cDIte7R1e3O__GJx7D7y0srwyQe35K__DgLrVr3xlyycod_3glnyjs2kjrFF2vSQDsLbqmhJ9gAf2_VjeuR3I59mCLzusjPJ9fUa1ng-FRVziH_mV_MEa0Jnk7zde7GrweIVaEcg4WwCSZxaqV64nFFsAUQVlIFHdJzwVGQtRt8BqqwzzxrWa82SkPhL4B2iCD6BRGo4pe5qhRz1axlK2BPwbly3yrKstxhRMPm-uWh_suPiytKyUkfhYryN0c-qLBASOkUsO0F9aB9Am89Q60GPlMHiLzzj8Ok93gyhy3AQ4Fow"}}, "protected": "eyJub25jZSI6ICI5UlVaTFBZTHhmeGl0OFFKOWpmZjlLZEpJQkpnX3VWQ2RRTjdDZDl5WS1JIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJ4aWFuZ3lhbmcubGkifSwgInJlc291cmNlIjogIm5ldy1hdXRoeiJ9", "signature": "YrRCrim4gb_cYrwbTvEW_6kkpSyKG-E9XsCfjoSwrQ_SAUmgsN4WIm9Smt3b7RgT_gJ1aqDLDAxl32RK1PRqvE4DkGKE8c1o7Hi0XYr-Hi2U0idEd4SbNYGwyKCTgZ37_MfbDjnyR4kl500cJOiCGAtWhMqLXwHlNxNbG8L1EwiJN-O9bR_eM9nXhQb1EL_3V-xgDJjvX1XRn7aWJnJUxxIiZ6C6AVJAvW_nnYdTglYiP1klnauNm4BG2jz8G0cnBXogY2D4ugp1KsFHElWbmyrizbPSOqO9r5bJSKltFy8VGSrrGx-l9sbDw3M5wYYLDN8_KS6gLMUyfB_8xafFSQ"}'}
2015-11-24 14:22:26,710:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:22:27,933:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 563
2015-11-24 14:22:27,936:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '563', 'Expires': 'Tue, 24 Nov 2015 14:22:27 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:22:27 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'y7910VH86UAs6-0W2Z31nZqRlYhn1xCFqfAsorT634E'}. Content: '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"pending","expires":"2015-12-01T14:22:27.693728974Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466215","token":"woUgf06nyHVpCocbiN8rVuftU5tOeOTZn-BuWAzJGck"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y"}],"combinations":[[1],[0]]}'
2015-11-24 14:22:27,937:DEBUG:acme.client:Storing nonce: '\xcb\xbfu\xd1Q\xfc\xe9@,\xeb\xed\x16\xd9\x9d\xf5\x9d\x9a\x91\x95\x88g\xd7\x10\x85\xa9\xf0,\xa2\xb4\xfa\xdf\x81'
2015-11-24 14:22:27,937:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '563', 'Expires': 'Tue, 24 Nov 2015 14:22:27 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:22:27 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'y7910VH86UAs6-0W2Z31nZqRlYhn1xCFqfAsorT634E'}): '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"pending","expires":"2015-12-01T14:22:27.693728974Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466215","token":"woUgf06nyHVpCocbiN8rVuftU5tOeOTZn-BuWAzJGck"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y"}],"combinations":[[1],[0]]}'
2015-11-24 14:22:27,938:INFO:letsencrypt.auth_handler:Performing the following challenges:
2015-11-24 14:22:27,938:INFO:letsencrypt.auth_handler:http-01 challenge for xiangyang.li
2015-11-24 14:22:56,303:DEBUG:acme.challenges:Verifying http-01 at http://xiangyang.li/.well-known/acme-challenge/ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y...
2015-11-24 14:22:56,305:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): xiangyang.li
2015-11-24 14:22:56,309:DEBUG:requests.packages.urllib3.connectionpool:"GET /.well-known/acme-challenge/ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y HTTP/1.1" 200 87
2015-11-24 14:22:56,310:DEBUG:acme.challenges:Received <Response [200]>: ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8. Headers: {'Date': 'Tue, 24 Nov 2015 14:22:56 GMT', 'Content-Length': '87', 'Content-Type': 'text/plain', 'Connection': 'keep-alive', 'Server': 'nginx/1.8.0'}
2015-11-24 14:22:56,310:INFO:letsencrypt.auth_handler:Waiting for verification...
2015-11-24 14:22:56,310:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8", "type": "http-01", "resource": "challenge"}
2015-11-24 14:22:56,311:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jwk=None, x5u=None, kid=None, alg=None, cty=None, x5tS256=None, jku=None, x5t=None
2015-11-24 14:22:56,314:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, x5u=None, kid=None, cty=None, x5tS256=None, jku=None, x5t=None, nonce=None
2015-11-24 14:22:56,314:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "pOpcSu2ynUl02RqT6Ws0uOYtU3pXX9Mg9j6iN3cDIte7R1e3O__GJx7D7y0srwyQe35K__DgLrVr3xlyycod_3glnyjs2kjrFF2vSQDsLbqmhJ9gAf2_VjeuR3I59mCLzusjPJ9fUa1ng-FRVziH_mV_MEa0Jnk7zde7GrweIVaEcg4WwCSZxaqV64nFFsAUQVlIFHdJzwVGQtRt8BqqwzzxrWa82SkPhL4B2iCD6BRGo4pe5qhRz1axlK2BPwbly3yrKstxhRMPm-uWh_suPiytKyUkfhYryN0c-qLBASOkUsO0F9aB9Am89Q60GPlMHiLzzj8Ok93gyhy3AQ4Fow"}}, "protected": "eyJub25jZSI6ICJ5NzkxMFZIODZVQXM2LTBXMlozMW5acVJsWWhuMXhDRnFmQXNvclQ2MzRFIn0", "payload": "eyJrZXlBdXRob3JpemF0aW9uIjogInJ1UlUxM2JxLWMycnk4M0VnZmM2Z0hZT0lublJOU1FIN0pUWmpQbk1rNFkucm5OTkJCOGQzdGhqM2xkTUNBN0pUVV9oU0VBUmhtT2FpaWFIWW5GbXhzOCIsICJ0eXBlIjogImh0dHAtMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0", "signature": "ZSk08lVt8A8eJKFHxloUVJNXrqnYdepSL8wg3I_rp_jR-GnF_tiyQeoovLnbm4Hn3Wlb7tvgCGRh_FUJkvsbQ9jQ35jQ9ddwBNtBjKm1_cUkq8X6QM0EA2Wss97sE8Z7c3mfRceO8KcLRywkhpFcvsAKVj_pulCzBH6SCau7eLCxC2030ciA7PlT32GbItPUcYViWu_Tpy-olaEdL5y-eLh361iJLc6JgdPa4NPFHJItHPyDLS4Br3obA4mAHtaS4ddnfCD6Jsv6XdC9PHpgCz-x2hnx4XXbEiz8FFqPwhrebXS-bmNnUjTy900TFMsGv4Z7OhK4Jq5BjZvZpP0zEw"}'}
2015-11-24 14:22:56,316:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:22:57,543:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216 HTTP/1.1" 202 311
2015-11-24 14:22:57,546:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '311', 'Expires': 'Tue, 24 Nov 2015 14:22:57 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:22:57 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'lENqqE7N4umFrWZFrrt3ZLAVbLfrwz_GwhnWvmWKQjQ'}. Content: '{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","keyAuthorization":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8"}'
2015-11-24 14:22:57,547:DEBUG:acme.client:Storing nonce: '\x94Cj\xa8N\xcd\xe2\xe9\x85\xadfE\xae\xbbwd\xb0\x15l\xb7\xeb\xc3?\xc6\xc2\x19\xd6\xbee\x8aB4'
2015-11-24 14:22:57,547:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '311', 'Expires': 'Tue, 24 Nov 2015 14:22:57 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:22:57 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'lENqqE7N4umFrWZFrrt3ZLAVbLfrwz_GwhnWvmWKQjQ'}): '{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","keyAuthorization":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8"}'
2015-11-24 14:23:00,551:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM. args: (), kwargs: {}
2015-11-24 14:23:00,554:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:23:02,484:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM HTTP/1.1" 200 662
2015-11-24 14:23:02,486:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '662', 'Expires': 'Tue, 24 Nov 2015 14:23:02 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:23:02 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'J-OCo7UootOR4nWOLg1uUXh09kL0a_8lTjRHUB1TL_Y'}. Content: '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"pending","expires":"2015-12-01T14:22:27Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466215","token":"woUgf06nyHVpCocbiN8rVuftU5tOeOTZn-BuWAzJGck"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","keyAuthorization":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8"}],"combinations":[[1],[0]]}'
2015-11-24 14:23:02,487:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '662', 'Expires': 'Tue, 24 Nov 2015 14:23:02 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:23:02 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'J-OCo7UootOR4nWOLg1uUXh09kL0a_8lTjRHUB1TL_Y'}): '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"pending","expires":"2015-12-01T14:22:27Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466215","token":"woUgf06nyHVpCocbiN8rVuftU5tOeOTZn-BuWAzJGck"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","keyAuthorization":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8"}],"combinations":[[1],[0]]}'
2015-11-24 14:23:05,491:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM. args: (), kwargs: {}
2015-11-24 14:23:05,492:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:23:06,818:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM HTTP/1.1" 200 662
2015-11-24 14:23:06,820:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '662', 'Expires': 'Tue, 24 Nov 2015 14:23:06 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:23:06 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '-kI25KAZvGwZAEwZHYiyyKvuR6QfQao49UnM58OcSMU'}. Content: '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"pending","expires":"2015-12-01T14:22:27Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466215","token":"woUgf06nyHVpCocbiN8rVuftU5tOeOTZn-BuWAzJGck"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","keyAuthorization":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8"}],"combinations":[[1],[0]]}'
2015-11-24 14:23:06,821:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '662', 'Expires': 'Tue, 24 Nov 2015 14:23:06 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:23:06 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '-kI25KAZvGwZAEwZHYiyyKvuR6QfQao49UnM58OcSMU'}): '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"pending","expires":"2015-12-01T14:22:27Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466215","token":"woUgf06nyHVpCocbiN8rVuftU5tOeOTZn-BuWAzJGck"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","keyAuthorization":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8"}],"combinations":[[1],[0]]}'
2015-11-24 14:23:09,825:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM. args: (), kwargs: {}
2015-11-24 14:23:09,827:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 14:23:13,516:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM HTTP/1.1" 200 940
2015-11-24 14:23:13,518:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '940', 'Expires': 'Tue, 24 Nov 2015 14:23:13 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:23:13 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '40Y-_Q9XVakvU0tCdbYwMckr_i-NVU3neFdavrpq2CE'}. Content: '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"invalid","expires":"2015-12-01T14:22:27Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466215","token":"woUgf06nyHVpCocbiN8rVuftU5tOeOTZn-BuWAzJGck"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"DNS query timed out"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","keyAuthorization":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8","validationRecord":[{"url":"http://xiangyang.li/.well-known/acme-challenge/ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","hostname":"xiangyang.li","port":"80","addressesResolved":null,"addressUsed":""}]}],"combinations":[[1],[0]]}'
2015-11-24 14:23:13,519:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '940', 'Expires': 'Tue, 24 Nov 2015 14:23:13 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 14:23:13 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '40Y-_Q9XVakvU0tCdbYwMckr_i-NVU3neFdavrpq2CE'}): '{"identifier":{"type":"dns","value":"xiangyang.li"},"status":"invalid","expires":"2015-12-01T14:22:27Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466215","token":"woUgf06nyHVpCocbiN8rVuftU5tOeOTZn-BuWAzJGck"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"DNS query timed out"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kMwKHIEC19ddrnVzxqpvcaPMAeZGHrKqIUUdun6vTQM/466216","token":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","keyAuthorization":"ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y.rnNNBB8d3thj3ldMCA7JTU_hSEARhmOaiiaHYnFmxs8","validationRecord":[{"url":"http://xiangyang.li/.well-known/acme-challenge/ruRU13bq-c2ry83Egfc6gHYOInnRNSQH7JTZjPnMk4Y","hostname":"xiangyang.li","port":"80","addressesResolved":null,"addressUsed":""}]}],"combinations":[[1],[0]]}'
2015-11-24 14:23:13,520:INFO:letsencrypt.reporter:Reporting to user: The following 'connection' errors were reported by the server:

Domains: xiangyang.li
Error: The server could not connect to the client for DV
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client.
2015-11-24 14:23:13,520:INFO:letsencrypt.auth_handler:Cleaning up challenges
2015-11-24 14:23:13,521:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 1206, in main
    return args.func(args, config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 500, in obtain_cert
    _auth_from_domains(le_client, config, domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 325, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
    self._respond(cont_resp, dv_resp, best_effort)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 142, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. xiangyang.li (http-01): connection :: The server could not connect to the client for DV :: DNS query timed out

sh4wn on 24 Nov 2015

This appears to be a boulder problem. The "Self-verify" message is the client trying to validate the challenge itself before it notifies boulder that the challenge has been set up.

The restriction on Content-Type has recently been removed from the ACME spec. The self-validation code currently still requires this, but we only show a warning that "Self-verify of challenge failed" but continue to notify boulder that the challenge has been set up.

After fixing the Content-Type, the client was able to successfully validate the challenge, but boulder still failed to connect. I've notified the boulder team of this issue and hopefully we can get back to you shortly.

bmw on 24 Nov 2015

One more thing. How many times have you ran the client and seen this message?

IMPORTANT NOTES:
 - The following 'connection' errors were reported by the server:

   Domains: xiangyang.li
   Error: The server could not connect to the client for DV

There is a known issue with boulder timing out on some TLDs, but this has been fixed by running Let's Encrypt a second time.

bmw on 24 Nov 2015

almost 5 times

sh4wn on 24 Nov 2015

Note that "server could not connect to client" means a successful DNS lookup, but the TCP connection failed.

jsha on 24 Nov 2015

@jsha, I believe that is incorrect.

Looking at the full error message in the original post, we see:

connection :: The server could not connect to the client for DV :: DNS query timed out

Breaking this down:

connection - problem type from boulder
"The server could not connect to the client for DV" - description of the problem type from ACME spec
"DNS query timed out" - problem details from boulder

Perhaps the error message under important notes should include the problem details as well.

bmw on 24 Nov 2015

Yes, in general the problem details should be echoed to the user. I'm not sure the description from the ACME spec is ever more useful than the detail provided by the server.

jsha on 24 Nov 2015

I agree. I think both could be useful, but problem details will almost certainly have the most value. I created #1614 to track that issue.

bmw on 24 Nov 2015

Still got 'DNS query timed out'. Is there anything new about this?

sh4wn on 27 Nov 2015

I also encountered this error and my nameserver is also DNSPod lke you. After I switch back to name.com (register), I never have DNS timeout again. So you can also try to switch to another nameserver if possible, as a temporary solution.

lainme on 1 Dec 2015

@lainme Yes,my nameserver is DNSPod. and i know it will work if i change it to the default nameserver(in my case ns1.iwantmyname.net). But i don't want to change it everytime i renew the certificate.

sh4wn on 2 Dec 2015

I changed my nameserver to a.dnspod.com,the error become:

Failed authorization procedure. xiangyang.li (http-01): urn:acme:error:connection :: The server could not connect to the client for DV :: Server failure at resolver

IMPORTANT NOTES:
 - The following 'urn:acme:error:connection' errors were reported by
   the server:

   Domains: xiangyang.li
   Error: The server could not connect to the client for DV

sh4wn on 3 Dec 2015

Same problem here. I also use DNSPod.

a-m-s on 4 Dec 2015

Same problem. DNSPod.
I switch back to godaddy.com, then it's fine.

liuyanghejerry on 4 Dec 2015

The same.
Is there a solution to get let's encrypt work with DNSPod?

yamada95 on 4 Dec 2015

try asking dnspod to fix 111.30.132.180 180.153.9.189 101.226.30.224 which do not answer to queries about
xiangyang.li. At least letsencrypt would get DNS timeouts less often.

Or maybe they have capacity problems and/or Great Firewall is causing hiccups.

Safari77 on 5 Dec 2015

I got the same problem. But my nameserver is hichina.

lp19851119 on 8 Dec 2015

Same problem here with DNSPod.

JokerQyou on 9 Dec 2015

Hi guys, I just saw an explanation by DNPod employee here, who said they are aware of this issue and the solution will come out recently.

JokerQyou on 9 Dec 2015

@lp19851119 same here from wanwang.aliyun.com . hichina is also from wanwang. Wanwang was purchased by Alibaba. I guess if your DNS resolver is in domestic China mainland, then that will occur. People can try to use other open DNS resolver and test.

xros on 10 Dec 2015

@lp19851119 @xros I'm seeing the same issue in Australia with multiple domains using NetRegistry nameservers. My self hosted nameserver ones are fine, as are many others.

thatsamguy on 10 Dec 2015

@JokerQyou: Would you mind translating what the DNSPod employee said on that thread? I can't read it, and it would be good to know what the issue is.

Thanks,
Jacob

jsha on 10 Dec 2015

@jsha After a series of tests and experiments, DNSPod is trying to make the nameserver compatible with Letsencrypt by responding type CAA DNS requests, and preserving cases of domains in DNS requests.

nirocfz on 11 Dec 2015

Excellent, thanks for the info!

jsha on 11 Dec 2015

Same problem with CloudXNS(mainland China). 🌚

imWildCat on 15 Dec 2015

So some public name servers available for letsencrypt now? My CA is out of date now.

xros on 16 Dec 2015

My domain using DNSPod just worked yesterday.

JokerQyou on 18 Dec 2015

@JokerQyou Me too. I tried it this morning and it worked.

sh4wn on 18 Dec 2015

I switched to use dns.he.net . It works with letsencrypt.

But sad thing is that I can not open my site pages from the mainland of China very smoothly.

Half of the time it is with DNS error when opening pages.

The Chinese government seems always to force people to use their DNS servers or you will lose clients/customers from its country -- 1.4 Billion people....

What should we do?

xros on 26 Dec 2015

I think DNSPod now works with LE, I've successfully signed two domains
without any error a few days ago.

On Sun, Dec 27, 2015, 06:25 xros [email protected] wrote:

I switched to use dns.he.net . It works with letsencrypt.

But sad thing is that I can not open my site pages from the mainland of
China very smoothly.

Half of the time it is with DNS error when opening pages.

The Chinese government seems always to force people to use their DNS
servers or you will lose clients/customers from its country -- 1.4 Billion
people....

What should we do?

—
Reply to this email directly or view it on GitHub
https://github.com/letsencrypt/letsencrypt/issues/1610#issuecomment-167368882
.

JokerQyou on 27 Dec 2015

@JokerQyou DNSPod is governed by the Mainland of China. It supports LE from 18/12/2015. Hopefully it works but it might be censored.

xros on 28 Dec 2015

I did not understand some of your reply, what is censored? Well some
content will be blocked, and DNS queries will fail for some domains, that
is true. But I don't see the reason to block a personal website. I
suggested a working DNS service provider inside China, and you can pick one
among all the available providers around the world.

On Mon, Dec 28, 2015, 16:41 xros [email protected] wrote:

@JokerQyou https://github.com/JokerQyou DNSPod is governed by the
Mainland of China. It supports LE from 18/12/2015. Hopefully it works but
it might be censored.

—
Reply to this email directly or view it on GitHub
https://github.com/letsencrypt/letsencrypt/issues/1610#issuecomment-167513340
.

JokerQyou on 28 Dec 2015

Same problem with wanwang.aliyun.com today(mainland China).

Failed authorization procedure. www.xxx.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS query timed out, xxx.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS query timed out

//nginx and "/.well-known/" is ok.

meilihao on 29 Dec 2015

I don't think this is a China-specific problem, but likely a bug in Boulder. Please see the related issue https://github.com/letsencrypt/boulder/issues/1334

riobard on 5 Jan 2016

I also hold domains whose authoritative name servers were set to dns*.hichina.com (aka. wanwang / wanwang.aliyun.com).

Earlier today I tried the acme challenge and again failed.

However, I noticed that the error message prompted by the client was changed (did some re-formatting to suit the convenience of reading):

Failed authorization procedure.
example.cn (http-01):
urn:acme:error:connection
:: The server could not connect to the client to verify the domain
:: DNS query timed out during CAA-record lookup of example.cn

IMPORTANT NOTES:
 - The following 'urn:acme:error:connection' errors were reported by
   the server:

   Domains: example.cn
   Error: The server could not connect to the client to verify the
   domain

Then I switched one of my domains' authoritative name server to DNSPod and, after waiting for some minutes (to wait the cache really being flushed), I tried again and succeeded.

Given that, I think

The boulder team has cleared up their error message by specifically pointing out that the failure is raised during CAA-record lookup.
As the DNSPod's employee stated out in this thread, they have made DNSPod compatible with LE mainly by adding the (optional, as described in RFC 6844) CAA-record query support.

So, for those who still suffering the "DNS query timeout" issue, a possible workaround is, switching their resolver to a service provider that support CAA-record query (like DNSPod).

Further more, if LE (or the acme challenge) has no plan to remove the dependency of CAA-record verification procedure, we can close this issue now.

Correct me if I misunderstood something.

oldsharp on 6 Jan 2016

Reliance on CAA-record as a hard requirement is a bad idea. None of the major DNS service providers (Route 53 etc) I know supports adding CAA records, yet the failure of responding to CAA queries blocks the issuance of certificates. CAA is not mandatory, and it will unlikely to be widely adopted. Let's Encrypt should not rely on CAA records, or at least make it an optional ACME challenge for people who think it's a good idea.

riobard on 6 Jan 2016

@thatsamguy My NetRegistry domains aren't working either.

They're using a version of PowerDNS that times out on CAA queries. The LetsEncrypt client naturally assumes that the server is down because the CAA timeout is indistinguishable from a regular timeout.

I've logged a ticket with them, no response for a whole week so far.

ghost on 17 Jan 2016

👍3

@bmw i had the same timeout issue and it worked trying the 2nd time. the issue seems to be reproduceable with somehow exotic TLDs like ".run".

webermax on 22 Mar 2016

I get the same error with a .io

TheDeadCode on 25 Mar 2016

I'm running into the same problem with a .com domain, and GoDaddy's DNS server. I see references to Boulder, but it's not clear whether the problem was fixed. Do I need to upgrade to a new client version?

Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --apache --renew-by-default --domains dividendinformation.com, www.dividendinformation.com
Failed authorization procedure. www.dividendinformation.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up A for www.dividendinformation.com

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.dividendinformation.com
Type: connection
Detail: DNS problem: query timed out looking up A for
www.dividendinformation.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

cberner on 29 Mar 2016

I'm seeing this same issue as cberner mentioned above, on a .com address using AWS/Route53 DNS.

Moeser on 29 Mar 2016

@moeser @cberner, based on the timing, I think you may have run into a validation outage we had last night (PDT). Can you try again now?

jsha on 29 Mar 2016

Works now. Thanks!

cberner on 29 Mar 2016

works, thanks.

Moeser on 29 Mar 2016

the same problem in aliyun

jason19659 on 28 Apr 2016

I also have the same problem with a .cn domain running in China on a Aliyun server

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: xxxxx.cn
Type: connection
Detail: DNS problem: query timed out looking up CAA for xxxxx.cn

The server is not fast but not slow to respond either and the domain name resolves to the correct IP.

dhalyk on 8 Jul 2016

@pde @bmw Do you want to close this issue? I'm not aware of any CAA related issues at present and if there are folks encountering some they should open a issue on the Boulder repo for troubleshooting. Definitely not a Certbot problem :-)

cpu on 2 Dec 2016

I can confirm that it's no longer an issue and should be closed
(especially seeing as it was a problem with Boulder and not
le-client/certbot).

On 3/12/16 12:46 am, Daniel McCarney wrote:
>

@pde https://github.com/pde @bmw https://github.com/bmw Do you
want to close this issue? I'm not aware of any CAA related issues at
present and if there are folks encountering some they should open a
issue on the Boulder https://github.com/letsencrypt/boulder repo for
troubleshooting. Definitely not a Certbot problem :-)

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/certbot/certbot/issues/1610#issuecomment-264463176,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AFdX7vdUHeJvCiVC6q5PgEvMR9ViQ_-6ks5rEChGgaJpZM4GoOJT.

ghost on 2 Dec 2016

Great!

pde on 2 Dec 2016

Certbot: DNS CAA query timeout

Most helpful comment

All 55 comments

Related issues