Hestia can't find DNS record for webmail.domain

hi,

would like to enable SSL for one of our mail domains: webmail.direxyst.hu
Oddly, I always get a "Dns record does not exist for webmail" error (screenshot by Lightshot).
But if I do a dig on the server, it returns the desired A record:

root@hestia:~# dig webmail.direxyst.hu
; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> webmail.direxyst.hu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54261
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;webmail.direxyst.hu. IN A
;; ANSWER SECTION:
webmail.direxyst.hu. 1800 IN A 185.80.50.84
;; Query time: 16 msec
;; SERVER: 185.43.204.1#53(185.43.204.1) (UDP)
;; WHEN: Fri Aug 30 08:15:10 CEST 2024
;; MSG SIZE rcvd: 64

What do I miss here? :confused:

Hi @Jess,

Show the output of these commands:

nslookup webmail.direxyst.hu
nslookup webmail.direxyst.hu 1.1.1.1

Hi @sahsanu,

root@hestia:/# nslookup webmail.direxyst.hu
Server: 185.43.204.1
Address: 185.43.204.1#53

Non-authoritative answer:
Name: webmail.direxyst.hu
Address: 185.80.50.84

root@hestia:/# nslookup webmail.direxyst.hu 1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached

That’s strange

This part is working fine and it is resolving the domain so you shouldn’t get that error.

The part of the script that is checking it is this:

if ! nslookup "${identifier}" > /dev/null 2>&1; then
    # Attempt against Cloudflare DNS
    if ! nslookup "${identifier}" 1.1.1.1 > /dev/null 2>&1; then
        check_result "$E_NOTEXIST" "DNS record for $identifier doesn't exist"
    fi
fi

In your case, the script shouldn’t try to execute nslookup "${identifier}" 1.1.1.1 because the first part nslookup "${identifier}" is working (at least it is now).

Try to issue the certificate again.

Regarding the error when using nslookup with an external DNS resolver like 1.1.1.1, it could be a firewall rule. Show the output of this command:

iptables -S
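The check quoted above discards nslookup's output and only looks at its exit status, so a resolver that times out (as 1.1.1.1 does from this server) produces the same "DNS record doesn't exist" verdict as a genuine NXDOMAIN. The following script is an added example, not Hestia's own code: it keeps the same control flow (system resolver first, Cloudflare second) but classifies the resolver's answer so the failure reason is visible. The sample outputs in the demo are constructed from the nslookup runs posted in this thread; the name nosuch.direxyst.hu is an assumed non-existent host used only to illustrate the NXDOMAIN case.

```shell
#!/bin/sh
# Added example: a DNS pre-check that reports *why* a lookup failed.
# Not part of Hestia; mirrors the v-add-letsencrypt-domain check's logic.

# classify_lookup STATUS  (nslookup output on stdin)
# Prints one of: ok, unreachable, nxdomain, nodata, error
classify_lookup() {
    status="$1"
    out="$(cat)"
    # An answer section ("Name:" line) with exit 0 means the record resolved.
    if [ "$status" -eq 0 ] && printf '%s\n' "$out" | grep -q '^Name:'; then
        echo ok; return 0
    fi
    case "$out" in
        *"no servers could be reached"*|*"communications error"*) echo unreachable ;;
        *NXDOMAIN*)                                                 echo nxdomain ;;
        *"No answer"*)                                              echo nodata ;;
        *)                                                          echo error ;;
    esac
}

# lookup_with NAME [RESOLVER]: run nslookup (optionally against RESOLVER) and classify it.
lookup_with() {
    name="$1"; resolver="${2:-}"
    if [ -n "$resolver" ]; then
        out="$(nslookup "$name" "$resolver" 2>&1)"; rc=$?
    else
        out="$(nslookup "$name" 2>&1)"; rc=$?
    fi
    printf '%s\n' "$out" | classify_lookup "$rc"
}

# check_dns_record NAME: same order as the Hestia snippet, but on failure the
# message distinguishes a missing record from an unreachable resolver.
check_dns_record() {
    name="$1"
    local_result="$(lookup_with "$name")"
    if [ "$local_result" = ok ]; then echo "ok (system resolver)"; return 0; fi
    cf_result="$(lookup_with "$name" 1.1.1.1)"
    if [ "$cf_result" = ok ]; then echo "ok (1.1.1.1)"; return 0; fi
    echo "DNS record for $name doesn't exist or could not be checked:" \
         "system resolver=$local_result, 1.1.1.1=$cf_result" >&2
    return 1
}

# --- constructed samples (offline), taken from the outputs posted in the thread ---
sample_ok() {
    printf 'Server:\t\t185.43.204.1\nAddress:\t185.43.204.1#53\n\n'
    printf 'Non-authoritative answer:\nName:\twebmail.direxyst.hu\nAddress: 185.80.50.84\n'
}
sample_timeout() {
    printf ';; communications error to 1.1.1.1#53: timed out\n'
    printf ';; communications error to 1.1.1.1#53: timed out\n;; no servers could be reached\n'
}
sample_nxdomain() {   # assumed non-existent host, not from the thread
    printf 'Server:\t\t185.43.204.1\nAddress:\t185.43.204.1#53\n\n'
    printf '** server can'"'"'t find nosuch.direxyst.hu: NXDOMAIN\n'
}

demo() {
    echo "resolved sample   -> $(sample_ok       | classify_lookup 0)"   # ok
    echo "timeout sample    -> $(sample_timeout  | classify_lookup 1)"   # unreachable
    echo "nxdomain sample   -> $(sample_nxdomain | classify_lookup 1)"   # nxdomain
}

case "${1:-}" in
    --demo) demo ;;                     # offline: classify the constructed samples
    "")     ;;                          # no argument: only define the functions
    *)      check_dns_record "$1" ;;    # live check, e.g. ./dns_check.sh webmail.direxyst.hu
esac
```

Run it with `--demo` to see the three classifications without touching the network, or with a hostname to perform the live check. The point of the classification is the thread's own symptom: if the system resolver happens to fail once (a transient timeout, an rcode other than NOERROR) and the 1.1.1.1 fallback is blocked somewhere outside this host's iptables, the original check cannot tell that apart from a missing record, whereas this version reports "system resolver=error, 1.1.1.1=unreachable" and points at the resolver path rather than the zone.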

Already tried quite a few times, without success… :confused:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-wordpress
-N fail2ban-FTP
-N fail2ban-HESTIA
-N fail2ban-MAIL
-N fail2ban-RECIDIVE
-N fail2ban-SSH
-N fail2ban-WEB
-N hestia
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-HESTIA
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 185.80.50.84/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 195.228.200.158/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 78.142.18.92/32 -p tcp -j DROP
-A INPUT -s 103.153.42.104/32 -p tcp -j DROP
-A INPUT -s 67.222.131.158/32 -p tcp -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A f2b-wordpress -s 154.38.180.32/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress -s 51.68.231.81/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress -s 34.32.176.136/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress -s 69.253.168.183/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress -s 194.233.87.73/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress -s 80.189.86.236/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-HESTIA -j RETURN
-A fail2ban-MAIL -j RETURN
-A fail2ban-RECIDIVE -s 193.32.162.89/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 193.32.162.23/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 94.156.177.84/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 132.148.135.82/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 51.83.227.40/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 80.94.95.215/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 194.169.175.65/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 80.94.95.239/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-WEB -j RETURN

That’s strange.

I can’t see any rule blocking outbound connections to port 53 or 1.1.1.1, do you know if your hosting provider is enabling any external firewall?

You could debug the command (as root):

Note: replace HereTheUser by the actual user.

sudo bash -x /usr/local/hestia/bin/v-add-letsencrypt-domain HereTheUser direxyst.hu '' yes 2>&1 | tee /tmp/debug_lets

To share the output, use this command and share the url you will get:

Note: if you don’t have netcat (nc) installed, you can use this command to install it: apt install netcat-openbsd

cat /tmp/debug_lets | nc p.27a.net 9999

Well I’ve successfully added a few other mail domains with SSL without any problem, so I doubt there would be any outside block. :confused:
The debug was more than detailed; in the end, all I got by running the command was this:
root@hestia:/# cat /tmp/debug_lets | nc p.27a.net 9999
https://p.27a.net/22iee

Ooh, okay… I see what happened here, nice :slight_smile:

What I see is that it issued a certificate for your mail domain.

What the heck… yes it did now… Have no idea what happened, but thank you!


Great! But the error you got when using the Web UI is strange, and it's also strange that you can't run nslookup using 1.1.1.1 as the DNS resolver.