Letsencrypt expired, and dns errors

yes, correct…

mailinabox/management/status_checks.py

System

:heavy_multiplication_x: SSH Login (ssh) is running but is not publicly accessible at 76.10.176.225:22.
:heavy_multiplication_x: Public DNS (nsd4) is not running (port 53).
:heavy_multiplication_x: Incoming Mail (SMTP/postfix) is running but is not publicly accessible at 76.10.176.225:25.

:heavy_multiplication_x: HTTP Web (nginx) is running but is not publicly accessible at 76.10.176.225:80.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
:heavy_multiplication_x: HTTPS Web (nginx) is running but is not publicly accessible at 76.10.176.225:443.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
✓ SSH disallows password-based login.
✓ System software is up to date.

Network

✓ Firewall is active.
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.

box.f2f10.com

:heavy_multiplication_x: Nameserver glue records are incorrect. The ns1.box.f2f10.com and ns2.box.f2f10.com nameservers must be configured at
your domain name registrar as having the IP address 76.10.176.225. They currently report addresses of [Not Set]/[Not
Set]. It may take several hours for public DNS to update after a change.
:heavy_multiplication_x: This domain must resolve to your box’s IP address (76.10.176.225) in public DNS but it currently resolves to [Not
Set]. It may take several hours for public DNS to update after a change. This problem may result from other issues
listed above.
✓ Reverse DNS is set correctly at ISP. [76.10.176.225 ↦ box.f2f10.com]
✓ Hostmaster contact address exists as a mail alias. [hostmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain’s email is directed to this domain. [box.f2f10.com has no MX record, which is ok]
✓ Postmaster contact address exists as a mail alias. [postmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
:heavy_multiplication_x: The TLS (SSL) certificate has a problem: The certificate has expired or is not yet valid. It is valid from 2017-09-13
06:02:00 to 2017-12-12 06:02:00.

I am also able to do an nslookup using your server as well, so port 53 is fine too.

What does your “dig” or “nslookup” look like? Are you able to get my ns1.box.f2f10.com in the answers?

All open ports I found on that IP are there for you as well.

here is the nmap output of that scan referenced above for you:

https://hastebin.com/ronemumibo.xml

so, everything cool from outside world, then?

It’s weird… things were fine until Dec 12, when that Cert Expired thing happened… then I noticed that DNS thing…

I am now getting results from your DNS server. Check out the below link:

https://mxtoolbox.com/SuperTool.aspx?action=mx%3Af2f10.com&run=toolpage

I was not getting that before, so your MiaB is now responding to DNS requests now. Are you still getting the message on the webpage?

Just noticed you are in Canada, I’m over in Alberta. Nice to see another Canadian MiaB user on here.

Hi cwilkins… nice to meet you here as well!!! :slight_smile:
However, it seems the issue is still here:

sudo mailinabox/management/status_checks.py

System

:heavy_multiplication_x: SSH Login (ssh) is running but is not publicly accessible at 76.10.176.225:22.
:heavy_multiplication_x: Public DNS (nsd4) is not running (port 53).

box.f2f10.com

:heavy_multiplication_x: Nameserver glue records are incorrect. The ns1.box.f2f10.com and ns2.box.f2f10.com nameservers must be configured at
your domain name registrar as having the IP address 76.10.176.225. They currently report addresses of [Not Set]/[Not
Set]. It may take several hours for public DNS to update after a change.
:heavy_multiplication_x: This domain must resolve to your box’s IP address (76.10.176.225) in public DNS but it currently resolves to [Not
Set]. It may take several hours for public DNS to update after a change. This problem may result from other issues
listed above.
✓ Reverse DNS is set correctly at ISP. [76.10.176.225 ↦ box.f2f10.com]
✓ Hostmaster contact address exists as a mail alias. [hostmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain’s email is directed to this domain. [box.f2f10.com has no MX record, which is ok]
✓ Postmaster contact address exists as a mail alias. [postmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
:heavy_multiplication_x: The TLS (SSL) certificate has a problem: The certificate has expired or is not yet valid. It is valid from 2017-09-13
06:02:00 to 2017-12-12 06:02:00.

@box:~$ sudo netstat -plnu | grep named
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp 0 0 127.0.0.1:53 0.0.0.0:* 4494/named
@box:~$ sudo netstat -plnt | grep named
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4494/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 4494/named

sudo mailinabox/management/ssl_certificates.py
No TLS certificates could be provisoned at this time:

box.f2f10.com: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query box.f2f10.com. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL).
f2f10.com: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query f2f10.com. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL).
www.f2f10.com: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query www.f2f10.com. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL).
voicestream.ca: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query voicestream.ca. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL).
www.voicestream.ca: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query www.voicestream.ca. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL).

Local DNS (bind9) is not running (port 53).
:heavy_multiplication_x: Local DNS Control (bind9/rndc) is not running (port 953).
:heavy_multiplication_x: SSH Login (ssh) is running but is not publicly accessible at 76.10.176.225:22.
:heavy_multiplication_x: Public DNS (nsd4) is not running (port 53).

so, we have all these bind9 and nsd all on 53? what’s the relationship of all these? who’s taking care of what?

I do have those nameservers in /etc/nsd/zones/box.f2f10.com.txt…

coming back to very beginning…

noticed Cert Issue, then, tried to manually update Cert and noticed this DNS issue…

It looks like that we may need “nsd” running on udp 53…

and, for the moment, we have this “named” on UDP 53 and this is “bind9” ???

@box:~$ sudo netstat -plnu | grep named
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp 0 0 127.0.0.1:53 0.0.0.0:* 4494/named
@box:~$ sudo netstat -plnt | grep named
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4494/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 4494/named

what’s “named” for? for “bind9” or “nsd4” ???
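In Mail-in-a-Box the two daemons have different jobs: nsd is the authoritative server for the box’s zones and is expected to listen on the public IP (76.10.176.225:53), while bind9, whose process is called `named`, is the local recursive resolver on 127.0.0.1:53 that the box itself uses (the certificate script above asks “Server 127.0.0.1 UDP port 53”). The netstat output above only shows `named`, because it was filtered with `grep named`. As an added example, not part of this thread or of Mail-in-a-Box, here is a small parser for `netstat -plnt`/`-plnu` style lines that reports which program holds port 53 on loopback and on the public IP. The `named` lines in the sample are copied from the thread; the `nsd` lines are a constructed assumption of what a healthy box shows.

```python
import re

# Constructed sample in netstat -plnt / -plnu style (whitespace collapsed, as in the thread).
# The named lines mirror the thread; the nsd lines are an ASSUMED healthy layout, not the poster's output.
SAMPLE = """\
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4494/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 4494/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 4494/named
tcp 0 0 76.10.176.225:53 0.0.0.0:* LISTEN 1021/nsd
udp 0 0 76.10.176.225:53 0.0.0.0:* 1021/nsd
"""

# proto recv-q send-q local foreign [state] pid/program   (program is "-" when not visible)
LINE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+(?:\s+LISTEN)?\s+(?:(\d+)/(\S+)|-)\s*$"
)


def parse_listeners(text):
    """Turn netstat lines into dicts; lines that are not socket rows (warnings, headers) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(3) == "*":
            continue
        proto, addr, port, pid, prog = m.groups()
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "pid": int(pid) if pid else None, "prog": prog or "unknown"})
    return rows


def dns_roles(listeners, public_ip):
    """Which programs serve port 53 on loopback (local resolver) and on the public IP (authoritative)?"""
    roles = {}
    for proto in ("udp", "tcp"):
        on53 = [l for l in listeners if l["port"] == 53 and l["proto"] == proto]
        roles[f"local_{proto}"] = {l["prog"] for l in on53 if l["addr"] == "127.0.0.1"}
        # a 0.0.0.0 wildcard bind also covers the public address
        roles[f"public_{proto}"] = {l["prog"] for l in on53 if l["addr"] in (public_ip, "0.0.0.0")}
    return roles


def diagnose(roles):
    """Return a list of findings; an empty list means both DNS roles are filled on UDP and TCP."""
    findings = []
    for proto in ("udp", "tcp"):
        if not roles[f"public_{proto}"]:
            findings.append(f"nothing listens on the public IP port 53/{proto}: nsd is down or bound "
                            f"elsewhere, so the 'Public DNS (nsd4)' check fails regardless of the firewall")
        if not roles[f"local_{proto}"]:
            findings.append(f"no local resolver on 127.0.0.1:53/{proto}: the box's own lookups "
                            f"(including certificate provisioning) have nothing to ask")
    return findings


if __name__ == "__main__":
    # Run on a box with: sudo netstat -plnt -plnu | python3 this_script.py  (reads stdin if piped)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    roles = dns_roles(parse_listeners(text), "76.10.176.225")
    for k, v in roles.items():
        print(f"{k:11s} {sorted(v) or '-'}")
    for f in diagnose(roles):
        print("!!", f)
```

If the `public_udp` and `public_tcp` sets come back empty on the real box while `named` is still on loopback, the problem is nsd itself; if nsd is there and the status page still says it is “not running”, the check is being blocked on the path from the box to its own public IP, which is the NAT question raised later in the thread.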

Ok, well now that I can see your DNS is responding as expected, that is a good sign.

Wait… Ok, I remember something that screwed me up the last time I did this. So in pfSense I was running into an issue around NAT reflection. When you try to resolve your domain name from behind a NAT router, the queries fail. So in pfSense I had to set my NAT to Proxy mode. One sec, let me see if I can find it. I assume OPNsense has the same feature.

sudo netstat -plnt | grep named

sudo netstat -plnu | grep named

Can you help by running the above to see UDP 53 and TCP 53?

root@box:~# sudo netstat -plnt | grep named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 19849/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 19849/named

root@box:~# sudo netstat -plnu | grep named
udp 0 0 127.0.0.1:53 0.0.0.0:* 19849/named

That is what I see on my box.

Your DNS is responding to the outside world. It’s just inside your firewall that is having the trouble. Were you able to find a setting around NAT reflection on OPNsense?

Take a look at this link… Based on the above troubleshooting I still suspect it is a firewall issue around NAT reflection.

https://www.google.ca/search?q=nat+reflection+opnsense+site:forum.opnsense.org&safe=active&rlz=1C1CHZL_enCA767CA767&sa=X&ved=0ahUKEwjUrfLHxYrYAhUE2oMKHUOABwYQrQIIPygEMAI&biw=1366&bih=637

Ok, I admit now that I have had my topology like this since Oct 25 2017…

Prior to that, I had my OpenWRT router with 4 VLANs for primary routing and with OPNsense on those 4 VLANs as well; however, all DMZ traffic like MiaB would still go through OpenWRT. Only the rest of the internet-facing traffic was redirected to my OPNsense with the VPN provider setting, so it went to the VPN provider’s network. These worked well.

Since Oct 25, 2017, I took OpenWRT out of the map and put everything on OPNsense… I made sure that all settings are correct to have MiaB functioning… Until Dec 12 2017…

What do I try, to find out whether it’s OPNsense or MiaB that is causing the issue with that Let’s Encrypt thing and the DNS thing?