testing@ett.healthit.gov fails to resolve cert

[Thomas OReilly]

currently seeing an issue with the test address tes...@ett.healthit.gov.  When trying to send to this address, it seems that the DNS server for tes...@ett.healthit.gov gets hung while trying to retrieve an address cert.  This causes intermittent failures since the sending operation times out before trying to pull the org cert:

     $ dig testing.ett.healthit.gov cert @rh202ns2.355.dhhs.gov.
     ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> testing.ett.healthit.gov cert @rh202ns2.355.dhhs.gov.
     ;; global options: +cmd
     ;; connection timed out; no servers could be reached

I also noticed that the site for the CRL for this address is non-responsive.  I am not even able to telnet to port 80 on ca.directca.org.

Thanks!

Thomas

[Katie Crenshaw]

Hi - Thanks for reaching out. This has been logged for review and a member of the team will reach out in the near future. 

[kylem...@gmail.com]

I would add that I am also seeing this same issue. In particular, the D2, D3, and D4 tests of the Certification Discovery Tests are regularly failing because of this (the other CDT cases seem to work). I've tried testing them with two different HISPs (Updox and DataMotion) and seeing the same types of errors with either system. This is something of a certification blocker for any vendor preparing to test h.1. 

Kyle

[Sai Valluripalli]

Kyle,

What is the error you are experiencing? When I do a dig on the DNS I can get the certs fine. 

--
You received this message because you are subscribed to the Google Groups "Edge Test Tool (ETT)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to edge-test-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/edge-test-tool/6a0c240f-9dd6-4d6a-b9bc-a626d2215fecn%40googlegroups.com.

[kylem...@gmail.com]

I'm approaching it from the use case of a developer attempting to demonstrate compliance for the h.1 criteria to achieve ONC certification. I'm going in each HISP and trying to send to those respective (e.g., D2 - trying to send to d...@domain1.dcdt31.healthit.gov). When I try it, the HISPs are not able to lookup/discover d.2, d.3, and d.4. It gives some error that it can't find this address/not a Direct address or something like that. 

I can occasionally get it to work, but like Thomas says above, it seems to get hung trying to retrieve the address cert. I don't know more than that experience - I don't have access to logs for these systems. 

But the fact that 2 different well-established HISPs are having this problem, at least from my experience, indicates something is likely amiss. I am curious if the other certified HISPs can do the D2, D3, D4 cert discovery consistently. 

[Sai Valluripalli]

You should work with your HISP to find the root cause. From the ETT perspective, the certs are accessible from DNS. If there is a specific case where it always fails, please let us know.

Thanks

[Katie Crenshaw]

Hello - please let us know if you are still experiencing issues.