Rackspace is having issues reissuing my SSL for webmail.bendoregon.com. My DNS settings are correct according to them. Their support team keeps sending me "unpause" requests, as if it is something on my end. They host the webmail, I just manage the DNS redirect from my domain. Is there something that is triggering this pause, specifically? I am just trying to help... this issue has been going on for a month now.
No, your DNS config has faulty delegation. This is likely the reason for the cert request to fail. See the Warnings section at: webmail.bendoregon.com | DNSViz
Let's Encrypt walks the authoritative DNS tree. It may choose any path so each must produce a correct result. Your delegation problems cause queries to your DNS to get a reply of SERVFAIL.
That is another problem. The "unpause" is sent by Let's Encrypt when the ACME Client (the program that requests the cert) makes a very large number of failed requests without succeeding. Well-behaved ACME Clients should never do that. One issue is that it never reported the failures that preceded the account being paused. And, another is that it continued trying so frequently to get paused.
Hey, thanks for the detailed reply and assistance. I run bendoregon.com and Rackspace handles the webmail server pl-07.webmail.emailsrvr.com. They told me to have the following DNS entry
Which I do. Unfortunately they have outsourced their tech support to India, I believe, and I am not having much luck over the past month. Is there anything I can do on my end with the DNS settings? Or are there any suggestions I can send them to help remedy this situation? I figured they haven't corrected the error, which is why it keeps getting paused and bounced to me. Any additional help would be much welcome.
Refer them to the dnsviz link I provided. Whoever is managing the DNS should be able to fix that.
Mind you, it has nothing to do with the CNAME specifically. The DNS name servers at your registrar are not the same ones as in the domain's zone. These are described at that link in the Warnings section (snip below). I don't know which one is wrong but they need to match.
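The registrar-versus-zone mismatch described above can be checked by comparing the NS set in the parent's referral with the NS set the zone itself returns. The following Python sketch is an added example, not part of the original post; the dig-style text, the `example.test` names and the function names are constructed for illustration.

```python
# Added example: compare the parent-side delegation with the zone's own NS set.
# All record text and names below are constructed sample data.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
example.test.      172800  IN  NS  ns1.example.test.
example.test.      172800  IN  NS  ns2.example.test.
;; ADDITIONAL SECTION:
ns1.example.test.  172800  IN  A   192.0.2.10
ns2.example.test.  172800  IN  A   192.0.2.11
"""
CHILD_ANSWER = """\
;; ANSWER SECTION:
example.test.      86400   IN  NS  ns1.server-1.example.test.
example.test.      86400   IN  NS  NS2.example.test.
"""

def parse_records(text):
    """Return (owner, rtype, rdata) tuples from dig-style record lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, ';' comment/section lines and anything not 'name ttl IN type rdata'.
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        owner = fields[0].lower().rstrip(".")
        records.append((owner, fields[3].upper(), " ".join(fields[4:])))
    return records

def ns_set(text, zone):
    """NS targets for the zone apex, normalised (DNS names are case-insensitive)."""
    zone = zone.lower().rstrip(".")
    return {rdata.lower().rstrip(".")
            for owner, rtype, rdata in parse_records(text)
            if owner == zone and rtype == "NS"}

def compare_delegation(parent_text, child_text, zone):
    """Report where the registrar-side delegation and the zone disagree."""
    zone = zone.lower().rstrip(".")
    parent, child = ns_set(parent_text, zone), ns_set(child_text, zone)
    glue = {o for o, t, _ in parse_records(parent_text) if t in ("A", "AAAA")}
    return {
        "consistent": parent == child,
        "only_at_parent": sorted(parent - child),
        "only_in_zone": sorted(child - parent),
        # Name servers inside the zone need address (glue) records at the parent.
        "missing_glue": sorted(n for n in parent
                               if n.endswith("." + zone) and n not in glue),
    }

if __name__ == "__main__":
    print(compare_delegation(PARENT_REFERRAL, CHILD_ANSWER, "example.test"))
```

Any name listed under `only_at_parent` or `only_in_zone` is a mismatch of the kind DNSViz reports in its Warnings section.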
I wouldn't tell Rackspace it is fixed quite yet. Testing tools still show failure and they look directly at your DNS servers (they don't use a resolver with a cache). Maybe your DNS servers take a bit to apply these changes. Or, if you modified at the registrar maybe them.
The current failure doesn't show any result at the top, which it will (like 'dig' does) when it works. Look at the bottom for timeout and SERVFAIL errors.
Yeah, I'm not saying anything. Their tech support is problematic at best. The webmail portal isn't even working, which I think they messed up trying to fix the certificate issue. I ran the unboundtest and am seeing the errors... hoping everything is correct... just giving it some time for the DNS to propagate.
I fixed the warnings regarding the NS delegation issue between ns1.server-603576.bendoregon.com and ns1.bendoregon.com... The unbound SERVFAIL errors appear to be an IPv6 issue. My server doesn't run IPv6... is that, or would that be, an issue? Rackspace got back to me and basically said they don't know what the issue is and can't fix it at this time... so any help would be much appreciated.
Ensure, if you aren't using IPv6 networking, that there isn't an AAAA record in the DNS. If there is and you're not responding on it, ACME might not fail over to IPv4 in time before the timeout.
Why do you say that? I still see problems with the ns1 and ns2 bendoregon.com name servers. But, neither of those use IPv6. Who operates these name servers? Is that you or Rackspace?