_acme-challenge duplicate hostnames

I saw some posts on here about duplicate hostnames, but the things I've tried to do to prevent it, hasn't worked. This automated cert renewal has been working fine, and now if doesn't OS and certbot version haven't changed. Thanks for any help.

My domain is: ply-freeipa-02.ipa.prd.localnet.io

I ran this command:

certbot certonly -v --manual --preferred-chain "ISRG Root X1" --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook 'ipa dnsrecord-mod _acme-challenge.ply-freeipa-02 --txt-rec=oSDAnDkBKVJNpnVacCpIbxt6iot_r-rAnAafaLFzl6M; sleep 10' -d ply-freeipa02.ipa.prd.localnet.io --agree-tos --email "<my-email>" --expand -n

It produced this output:

Domain: ply-freeipa-02.ipa.prd.localnet.ioipa.prd.localnet.io
Type:   dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ply-freeipa-02.ipa.prd.localnet.ioipa.prd.localnet.io - check that a DNS record exists for this domain
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

My web server is (include version): NA

The operating system my web server runs on is (include version): NA

My hosting provider, if applicable, is: local FreeIPA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

Here is a list of issued certificates crt.sh | ply-freeipa-02.ipa.prd.localnet.io, the latest being 2022-07-11

Looks like you have a DNS issue:

And from https://dnsviz.net/
ply-freeipa-02.ipa.prd.localnet.io | DNSViz

And nslookup isn't happy either with DNS.

$ nslookup
> ply-freeipa-02.ipa.prd.localnet.io
;; Got SERVFAIL reply from 75.75.75.75, trying next server
Server:         74.82.42.42
Address:        74.82.42.42#53

** server can't find ply-freeipa-02.ipa.prd.localnet.io: NXDOMAIN
> set q=soa
> ply-freeipa-02.ipa.prd.localnet.io
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; Got SERVFAIL reply from 75.75.75.75, trying next server
Server:         74.82.42.42
Address:        74.82.42.42#53

** server can't find ply-freeipa-02.ipa.prd.localnet.io: NXDOMAIN
> ipa.prd.localnet.io
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find ipa.prd.localnet.io: NXDOMAIN
> prd.localnet.io
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find prd.localnet.io: NXDOMAIN
> localnet.io
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
localnet.io
        origin = ns1.voyant.com
        mail addr = hostmaster.voyant.com
        serial = 2022071100
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 86400

Authoritative answers can be found from:
> server ns1.voyant.com
Default server: ns1.voyant.com
Address: 137.192.240.3#53
> localnet.io
Server:         ns1.voyant.com
Address:        137.192.240.3#53

localnet.io
        origin = ns1.voyant.com
        mail addr = hostmaster.voyant.com
        serial = 2022071100
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 86400
> prd.localnet.io
Server:         ns1.voyant.com
Address:        137.192.240.3#53

*** Can't find prd.localnet.io: No answer
> ipa.prd.localnet.io
Server:         ns1.voyant.com
Address:        137.192.240.3#53

Non-authoritative answer:
*** Can't find ipa.prd.localnet.io: No answer

Authoritative answers can be found from:
ipa.prd.localnet.io     nameserver = ply-freeipa-dns01.ipa.prd.localnet.io.
ipa.prd.localnet.io     nameserver = ply-freeipa-dns02.ipa.prd.localnet.io.
ply-freeipa-dns02.ipa.prd.localnet.io   internet address = 137.192.1.143
ply-freeipa-dns01.ipa.prd.localnet.io   internet address = 137.192.1.142
> server ply-freeipa-dns01.ipa.prd.localnet.io
couldn't get address for 'ply-freeipa-dns01.ipa.prd.localnet.io': not found
> ipa.prd.localnet.io
Server:         ns1.voyant.com
Address:        137.192.240.3#53

Non-authoritative answer:
*** Can't find ipa.prd.localnet.io: No answer

Authoritative answers can be found from:
ipa.prd.localnet.io     nameserver = ply-freeipa-dns01.ipa.prd.localnet.io.
ipa.prd.localnet.io     nameserver = ply-freeipa-dns02.ipa.prd.localnet.io.
ply-freeipa-dns02.ipa.prd.localnet.io   internet address = 137.192.1.143
ply-freeipa-dns01.ipa.prd.localnet.io   internet address = 137.192.1.142
>
> server ply-freeipa-dns01.ipa.prd.localnet.io
couldn't get address for 'ply-freeipa-dns01.ipa.prd.localnet.io': not found
> server ply-freeipa-dns02.ipa.prd.localnet.io
couldn't get address for 'ply-freeipa-dns02.ipa.prd.localnet.io': not found
>

Since these are Domain Validation (DV) certificates the Domain Name System (DNS) is used extensively in the validation process as well a allowing us to assist here on Let's Encrypt community.
DNS Queries need to give consistent results from any location on the Internet, all your authoritative DNS Servers for the Domain need to also give consistent results as well.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

3 Likes

Thank you Bruce, for the quick reply. I am looking into DNS issues now.

4 Likes

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

2 Likes

This ended up being a DNSSEC issue. Thank you for the help.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.