_acme-challenge with multiple nameservers

I have been experimenting with getting Let’s Encrypt to use wildcard certificates and have been using the win-acme tool with the Dreamhost plugin.

I bought a new domain from Dreamhost, got the Api-Key and set it all up.

The process (sort of) works. The challenge is made and a TXT record is correctly created. Then the request to authorize is made, and it usually fails.

The reason is that Dreamhost have 3 nameservers and when the record is added, it must add it to one server, then have a background process to sync.

So, if the ACME authorization process does not find it on the nameserver #1, it rejects it… but the TXT file is present on the nameserver #2 or #3.

If another attempt is made, the code changes and sometimes it finds the TXT, but it’s the previous code… or maybe it just gets lucky and hits the right server.

Dreamhost cannot be the only DNS provider with an API that has background processes to synchronize the DNS records between nameservers and so surely the ACME authorization process should attempt to look for the record on ALL nameservers for a domain? This would solve the problem and be more resilient on their side.

At the moment, I’m thinking all I can do is add a 5 or 10 minute sleep process after adding the record into the plugin and let it wait until that’s done, or is someone aware of another solution? Bearing in mind I won’t know which nameserver will receive the update.


Hi @GBSM

That’s how the Domain Name System (DNS) works. Different name servers, one is the primary.

If the data of the primary is changed, the other name servers must be updated.

It’s only a problem of your name server provider, nothing else.

Other name server providers do that in 10 seconds. If your name server provider requires 10 minutes, you

  • accept it
  • switch to another dns provider.

Or:

  • Use a different client (like acme.sh) that has a configurable --dnssleep parameter which you can set to whatever you want.

Thanks for the replies. I will just have to build a wait into the process, given all the factors involved.

I still think it is a good suggestion, given you both acknowledge the delays inherent within the way DNS works.

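The "wait until all nameservers have it" step the thread settles on, as an added example that is not code from any poster, from win-acme or from acme.sh. It polls every authoritative server for the exact challenge token (so a server still serving the previous token counts as not ready) and gives up after a timeout; the nameserver names ns1..ns3, the domain example.com and the tokens are constructed, and the dnspython backend is an assumption about how one would query real servers.

```python
import time
from typing import Callable, Dict, List, Sequence

QueryFn = Callable[[str, str], List[str]]  # (nameserver, name) -> TXT values

def missing_on(nameservers: Sequence[str], name: str, expected: str,
               query: QueryFn) -> List[str]:
    """Nameservers not yet serving the exact token `expected`. Matching the
    value (not just 'a TXT exists') also catches a stale previous token."""
    return [ns for ns in nameservers if expected not in query(ns, name)]

def wait_for_propagation(nameservers, name, expected, query, timeout=600.0,
                         interval=10.0, sleep=time.sleep, clock=time.monotonic):
    """Poll every nameserver until all return `expected` or `timeout` passes.
    Returns (synced, polls); sleep/clock are injectable for offline tests."""
    deadline, polls = clock() + timeout, 0
    while True:
        polls += 1
        if not missing_on(nameservers, name, expected, query):
            return True, polls
        if clock() >= deadline:
            return False, polls
        sleep(interval)

def dnspython_query(nameserver_ip: str, name: str) -> List[str]:
    """Real backend: ask one authoritative server directly (needs dnspython;
    resolve the NS hostnames to IPs first). Any DNS error counts as absent."""
    import dns.exception, dns.resolver  # lazy import: module loads without it
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [nameserver_ip]
    try:
        return [b"".join(rr.strings).decode() for rr in r.resolve(name, "TXT")]
    except dns.exception.DNSException:
        return []

def simulate_lagging_sync(sync_after_polls: int = 3, timeout: float = 600.0):
    """Constructed scenario (hypothetical ns1..ns3): ns2 has the new token,
    ns1 still serves the old one, ns3 nothing; fake sleep = provider sync."""
    name, new, old = "_acme-challenge.example.com", "tok-NEW", "tok-OLD"
    state: Dict[str, List[str]] = {"ns1": [old], "ns2": [new], "ns3": []}
    ticks = [0]
    def fake_sleep(_seconds: float) -> None:
        ticks[0] += 1
        if ticks[0] >= sync_after_polls:  # sync completes: all servers agree
            state.update({ns: [new] for ns in state})
    def fake_query(ns: str, qname: str) -> List[str]:
        return list(state[ns]) if qname == name else []
    return wait_for_propagation(list(state), name, new, fake_query, timeout,
                                10.0, fake_sleep, lambda: ticks[0] * 10.0)
```

Run `wait_for_propagation` with `dnspython_query` against the IPs of all your zone's NS records before handing control back to the ACME client; only after it returns `(True, n)` does the authorization request have a fair chance regardless of which server the CA's resolver hits.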
