_acme-challenges mismatch from dns-rfc2136

While trying to issue a wildcard certificate to a domain, using the DNS-RFC2136 (BIND) plugin in a “certonly” request, certbot registers two TXT _acme-challenge entries on my DNS server, and none matches the ACME challenge expected by the server. Therefore it fails verification.

This is happening with both the dns-rfc2136 plugin and a manual hook I’ve been happily using for the past 2+ years. My original certbot was an ancient 0.38 version, which was updated to 1.3.0 as part of a troubleshooting session.

The “certupdate” command is just a wrapper script that does a few things prior and after the certificate is issued.

It is my understanding that wildcard certificates are only issued if requested with a DNS challenge, so the HTTP-based options are a no-go for me. Any advice around this DNS challenge is welcome.

Certbot command - certbot.log.txt (218 Bytes)

CLI output - certbot_cli.log.txt (1.1 KB)

BIND logging DDNS output - named_ddns.log.txt (1.4 KB)

BIND logging zone Xfer output - named_zone_xfer.log.txt (837 Bytes)

letsencrypt.log logfile - letsencrypt.log.txt (30.0 KB)


Looking at the authorization (https://acme-staging-v02.api.letsencrypt.org/get/authz-v3/43595567), we can see the error:

DNS problem: SERVFAIL looking up TXT for _acme-challenge.hquest.pro.br - the domain’s nameservers may be malfunctioning

Running a test through any one of DNS testing sites (https://letsdebug.net/hquest.pro.br/112378), we can see there’s a problem with the DNSSEC configuration of the domain:

DNS response for hquest.pro.br had fatal DNSSEC issues: validation failure <hquest.pro.br. CAA IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 2001:470:100::2 for key hquest.pro.br. while building chain of trust


According to their website, Hurricane Electric’s DNS service doesn’t support DNSSEC. They’ve been “looking into” it for a long time.

[That is not a criticism.]


“not supporting” and “having a misconfigured DNS server” are two different things @mnordhoff. A DNS server shouldn’t respond with SERVFAIL.


HE does not support hosting master DNSSEC entries; however, they work just fine as a slave. And yep, it seems there are more pressing concerns on my zone. Appreciate the hints - I assumed this piece was OK when it is not.


After fixing the DS record on my upstream provider for this domain, and letting a few minutes pass for the propagation to do its magic, I have it all set now, with brand new/renewed certificates!

Thank you @_az for the hint of the letsdebug website - added it to my links arsenal.
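The SERVFAIL in this thread came from a broken chain of trust: the DS record published at the parent must be the digest of a DNSKEY the zone actually serves, which is what fixing the DS at the upstream provider restored. As an added example (not from this thread, certbot, or BIND), here is a stdlib-only Python check that computes DS records per RFC 4034 and reports why a parent DS set fails to match the zone's keys; the zone name, key bytes and the algorithm-7-to-8 roll are constructed placeholders, not the poster's real data.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in DNS wire format, lower-cased as RFC 4034 requires for DS."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSAMD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, digest) per RFC 4034 section 5.1.4."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def check_chain(owner, parent_ds, zone_dnskeys):
    """True when some parent DS is the digest of a DNSKEY the child zone serves."""
    computed = {make_ds(owner, k, d) for k in zone_dnskeys for d in (1, 2)}
    for ds in parent_ds:
        if ds in computed:
            return True, "DS tag %d alg %d matches a DNSKEY" % (ds[0], ds[1])
    return False, "no DNSKEY matches any DS: parent DS algs %s, zone DNSKEY algs %s" % (
        sorted({ds[1] for ds in parent_ds}), sorted({k[3] for k in zone_dnskeys}))

# Constructed sample: the zone rolled from algorithm 7 (RSASHA1-NSEC3-SHA1) to 8
# (RSASHA256) but the registrar still publishes the DS of the old key.
OWNER = "example.test."  # placeholder zone, not the thread's domain
OLD_KEY = dnskey_rdata(257, 3, 7, base64.b64encode(b"constructed-old-ksk").decode())
NEW_KEY = dnskey_rdata(257, 3, 8, base64.b64encode(b"constructed-new-ksk").decode())
STALE_PARENT_DS = [make_ds(OWNER, OLD_KEY)]
ZONE_KEYS = [NEW_KEY]

if __name__ == "__main__":
    print(check_chain(OWNER, STALE_PARENT_DS, ZONE_KEYS))  # (False, ...)
    print(check_chain(OWNER, [make_ds(OWNER, NEW_KEY)], ZONE_KEYS))  # (True, ...)
```

Against a live zone, feed `parent_ds` from a `dig DS` at the parent and `zone_dnskeys` from the zone's own DNSKEY RRset; a validating resolver answers SERVFAIL in exactly the case where `check_chain` returns False.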
