ACME DNS Challenge TXT record not found


#1

so basically I want a wildcard certificate for my *.example.com
I have NS records for myserver.com in name.com
my nameserver has a PowerDNS API which only responds to the lookup method
so when using certbot I put the given TXT on my nameservers to serve them
I can see the TXT records when I dig _acme-challenge.example.com but certbot gives me the following error:
Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.myserver.com

here is my dig -t TXT _acme-challenge.myserver.com output’s answer section:

;; ANSWER SECTION:
_acme-challenge.myserver.com. 299 IN TXT "iP8WMczfTCkgxqAQuacure_gHcoQDsM_fZv6JxOLEWo"
_acme-challenge.myserver.com. 299 IN TXT "p-4pkrTyrA2rWYTkbyt0uxLnHwxiG9ZT3btkkTZ2qT0"


#2

Hi @danialgood

to find errors, we need information. So please answer the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#3

First of all, thanks for clarifying the secrecy part!

so the wildcard domain I am trying to get is *.cdn.cafebazaar.cloud
certbot command:
sudo /opt/certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual -d '*.cdn.cafebazaar.cloud'

the output produced, as mentioned above, was
Failed authorization procedure. cdn.cafebazaar.cloud (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.cdn.cafebazaar.cloud
(and an IMPORTANT NOTES section that I think is static and not related to my problem)

by web server I assume you mean my nameservers, where there is a pdns (4.0.0-alpha2) service running which is connected to a unix backend on Ubuntu 16.04, and I have a root shell
I'm using certbot-auto 0.30.2 as the client


#4

Mhm, curious, you have two “good looking entries” ( https://check-your-website.server-daten.de/?q=cdn.cafebazaar.cloud ):

The “perhaps wrong” isn’t a problem, it’s empty. But nameservers should send “Name error”, nothing else.

The length of the two entries is correct, there are only allowed characters used.

The only vague idea: Your delegation is wrong:

cdn.cafebazaar.cloud
	•  ns1.cdnmng.cafebazaar.cloud
	•  ns2.cdnmng.cafebazaar.cloud
	•  ns3.cdnmng.cafebazaar.cloud
cafebazaar.cloud
	•  ns1dhq.name.com
	•  ns2clp.name.com
	•  ns3jmt.name.com
	•  ns4qxz.name.com

No, checked manually, this looks good. But manually I can’t find your entries; there I get a SOA as the answer, not the TXT entry.


#5

I’m not sure what’s wrong. :confused:

DNSViz reports issues that need to be fixed, but only ones that would cause different errors, I think.

http://dnsviz.net/d/_acme-challenge.cdn.cafebazaar.cloud/XFBxNw/dnssec/

unboundtest confirms that your DNS server at 79.175.132.51 does in fact return NODATA:

https://unboundtest.com/m/TXT/_acme-challenge.cdn.cafebazaar.cloud/7C7K5YYQ

$ dig +norecurse _acme-challenge.cdn.cafebazaar.cloud txt @79.175.132.51

; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> +norecurse _acme-challenge.cdn.cafebazaar.cloud txt @79.175.132.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43055
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;_acme-challenge.cdn.cafebazaar.cloud. IN TXT

;; AUTHORITY SECTION:
_acme-challenge.cdn.cafebazaar.cloud. 30 IN SOA ns1.cafebazaar.cloud. info.cafebazar.ir. 2017080601 14400 3600 604800 3600

;; Query time: 2222 msec
;; SERVER: 79.175.132.51#53(79.175.132.51)
;; WHEN: Tue Jan 29 15:35:19 UTC 2019
;; MSG SIZE  rcvd: 122

You need to sort out why it’s doing that, or, if it shouldn’t be authoritative for that zone, why it is.

This may not be relevant, but you should really upgrade off that three-year-old alpha. If nothing else, it has security vulnerabilities and a minor EDNS compliance bug (which isn’t relevant to Flag Day).

https://repo.powerdns.com/ has current packages.
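The two dig runs quoted in this thread differ in exactly the way a CA validator cares about: a NOERROR response with zero answer records and an SOA in the authority section is NODATA ("the name exists, but has no TXT"), which is what Let's Encrypt turned into "No TXT record found". Querying through a recursive resolver hides this, because the resolver may hand back a cached copy while the authoritative server is still answering NODATA. The script below is an added example, not code from any post or from Certbot or PowerDNS: it queries every authoritative server of a zone with recursion disabled, classifies each response the way the validator would, and checks that the expected token is actually present. The embedded transcripts are constructed, trimmed copies of the two dig outputs in this thread; the zone, name and token on the command line are whatever you are validating.

```shell
#!/bin/sh
# Added example (not from any post in this thread): ask each authoritative
# nameserver of a zone for the _acme-challenge TXT record the way a CA
# validator does (directly, recursion disabled) and report what it actually got.
# The two trimmed transcripts below are constructed from the dig output quoted
# in this thread and drive the stand-alone run.

# classify_dig_output: read a dig transcript on stdin, print one verdict.
# NOERROR with zero answers is NODATA: the server claims the name exists but
# has no TXT at it, which is exactly what the CA reported here.
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  ancount=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR)
      if [ "${ancount:-0}" -gt 0 ]; then echo ANSWER; else echo NODATA; fi ;;
    NXDOMAIN) echo NXDOMAIN ;;
    *) echo "${status:-NORESPONSE}" ;;
  esac
}

# is_authoritative: succeed if the aa flag is set. An answer without aa came
# from a cache or forwarder, not from the server the CA will ask.
is_authoritative() {
  grep -q '^;; flags:[^;]* aa[ ;]'
}

# txt_has_token TOKEN: succeed if a TXT answer carrying exactly TOKEN is present.
txt_has_token() {
  grep -q "IN[[:space:]][[:space:]]*TXT[[:space:]][[:space:]]*\"$1\""
}

# check_all_ns ZONE NAME TOKEN: query every NS of ZONE for NAME with RD=0.
# Every server must answer ANSWER with the token; the CA may pick any of them.
check_all_ns() {
  for ns in $(dig +short NS "$1"); do
    out=$(dig +norecurse +tries=1 +time=5 TXT "$2" @"$ns")
    verdict=$(printf '%s\n' "$out" | classify_dig_output)
    printf '%s\n' "$out" | is_authoritative && aa=aa || aa=NOT-AUTHORITATIVE
    printf '%s\n' "$out" | txt_has_token "$3" && tok=present || tok=missing
    printf '%-40s %-10s %-18s token=%s\n' "$ns" "$verdict" "$aa" "$tok"
  done
}

# Constructed, trimmed transcripts modelled on the two dig runs in the thread.
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43055
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;_acme-challenge.cdn.cafebazaar.cloud. IN TXT

;; AUTHORITY SECTION:
_acme-challenge.cdn.cafebazaar.cloud. 30 IN SOA ns1.cafebazaar.cloud. info.cafebazar.ir. 2017080601 14400 3600 604800 3600'

SAMPLE_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47247
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_acme-challenge.cdn.cafebazaar.cloud. 300 IN TXT "p-4pkrTyrA2rWYTkbyt0uxLnHwxiG9ZT3btkkTZ2qT0"
_acme-challenge.cdn.cafebazaar.cloud. 300 IN TXT "PmLJsa2OOjMlxhXTtSLUJYDqbh3BrUyY1UOFqjJctOU"'

if [ $# -eq 3 ]; then
  # e.g. cdn.cafebazaar.cloud _acme-challenge.cdn.cafebazaar.cloud <token>
  check_all_ns "$1" "$2" "$3"
else
  printf 'sample NODATA transcript -> %s\n' "$(printf '%s\n' "$SAMPLE_NODATA" | classify_dig_output)"
  printf 'sample ANSWER transcript -> %s\n' "$(printf '%s\n' "$SAMPLE_ANSWER" | classify_dig_output)"
fi
```

Run it as `sh acme_txt_check.sh cdn.cafebazaar.cloud _acme-challenge.cdn.cafebazaar.cloud <token>` right before telling certbot to continue. Any line that is not `ANSWER aa token=present` is a failure the CA can hit, since it picks its own nameserver and does not use your resolver's cache. Note that `dig +short NS` asks your local resolver for the NS set; if you suspect a delegation problem as well, compare that list with the NS records the parent zone hands out.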


#6

Thank you both for looking this up
manually testing this with the command @mnordhoff mentioned, I get the result below:
```
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> +norecurse _acme-challenge.cdn.cafebazaar.cloud txt @79.175.132.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47247
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;_acme-challenge.cdn.cafebazaar.cloud. IN TXT

;; ANSWER SECTION:
_acme-challenge.cdn.cafebazaar.cloud. 300 IN TXT "p-4pkrTyrA2rWYTkbyt0uxLnHwxiG9ZT3btkkTZ2qT0"
_acme-challenge.cdn.cafebazaar.cloud. 300 IN TXT "PmLJsa2OOjMlxhXTtSLUJYDqbh3BrUyY1UOFqjJctOU"

;; Query time: 1699 msec
;; SERVER: 79.175.132.51#53(79.175.132.51)
;; WHEN: Tue Jan 29 19:38:02 +0330 2019
;; MSG SIZE rcvd: 177
```
as for the unboundtest, I tried with a different valid domain and I see the problem, but any idea how to debug this?

p.s. I look forward to upgrading the pdns; thank you again for mentioning it


#7

“dig +norecurse _acme-challenge.cdn.cafebazaar.cloud txt @79.175.132.51” works for me now too!

Do you know why the response time is so high? It’s not normal for a DNS server to take 1.5 seconds. :face_with_raised_eyebrow:

Edit: I just sent an SOA query and it only took 186 ms.

Edit: By the way, if you’re not using it yet, you can use Certbot’s dns-rfc2136 plugin to make automated DNS changes.

https://certbot-dns-rfc2136.readthedocs.io/en/stable/

https://doc.powerdns.com/authoritative/dnsupdate.html
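To show what the dns-rfc2136 suggestion looks like in practice, here is an added example (not from any post, and not code from Certbot or PowerDNS) of wiring the plugin to a PowerDNS Authoritative server so that certbot inserts and removes the `_acme-challenge` TXT record itself, with a TSIG key instead of a human copying tokens around. Assumed values: the TSIG key name `certbot-acme`, updates allowed only from `127.0.0.1` (certbot running on the nameserver), the zone and server address from this thread, and whatever credentials path you pass in. One caveat a practitioner should know before going this way: PowerDNS only accepts DNS UPDATE for backends that can write records, such as the generic SQL backends; a lookup-only remote backend like the one described in this thread would first have to move the zone (or at least the `_acme-challenge` name) into a writable backend.

```shell
#!/bin/sh
# Added example (not from this thread): let Certbot's dns-rfc2136 plugin insert
# and remove the _acme-challenge TXT record in a PowerDNS Authoritative zone.
# Assumed: TSIG key name certbot-acme, updates only from 127.0.0.1, the zone and
# server address from the thread, and the credentials path passed in.

# pdns.conf additions: enable DNS UPDATE and restrict who may send it at all.
# Which key and which source may update a given zone is set per zone below.
pdns_dnsupdate_config() {
  cat <<'EOF'
dnsupdate=yes
allow-dnsupdate-from=127.0.0.1/32
EOF
}

# One-time server-side setup: create the TSIG key and bind it to the zone.
# pdnsutil prints the generated base64 secret; it goes into the credentials
# file. (Runs pdnsutil, so the stand-alone demo below does not call it.)
pdns_enable_zone_updates() {   # zone keyname
  pdnsutil generate-tsig-key "$2" hmac-sha512
  pdnsutil set-meta "$1" TSIG-ALLOW-DNSUPDATE "$2"
  pdnsutil set-meta "$1" ALLOW-DNSUPDATE-FROM 127.0.0.1/32
}

# Credentials file for the plugin. The TSIG secret authorises arbitrary record
# changes in the zone, so the file is created 0600 and the secret never goes
# on a command line.
write_rfc2136_credentials() {   # path server keyname secret
  (
    umask 077
    cat >"$1" <<EOF
dns_rfc2136_server = $2
dns_rfc2136_port = 53
dns_rfc2136_name = $3.
dns_rfc2136_secret = $4
dns_rfc2136_algorithm = HMAC-SHA512
EOF
  )
  chmod 600 "$1"
}

# Issue the wildcard: the plugin adds the TXT over RFC 2136, waits for the
# propagation delay (for secondaries), lets the CA validate, then deletes it.
request_wildcard() {   # credentials-path domain
  certbot certonly --dns-rfc2136 \
    --dns-rfc2136-credentials "$1" \
    --dns-rfc2136-propagation-seconds 30 \
    -d "$2"
}

# Stand-alone demo: only renders the config and a credentials file in a
# temporary location; nothing touches pdns or the CA.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  pdns_dnsupdate_config
  write_rfc2136_credentials "$tmp" 79.175.132.51 certbot-acme 'PASTE-PDNSUTIL-SECRET-HERE'
  cat "$tmp"
  rm -f "$tmp"
fi
```

On the server, `pdns_enable_zone_updates cdn.cafebazaar.cloud certbot-acme` is run once; the secret it prints is what `write_rfc2136_credentials` stores. Certbot checks the credentials file's permissions and warns when it is readable by others, which is why the file is created under `umask 077` rather than fixed up afterwards. Because the update goes straight to the authoritative server, the slow "look it up at name.com on every query" path described later in this thread disappears entirely.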


#8

ok, because my backend code only supports lookup queries, I had to put the TXT records in name.com (with acme.sh to be exact, and then manually) and then query them from my backend upon the challenge, hence the high response time

so I changed it to a sample string; the response time went down to 250 ms but the problem still persists


closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.