ACMESharp - HTTP Challenges not Completing Due to DNS Server

Please fill out the fields below so we can help you better.

My domain is: webapi.pre-uat.sazka.cz

I ran this command: Submit-ACMEChallenge webapi-sazka7 -ChallengeType http-01

It produced this output:
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : webapi.pre-uat.sazka.cz
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/fEUk6eQ9AbzNAp70aPO3AwnlAXrv1cRqxIgINAlEEFI
Status : invalid
Expires : 6/15/2017 8:08:18 AM
Challenges : {, , }
Combinations : {1, 0, 2}

My web server is (include version): IIS 8.5

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is: DNSMADEEASY

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

I am receiving an error saying that there is a problem resolving the DNS; however, the records are resolved by any DNS lookup tool.

Please advise.

I think this should have included the full name: webapi.pre-uat.sazka.cz

This is only the alias, not the DNS record; you can see in the response that there is a resolution problem:
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:connection",
"detail": "DNS problem: SERVFAIL looking up A for webapi.pre-uat.sazka.cz",
"status": 400

There is the problem.
But it doesn't make sense; the DNS for your domain is serviced by:
ns10.dnsmadeeasy.com internet address = 208.94.148.4
ns11.dnsmadeeasy.com internet address = 208.80.124.4
ns14.dnsmadeeasy.com internet address = 208.80.127.4
ns14.dnsmadeeasy.com AAAA IPv6 address = 2600:1802:14::1
ns13.dnsmadeeasy.com internet address = 208.80.125.4
ns13.dnsmadeeasy.com AAAA IPv6 address = 2600:1801:13::1
ns12.dnsmadeeasy.com internet address = 208.80.126.4
ns15.dnsmadeeasy.com internet address = 208.94.149.4

I checked all the IPv4 server IPs and they all resolved that name as:
Name: webapi.pre-uat.sazka.cz
Address: 95.129.32.117

I don't know how to proceed - sorry.

@ohadrh,

You should review the DNSSEC configuration for your domain, because it is not configured properly and that can cause the error you are getting.

http://dnssec-debugger.verisignlabs.com/webapi.pre-uat.sazka.cz

http://dnsviz.net/d/webapi.pre-uat.sazka.cz/dnssec/

Cheers,
sahsanu

This is weird; I have delegation for this domain and I managed to get 2 other DNS records verified under the same domain.

How can I check whether the problem is on my NS servers or whether the person who gave me delegation did not set it correctly?

Thanks,

Ohad.

Hi @ohadrh,

What domains? Because there are certificates issued by Let's Encrypt for msh.sazka.cz (with 1 subdomain), nebe.sazka.cz (with 3 more subdomains) and sazimenasport.sazka.cz, and all of them are resolved directly by the sazka.cz DNS servers. Now, pre-uat.sazka.cz has been delegated and is resolved by dnsmadeeasy.com name servers, but you didn't prepare this child zone to use DNSSEC.

In the first link I provided, you will see the problems you need to resolve:

  1. No DS records found for pre-uat.sazka.cz in the sazka.cz zone
  2. No DNSKEY records found
  3. No NSEC records in response
  4. No RRSIGs found

Cheers,
sahsanu

There's nothing inherently wrong with a signed-to-unsigned delegation. (After all, the root zone is signed, and many other zones aren't.) The problem is doing it incorrectly, which is, I suppose, what the red errors on DNSViz are about.

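The check behind the two posts above, as an added example that is not from this thread, from ACMESharp or from Let's Encrypt: since the original poster is already working in PowerShell, it uses Resolve-DnsName to ask a DNSSEC-validating public resolver the same question a CA's validator asks, and then repeats it with the CD (checking disabled) bit so the resolver hands back the data without validating it. A name that only answers with CD set is failing DNSSEC validation, not missing. It also pulls the DS record for the child zone from the parent and the child's DNSKEY set, which is enough to tell an honest unsigned delegation from one that is done incorrectly. The resolver 8.8.8.8 is an assumption (any validating resolver works); the name and zone default to the ones in the thread.

```powershell
# Added diagnostic example, not code from the thread, ACMESharp or Let's Encrypt.
# Assumptions: Resolve-DnsName (Windows 8 / Server 2012 and later) is available
# and the DNSSEC-validating resolver 8.8.8.8 is reachable.
param(
    [string]$Name   = 'webapi.pre-uat.sazka.cz',   # host name from the thread
    [string]$Zone   = 'pre-uat.sazka.cz',          # delegated child zone from the thread
    [string]$Server = '8.8.8.8'                    # assumed validating resolver
)

function Query {
    # Wraps Resolve-DnsName so a failed lookup (SERVFAIL, NXDOMAIN, NODATA)
    # returns $null instead of throwing. -DnsOnly skips LLMNR/NetBIOS and
    # -NoHostsFile ignores the local hosts file, so only the server's answer counts.
    param([string]$QName, [string]$Type, [switch]$Cd)
    try {
        if ($Cd) {
            # CD bit: the resolver returns whatever the authoritative servers say,
            # even if the signatures do not validate.
            Resolve-DnsName -Name $QName -Type $Type -Server $Server -DnsOnly -NoHostsFile -DnssecCd -ErrorAction Stop
        } else {
            # DO bit: normal validating lookup; a validation failure comes back as SERVFAIL.
            Resolve-DnsName -Name $QName -Type $Type -Server $Server -DnsOnly -NoHostsFile -DnssecOk -ErrorAction Stop
        }
    } catch {
        Write-Verbose "$Type $QName (CD=$Cd) failed: $($_.Exception.Message)"
        $null
    }
}

function Test-DnssecDelegation {
    param([string]$Name, [string]$Zone)

    $validated = Query $Name 'A'              # what a validating resolver (and the CA) sees
    $unchecked = Query $Name 'A' -Cd          # what the data actually is
    $ds        = Query $Zone 'DS'     -Cd     # parent's statement about the child
    $dnskey    = Query $Zone 'DNSKEY' -Cd     # is the child zone signed at all?

    $result = [pscustomobject]@{
        Name              = $Name
        Zone              = $Zone
        ResolvesWithCD    = [bool]$unchecked
        ResolvesValidated = [bool]$validated
        ParentHasDS       = [bool]($ds     | Where-Object { $_.Type -eq 'DS' })
        ChildHasDNSKEY    = [bool]($dnskey | Where-Object { $_.Type -eq 'DNSKEY' })
        Diagnosis         = ''
    }

    if (-not $result.ResolvesWithCD) {
        $result.Diagnosis = 'The A record is missing or the authoritative servers are unreachable; this is not a DNSSEC problem.'
    } elseif ($result.ResolvesValidated) {
        $result.Diagnosis = 'Resolves and validates from this resolver; a SERVFAIL elsewhere points to a transient failure or a different resolver path.'
    } elseif ($result.ParentHasDS -and -not $result.ChildHasDNSKEY) {
        $result.Diagnosis = "Resolves only with checking disabled: $Zone has a DS in its parent but publishes no DNSKEY, so the delegation claims a signed child that is unsigned. Remove the DS or sign the zone."
    } elseif (-not $result.ParentHasDS) {
        $result.Diagnosis = "Resolves only with checking disabled and $Zone has no DS: an unsigned child is allowed, but the parent must prove the absence of the DS with NSEC/NSEC3. Check the parent zone's signing (DNSViz shows this)."
    } else {
        $result.Diagnosis = 'Resolves only with checking disabled although DS and DNSKEY both exist: the DS does not match a DNSKEY, or RRSIGs are missing or expired.'
    }
    $result
}

Test-DnssecDelegation -Name $Name -Zone $Zone | Format-List
```

Run it with -Verbose to see the exact error each individual query produced. The two A queries alone (validating vs. CD) already answer the poster's question of whether the problem is on his name servers or on the parent's side: if the CD query returns 95.129.32.117 while the validating one fails, the records are fine and the chain of trust between sazka.cz and the delegated zone is what the CA's resolver is rejecting.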

I managed to submit a request for info.pre-uat.sazka.cz and gamesrv1.pre-uat.sazka.cz.

You can see the request here:
https://acme-v01.api.letsencrypt.org/acme/authz/N0EQNg_orcrYL3m882vwuNI4mm35hAzmQBt4HlHW1Y4

hi @ohadrh

Neither of your domains seems to be configured correctly in your DNS.

If I try to browse to webapi.pre-uat.sazka.cz I get a timeout.

You are trying to use the HTTP challenge so something needs to be listening for that domain and DNS should be configured to work.

It can be frustrating that a previous challenge worked, but I don't believe it would work if you tried to pass it now.

Andrei

Hi,

I closed the access to these URLs so you won't be able to browse.
All of my other delegated domains (I have about 10 of them) are configured the same as this one and I managed to generate a certificate for all of them except this one.

This is very weird, haven’t encountered this issue yet.

All good.

Test the access from somewhere that is allowed and see if you can browse to it in a browser.

Andrei

I've tested all the endpoints and you can browse to them from all over the world once I allow the connection in the FW (which I had when I tried to generate the certificate).

I found this on DNSMADEEASY website:
DNS Made Easy does provide support for DNSSEC using our secondary DNS service. We do not provide support for DNSSEC using our primary DNS service at this time. As more resolving name servers implement support for this feature, DNS made Easy will implement DNSSEC compliance on our primary systems as well.

I've also tested my other domains which are also hosted on DNSMADEEASY on the DNSSEC debugger site, and all of them have the same issues as pre-uat.sazka.cz, but I managed to create a certificate for them.
