Hey, guys. I’ve tried everything I could to fix my issue but I still can’t figure out what’s wrong, and I think it’s about time I post here for assistance. Before anything, I should say that I’m self-hosting my DNS (the actual delivery; I have records stored in MongoDB) and web servers (trying to get the DNS challenge automated, but Namecheap won’t give me access to the API).
Anyway, I’ve had my system use Redbird (Node.js) for my web server, which handles registering certs via Greenlock, if I’m not mistaken, using the HTTP challenge. I recently moved to a new apartment, and it just happened that my certs expired the day my ISP transferred their service to my new place. After I got things set up, I noticed Redbird could not register my (sub)domains anymore, and it kept giving me an E_STATE_INVALID or something about an invalid IP. I thought it was weird, but I ran it through a few DNS lookup tests and the results looked fine. I tried registering using the DNS challenge, and the same thing happened. I could still access my website without HTTPS. I also ran the TXT records through a few online lookup websites before pressing Enter on certbot to proceed with verification, which all showed that the TXT records were being shown just fine.
I double- and even triple-checked everything and battled with this for a few weeks, but still nothing. If anyone has any idea what I could be doing wrong or where I should be looking, that would be much appreciated. Thanks!
My domain is: eyzi.ch
I ran this command: certbot certonly --manual --preferred-challenge dns -d eyzi.ch *.eyzi.ch
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
CentOS 7.6.1810
My hosting provider, if applicable, is:
Self-hosted
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.37.2
I think that the cause of that belief is that you have 4 nameserver records that all point to the same nameserver. I think that Unbound’s heuristic for “is this nameserver case-insensitive?” gets confused by that.
The result is that Unbound sends a random-cased query to your server, and believes it when it says there’s an empty result.
@_az Thanks! I’ll read through those references and look into it. The DNS server was coded from scratch (with the help of npm’s dnsd module), partly because I just wanted to learn it. I think I have a better idea of what’s going on with it now. It might be because the MongoDB lookup I’m doing with it is not case-insensitive. Really appreciate your input!
@stevenzhu Oh, is that so? I do have one domain hosted there that I pay for annually. I renewed it recently, and I’m not sure if that counts as a purchase, per se. I read somewhere that I need to either spend a certain amount of money or purchase a certain number of domains to be allowed access to their API, but I’ll try to reach out to them. Thanks!
@stevenzhu Nice! That’s good to know! Might come in handy down the line.
@_az Looks like handling case insensitivity fixed it! Though, weirdly enough, before I actually fixed it, I tried querying mixed cases on some online DNS lookup services and they were still getting the right results. But after the case fix, I got my domain (and two others) working! Thanks a bunch!