Cannot generate cert with HTTP and DNS challenges

Hey, guys. I’ve tried everything I could to fix my issue but I still can’t figure out what’s wrong and I think it’s about time I post here for assistance. Before anything, I should say that I’m self-hosting my DNS (the actual delivery. I have records stored in mongodb) and webservers (trying to get dns challenge automated but namecheap wont give me access to API).

Anyway, I’ve had my system use redbird (nodejs) for my web server which handles registering certs via greenlock, if I’m not mistaken, using http challenge. I recently moved to a new apartment and it just happened that my certs expired the day my isp transferred their service to my new place. After I got things set up, I notice redbird could not register my (sub)domains anymore and it kept giving me an E_STATE_INVALID or something about invalid IP. I thought it was weird but I ran it through a few dns lookup tests and the results looked fine. I tried registering using dns challenge, and same thing happened. I could still access my website without https. I also run the TXT records through a few online lookup websites before pressing Enter on certbot to proceed with verifications, which all showed that the TXT records are being shown just fine.

I double and even triple-checked everything and battled with this for a few weeks, but still nothing. If anyone has any idea what I could be doing wrong or where I should be looking, that would be much appreciated. Thanks!

My domain is: eyzi.ch

I ran this command: certbot certonly --manual --preferred-challenge dns -d eyzi.ch *.eyzi.ch

It produced this output:
screenshot_11

My web server is (include version):

The operating system my web server runs on is (include version):
CentOS 7.6.1810

My hosting provider, if applicable, is:
Self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.37.2

There’s some weirdness with your nameserver software that results in Unbound believing that it supports case-insensitive queries (https://tools.ietf.org/html/rfc4343, https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00), when in fact, it does not.

I think that the cause of that belief is that your have 4 nameserver records that all point to the same nameserver. I think that Unbound’s heuristic for “is this nameserver case-insensitive?” gets confused by that.

The result is that Unbound sends a random-cased query to your server, and believes it when it says there’s an empty result.

$ dig @ns1.moonlit.works _AcmE-cHAllengE.EyZi.ch txt

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> @ns1.moonlit.works _AcmE-cHAllengE.EyZi.ch txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31163
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;_AcmE-cHAllengE.EyZi.ch.       IN      TXT

;; Query time: 322 msec
;; SERVER: 207.47.220.137#53(207.47.220.137)
;; WHEN: Mon Sep 30 16:02:06 AEST 2019
;; MSG SIZE  rcvd: 41

I’ve also attached a session between Unbound and your nameserver as a packet capture.
eyzi.pcap (4.2 KB)

4 Likes

Why? Did you make any purchases from namecheap in the past year? If so, you should be able to request API access, then contact them via Live Chat…

Thank you

1 Like

Thanks for the replies!

@_az Thanks! I’ll read through those references and look into it. The DNS server was coded from scratch (with the help of npm’s dnsd module) partly because I just wanted to learn it. I think I have a better idea of what’s going on with it now. It might be because the mongodb lookup I’m doing with it is not case insensitive. Really appreciate your input!

@stevenzhu Oh, is that so? I do have one domain hosted there that I pay annually. I renewed it recently and I’m not sure if that counts as a purchase, per se. I read somewhere that I need to either spend a certain amount of money or purchased a certain number of domains to be allowed access to their API, but I’ll try to reach out to them. Thanks!

That’s actually correct, but if you tell them you want API for this purpose, they should be able to Grant you access.

1 Like

@stevenzhu Nice! That’s good to know! Might come in handy down the line.

@_az Looks like handling case insensitivity fixed it! Though, weirdly enough, before I actually fixed it, I tried querying mixed cases on some online dns lookup services and they were still getting the right results. But after the case fix, I got my domain (and two others) working! Thanks a bunch!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.