Certbot challenge goes to wrong ip

elcct · July 27, 2017, 9:42pm

Hello,

Basically it seems like either LE has wrong IP address cached or it uses NS record instead of A to resolve the IP.

My domain is configured correctly (checked with dig against @8.8.8.8, 8.8.4.4, dnscheck.pingdom.com, domain’s nameserver and couple of ISP nameservers) and IP for this domain has not changed for months.

That means I can’t create certificate. What to do?

Thanks

schoen · July 27, 2017, 9:43pm

Hi @elcct,

What’s your domain name?

elcct · July 27, 2017, 9:45pm

The domain is satirer.com, LE goes to 212.47.238.217 which is NS server. That domain has A record that points to 198.27.82.58.

Thanks

schoen · July 27, 2017, 9:48pm

Thanks for sharing the domain name. I don’t know how to read everything here yet because I’m not very accustomed to this format, but there’s a new tool to explain how Let’s Encrypt got the DNS resolution answer that it got, so you can see that here:

https://unboundtest.com/m/A/satirer.com/IEVP5DMN

Does this make matters any clearer to you?

Edit: If you don’t understand this output, we can ask the developer of this tool to explain it, and I can learn something from the explanation too.

elcct · July 27, 2017, 10:13pm

Interesting. Sadly I can’t read where does it get the answer from.

Both name servers ns1.parkomat.co and ns2.parkomat.co respond with:

satirer.com. 3600 IN A 198.27.82.58

So the answer shown in unboundtest.com appears incorrect.

schoen · July 27, 2017, 10:23pm

@jsha, can you help us to understand more about the Unbound test output? It matches perfectly with what the CA itself is doing but I’ve found it a little difficult to understand.

jsha · July 27, 2017, 10:34pm

Can you show us the output of Certbot (or other command) that leads you to believe that Let’s Encrypt is contacting the wrong IP address? Can you tell us what software your authoritative nameservers are running? Do your authoritative nameservers use anycast?

Looking at https://unboundtest.com/m/A/satirer.com/IEVP5DMN, I see that it got a response indicating 212.47.238.217

satirer.com.	3600	IN	A	212.47.238.217

But as Seth pointed out, there’s not enough detail to see from which server it got that answer. The logs there are just the debug-level log output from Unbound, so it isn’t necessarily optimized to make problems easy to figure out to people other than the authors (but sometimes it’s useful).

jsha · July 27, 2017, 10:42pm

I think I’ve found your problem. Your authoritative NS gives out the wrong answer when presented with a mixed-case query:

 $ dig +short A satirer.com @ns2.parkomat.co.
198.27.82.58
 $ dig +short A satirer.COM @ns2.parkomat.co.
212.47.238.217

We use mixed-case queries in our resolver to improve security. You’ll need to replace or patch your authoritative NS software.

elcct · July 27, 2017, 10:42pm

This is output from the Certbot using manual verification:

Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.satirer.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.satirer.com/.well-known/acme-challenge/L9B1UVPJuCquCQ7os9NanIsY-19Kmf8zPdBQoInS8Kk [212.47.238.217]: 404, satirer.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://satirer.com/.well-known/acme-challenge/hWRDQhJpZBBMuy-lp3OxAGNGpSAYYM8kyzW7HM4o9VI [212.47.238.217]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.satirer.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.satirer.com/.well-known/acme-challenge/L9B1UVPJuCquCQ7os9NanIsY-19Kmf8zPdBQoInS8Kk
   [212.47.238.217]: 404

   Domain: satirer.com
   Type:   unauthorized
   Detail: Invalid response from
   http://satirer.com/.well-known/acme-challenge/hWRDQhJpZBBMuy-lp3OxAGNGpSAYYM8kyzW7HM4o9VI
   [212.47.238.217]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

This is nslookup showing authoritative servers for that domain

root@xxx:~# nslookup
> set querytype=soa
> satirer.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
satirer.com
	origin = ns1.parkomat.co
	mail addr = admin.satirer.com
	serial = 1501195151
	refresh = 10000
	retry = 2400
	expire = 604800
	minimum = 3600

Authoritative answers can be found from:
satirer.com	nameserver = ns1.parkomat.co.
satirer.com	nameserver = ns2.parkomat.co.
ns1.parkomat.co	internet address = 212.47.238.217
ns2.parkomat.co	internet address = 212.47.238.217

There is no anycast in play. Nameservers are very basic “homegrown” software https://github.com/parkomat/parkomat

elcct · July 27, 2017, 10:43pm

Ahh now that makes sense!

Thank you!

schoen · July 28, 2017, 12:01am

It seems like it would be pretty helpful to get a different mix of output from Unbound for your site—more in some ways but less in others.

Thanks for helping resolve this problem!

elcct · July 28, 2017, 12:13am

I confirm that I was successfully able to obtain a certificate after fixing my DNS server. Also pushed update to github.com/parkomat/parkomat

Thanks again for help

system · August 27, 2017, 12:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.