Certificate pending long time with cert-manager

Sounds like dns1.yandex.net just won't work for the letsencrypt zone, right?
That's weird, because I thought there are a lot of websites managed by their DNS which work with letsencrypt (but I don't have the stats, though).

I am awaiting a domain transfer to Google on February 3rd, but anyway I would like to understand wtf

That makes no sense at all.
Yandex is authoritative for your DNS zone [not LE].

3 Likes

Do you know how to check that?
We've checked it [more than once].

3 Likes

And from here: DNS-01 challenge
"Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server."

2 Likes

But I need it to be authoritative for LE to get the certificate, isn't that so?

From https://unboundtest.com/
"Use this server to make DNS queries against an Unbound instance and get logs. The Unbound instance is configured very similarly to Let's Encrypt's production servers, and is started fresh for each query so there are no caching effects. If you are having trouble diagnosing a DNS problem reported by Let's Encrypt, this may help you debug it. Common problems include: invalid DNSSEC records, failure to implement DNS 0x20 (mixed case), timeouts, and flaky servers.

Once you've made a query, you'll get a URL you can share. Note that URLs are currently only persisted in memory, so they are likely to disappear after a few hours or days when the server is restarted. Source code on GitHub. View the Unbound config."

1 Like

Yes, but you seem to NOT understand how to get an authoritative answer.

Let's review:

How do you do #1?
Try:
nslookup -q=ns trood.com. a.gtld-servers.net
Then make your requests to those servers.

3 Likes

For example this is what I did.

$ nslookup -q=ns trood.com. a.gtld-servers.net.
Server:         a.gtld-servers.net.
Address:        192.5.6.30#53

Non-authoritative answer:
*** Can't find trood.com.: No answer

Authoritative answers can be found from:
trood.com       nameserver = dns1.yandex.net.
trood.com       nameserver = dns2.yandex.net.
$ nslookup -q=ns trood.com. dns1.yandex.net.
Server:         dns1.yandex.net.
Address:        213.180.204.213#53

trood.com       nameserver = dns1.yandex.net.
trood.com       nameserver = dns2.yandex.net.
2 Likes

Here is a list of issued certificates crt.sh | em.trood.com, the latest being 2023-01-30.
It appears that this certificate is the one presently being served: crt.sh | 8538376070
And the server seems well: SSL Server Test: em.trood.com (Powered by Qualys SSL Labs)

1 Like

Thank you, I got it.
So when I don't set this server explicitly, nslookup just doesn't show the authoritative servers for my zone; that's how I understand this.
What I don't understand is why letsencrypt did not approve the DNS. What's even worse, it just started working, while I've changed nothing.
Looks like DNS propagation took longer in terms of authoritative networks, but maybe I misunderstand.

3 Likes

Thank you very much,
It just started working; I've got the certificate, but unfortunately I don't know how. Perhaps DNS propagation nuances.

3 Likes

The certbot logs may show the reason it failed.

I don't see how that is "worse".

3 Likes

It used to fail with "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.em.trood.com - check that a DNS record exists for this domain"

Of course it's great to have things working, but it's bad not to have a clear understanding of why.
I'll believe that it was DNS propagation time. If you agree, I believe I should close the issue.

Thank you very much for the assistance!

3 Likes

I have seen no proof of it being anything else.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.