Certificate renewal fail: HTTP-01 using DNS wildcard

Hello,

We use win-acme version 2.1.15.1008 using https://acme-v02.api.letsencrypt.org/. Site on IIS already has active SSL for https://eleo.komma.dev. We have a wildcard DNS A-record to this webserver. When renewal is run we see:

2021-05-31 09:00:02.169 +02:00 [INF] Renewing certificate for [IIS] eleo.komma.dev, (any host)
2021-05-31 09:00:03.662 +02:00 [INF] [eleo.komma.dev] Authorizing...
2021-05-31 09:00:03.663 +02:00 [INF] [eleo.komma.dev] Authorizing using http-01 validation (SelfHosting)
2021-05-31 09:00:09.078 +02:00 [ERR] [eleo.komma.dev] Authorization result: invalid
2021-05-31 09:00:09.082 +02:00 [ERR] [eleo.komma.dev] {
"type": "urn:ietf:params:acme:error:dns",
"detail": "No valid IP addresses found for eleo.komma.dev",
"status": 400
}
2021-05-31 09:00:09.107 +02:00 [ERR] Renewal for [IIS] eleo.komma.dev, (any host) failed, will retry on next run

But there is a valid A-record as it is a wildcard A record. I could even install the certificate on the website, so it should work?

It's quite strange... Let's Encrypt uses the DNS resolver unbound, so a crew member of LE has set up unboundtest.com to debug resolver issues by matching the LE production servers' unbound configuration pretty well. It fails with the message "message contains bad rrsets" (https://unboundtest.com/m/A/eleo.komma.dev/QSKJHADJ). However, I don't understand why. Many times SERVFAIL errors are due to DNSSEC problems, but two independent sites report no DNSSEC issues (eleo.komma.dev | DNSViz and DNSSEC Analyzer - eleo.komma.dev).

Maybe someone else has a great idea?


That DNSViz has a line of "NSEC proving non-existence of eleo.komma.dev/A", which makes me think that DNSSEC simultaneously thinks eleo. doesn't exist even though it also knows *. does exist? Wildcard DNS along with a non-wildcard certificate seems like a weird use case, anyhow, though I don't know why it wouldn't work. Is there some reason you're going about what you're doing this way, and maybe there's a better one that your DNS server will like better? I really need to dive deep and learn the intricacies of how DNSSEC works at some point, so I'm not sure I'm being all that helpful, but it sounds like there's something in your setup which is misconfigured (or your DNS server has some kind of bug when dealing with wildcard records?).

Depending on what kind of interface your DNS provider gives you, can you maybe disable DNSSEC and re-enable it, or have them re-sign your zone, or something like that? Or maybe add an explicit eleo. record, even if you're going to have a wildcard result for some other names?

That's a common (even expected?) result for wildcard DNS. I can confirm a similar result with one of my own domains and I don't have any trouble getting LE certs at that zone.
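As an added example (not code from anyone in this thread), here are the two checks a validating resolver applies to a wildcard-synthesized answer such as eleo.komma.dev, in pure Python over constructed records: the RRSIG Labels field reveals that the A RRset came from *.komma.dev, and the authority section must then carry an NSEC covering the queried name, which is exactly the "NSEC proving non-existence of eleo.komma.dev/A" line DNSViz shows. The NSEC chains below are constructed for illustration and assume the wildcard sits one label below its parent.

```python
"""DNSSEC validator checks for a wildcard-synthesized answer (no network).
Records are constructed to mirror the thread: eleo.komma.dev answered from
*.komma.dev. Names are compared in canonical order (RFC 4034 section 6.1)."""


def canonical_key(name: str):
    """Ordering key: labels reversed, case-folded; a shorter prefix sorts first."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def wildcard_source(owner: str, rrsig_labels: int):
    """A Labels field smaller than the owner's label count means the RRset was
    expanded from a wildcard; return that wildcard name, else None."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    if rrsig_labels >= len(labels):
        return None
    return "*." + ".".join(labels[len(labels) - rrsig_labels:]) + "."


def nsec_covers(qname: str, owner: str, next_name: str) -> bool:
    """True if NSEC owner->next proves qname does not exist: owner < qname < next,
    or qname > owner when this is the last NSEC and next wraps to the apex."""
    q, o, n = canonical_key(qname), canonical_key(owner), canonical_key(next_name)
    if q == o:
        return False  # an NSEC owned by qname proves existence, not absence
    if n <= o:  # wrap-around at the end of the zone
        return q > o
    return o < q < n


def check_wildcard_answer(qname: str, rrsig_labels: int, nsecs):
    """Return (wildcard, proof_ok). A wildcard answer is only valid when some
    NSEC in the authority section covers the exact qname (RFC 4035 5.3.4)."""
    wildcard = wildcard_source(qname, rrsig_labels)
    if wildcard is None:
        return None, True  # exact-match answer: no non-existence proof needed
    return wildcard, any(nsec_covers(qname, o, n) for o, n in nsecs)


# Constructed authority section: NSEC chaining *.komma.dev -> www.komma.dev.
GOOD_NSECS = [("*.komma.dev.", "www.komma.dev.")]
# Constructed faulty response: the NSEC present does not cover eleo.komma.dev,
# so a validator must treat the answer as bogus (SERVFAIL).
BAD_NSECS = [("komma.dev.", "*.komma.dev.")]

if __name__ == "__main__":
    print(check_wildcard_answer("eleo.komma.dev.", 2, GOOD_NSECS))  # ('*.komma.dev.', True)
    print(check_wildcard_answer("eleo.komma.dev.", 2, BAD_NSECS))   # ('*.komma.dev.', False)
```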


I need this setup due to automatic development site creation. So I removed the DNSSEC signing on the DNS server and on the domain name. Let's see tomorrow if renewal works again. Will update this post tomorrow!

Unboundtest seems to be happy now: https://unboundtest.com/m/A/eleo.komma.dev/SBIJFJ6C

Indeed, renewal succeeded. So it was a DNSSEC issue...

Thx guys!

Which is odd, as two independent sites did not find any issue. Glad it's working now though. Perhaps if you'd add DNSSEC again, hopefully it'll keep working!

