Certificate renewal fail: HTTP-01 using DNS wildcard


We use win-acme version using https://acme-v02.api.letsencrypt.org/. Site on IIS already has active SSL for https://eleo.komma.dev. We have a wildcard DNS A-record to this webserver. When renewal is ran we see:

2021-05-31 09:00:02.169 +02:00 [INF] Renewing certificate for [IIS] eleo.komma.dev, (any host)
2021-05-31 09:00:03.662 +02:00 [INF] [eleo.komma.dev] Authorizing...
2021-05-31 09:00:03.663 +02:00 [INF] [eleo.komma.dev] Authorizing using http-01 validation (SelfHosting)
2021-05-31 09:00:09.078 +02:00 [ERR] [eleo.komma.dev] Authorization result: invalid
2021-05-31 09:00:09.082 +02:00 [ERR] [eleo.komma.dev] {
"type": "urn:ietf:params:acme:error:dns",
"detail": "No valid IP addresses found for eleo.komma.dev",
"status": 400
2021-05-31 09:00:09.107 +02:00 [ERR] Renewal for [IIS] eleo.komma.dev, (any host) failed, will retry on next run

But there is a valid A-record as it is a wilcard A record. I even could install the certificate on the website so it should work?

It's quite strange.. Let's Encrypt uses the DNS resolver unbound, so a crewmember of LE has set up unboundtest.com to debug resolver issues by matching the LE production servers unbound-configuration pretty well. It fails with the message "message contains bad rrsets" (https://unboundtest.com/m/A/eleo.komma.dev/QSKJHADJ) However, I don't understand why. Many times SERVFAIL errors are due to DNSSEC problems, but two independent sites report no DNSSEC issues (eleo.komma.dev | DNSViz and DNSSEC Analyzer - eleo.komma.dev).

Maybe someone else has a great idea?

1 Like

That DNSViz has a line of "NSEC proving non-existence of eleo.komma.dev/A", which makes me think that DNSSEC simultaneously thinks eleo. doesn't exist even though it also knows *. does exist? Wildcard DNS along with a non-wildcard certificate seems like a weird use case, anyhow, though I don't know why it wouldn't work. Is there some reason you're going about what you're doing this way, and maybe there's a better one that your DNS server will like better? I really need to dive deep and learn the intricacies of how DNSSEC works at some point, so I'm not sure I'm being all that helpful, but it sounds like there's something in your setup which is misconfigured (or your DNS server has some kind of bug when dealing with wildcard records?).

Depending on what kind of interface your DNS provider gives you, can you maybe disable DNSSEC and re-enable it, or have them re-sign your zone, or something like that? Or maybe add an explicit eleo. record, even if you're going to have a wildcard result for some other names?

That's a common (even expected?) result for wildcard DNS. I can confirm a similar result with one of my own domains and I don't have any trouble getting LE certs at that zone.

1 Like

I need this setup due to automatic development site creation. So i removed the DNSSEC signing on DNS sevrer and on the domainname. Let's see tomorrow if renewal works again. Will update this post tomorrow!

Unboundtest seems to be happy now: https://unboundtest.com/m/A/eleo.komma.dev/SBIJFJ6C

Indeed, renewal succeeded. So it was a DNSSEC issue..

Thx guys!

Which is odd, as two independent sites did not find any issue. Glad it's working now though. Perhaps if you'd add DNSSEC again, hopefully it'll keep working!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.