Dns-01 use cached reply from own letsencrypt ns

Help
#1

My domain is: starline.ru

I ran this command: dehydrated -c

It produced this output:

    # dehydrated -c
    # INFO: Using main config file /etc/dehydrated/config
    Processing *.starline.ru
    Unknown hook 
     + Signing domains...
     + Generating private key...
     + Generating signing request...
     + Requesting new certificate order from CA...
     + Received 1 authorizations URLs from the CA
     + Handling authorization for starline.ru
     + 1 pending challenge(s)
     + Deploying challenge tokens...
    deploy_challenge: deploy_challenge
    deploy_challenge: starline.ru
    deploy_challenge: qaaRC3ntFSPRZTIATXV34ws03WkbR2anG6KakDc3h58
    deploy_challenge: iAyiNX-npIVn9wdFy8I1L09fqNHJUWrDhHdsrFHvd6k
    /etc/bind/zones/starline.ru:8: using RFC1035 TTL semantics
    zone starline.ru/IN: loaded serial 2020053021
    OK
     + Responding to challenge for starline.ru authorization...
    Unknown hook "invalid_challenge"
     + Cleaning challenge tokens...
    clean_challenge: clean_challenge
    clean_challenge: starline.ru
    clean_challenge: qaaRC3ntFSPRZTIATXV34ws03WkbR2anG6KakDc3h58
    clean_challenge: iAyiNX-npIVn9wdFy8I1L09fqNHJUWrDhHdsrFHvd6k
    /etc/bind/zones/starline.ru:8: using RFC1035 TTL semantics
    zone starline.ru/IN: loaded serial 2020053021
    OK
     + Challenge validation has failed :(
    ERROR: Challenge is invalid! (returned: invalid) (result: {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"8fEexLsOf5dT6GJ3_RDsgeg5auOfIe9quW4QWqgP9Hw\" found at _acme-challenge.starline.ru",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4913816243/5oW-5w",
      "token": "qaaRC3ntFSPRZTIATXV34ws03WkbR2anG6KakDc3h58"
    })
    exit_hook: exit_hook
    exit_hook: Challenge
    exit_hook: is
    exit_hook: invalid!
    exit_hook: (returned:
    exit_hook: invalid)
    exit_hook: (result:
    exit_hook: {
    exit_hook: "type":
    exit_hook: "dns-01",
    exit_hook: "status":
    exit_hook: "invalid",
    exit_hook: "error":
    exit_hook: {
    exit_hook: "type":
    exit_hook: "urn:ietf:params:acme:error:unauthorized",
    exit_hook: "detail":
    exit_hook: "Incorrect
    exit_hook: TXT
    exit_hook: record
    exit_hook: \"8fEexLsOf5dT6GJ3_RDsgeg5auOfIe9quW4QWqgP9Hw\"
    exit_hook: found
    exit_hook: at
    exit_hook: _acme-challenge.starline.ru",
    exit_hook: "status":
    exit_hook: 403
    exit_hook: },
    exit_hook: "url":
    exit_hook: "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4913816243/5oW-5w",
    exit_hook: "token":
    exit_hook: "qaaRC3ntFSPRZTIATXV34ws03WkbR2anG6KakDc3h58"
    exit_hook: })

Record 8fEexLsOf5dT6GJ3_RDsgeg5auOfIe9quW4QWqgP9Hw is old, TTL is only 1 minute, but letsencrypt use it after hour later. This is repeatable case and this does not allow get a certificate - letsencrypt every challenge use previous record instead current.

1 Like
#2

Hi @rnz

your name servers are buggy - https://check-your-website.server-daten.de/?q=starline.ru

No TCP-connections:

X Fatal error: Nameserver doesn’t support TCP connection: ns2.ultrastar.ru / 87.248.231.171: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns3.ultrastar.ru / 80.73.202.138: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns3.ultrastar.ru / 87.248.244.66: Timeout

Timeouts checking Echo capitalization and EDNS512:

X Nameserver Timeout checking Echo Capitalization: ns2.ultrastar.ru / 87.248.231.171
X Nameserver Timeout checking Echo Capitalization: ns3.ultrastar.ru / 80.73.202.138
X Nameserver Timeout checking Echo Capitalization: ns3.ultrastar.ru / 87.248.244.66
X Nameserver Timeout checking EDNS512: ns2.ultrastar.ru / 87.248.231.171
X Nameserver Timeout checking EDNS512: ns3.ultrastar.ru / 80.73.202.138
X Nameserver Timeout checking EDNS512: ns3.ultrastar.ru / 87.248.244.66

Same with Unboundtest - there is a complete timeout - https://unboundtest.com/m/TXT/_acme-challenge.starline.ru/SCC7AU2V

Letsencrypt uses an unbound with the same configuration, so that’s critical.

Curious: Your error says: No timeout, instead the old value.

PS: You have a lot of name servers. The ultrastars are bad, the others are good.

Perhaps change your dns setup, so ultrastars isn’t used.

1 Like
#3

Unbound result was too long. Second:

Summary

Query results for TXT _acme-challenge.starline.ru
----- Unbound logs -----
May 30 18:32:34 unbound[3687:0] notice: init module 0: validator
May 30 18:32:34 unbound[3687:0] notice: init module 1: iterator
May 30 18:32:34 unbound[3687:0] info: start of service (unbound 1.10.1).
May 30 18:32:35 unbound[3687:0] info: 127.0.0.1 _acme-challenge.starline.ru. TXT IN
May 30 18:32:35 unbound[3687:0] info: resolving _acme-challenge.starline.ru. TXT IN
May 30 18:32:35 unbound[3687:0] info: priming . IN NS
May 30 18:32:35 unbound[3687:0] info: response for . NS IN
May 30 18:32:35 unbound[3687:0] info: reply from <.> 193.0.14.129#53
May 30 18:32:35 unbound[3687:0] info: query response was ANSWER
May 30 18:32:35 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:35 unbound[3687:0] info: response for _acme-challenge.starline.ru. TXT IN
May 30 18:32:35 unbound[3687:0] info: reply from <.> 2001:503:c27::2:30#53
May 30 18:32:35 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:35 unbound[3687:0] info: resolving d.dns.ripn.net. AAAA IN
May 30 18:32:35 unbound[3687:0] info: resolving e.dns.ripn.net. AAAA IN
May 30 18:32:35 unbound[3687:0] info: resolving e.dns.ripn.net. A IN
May 30 18:32:35 unbound[3687:0] info: resolving f.dns.ripn.net. A IN
May 30 18:32:35 unbound[3687:0] info: resolving f.dns.ripn.net. AAAA IN
May 30 18:32:35 unbound[3687:0] info: resolving d.dns.ripn.net. A IN
May 30 18:32:35 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:35 unbound[3687:0] info: reply from <.> 2001:500:a8::e#53
May 30 18:32:35 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:35 unbound[3687:0] info: response for d.dns.ripn.net. A IN
May 30 18:32:35 unbound[3687:0] info: reply from <.> 2001:503:c27::2:30#53
May 30 18:32:35 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:35 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:35 unbound[3687:0] info: reply from <.> 2001:dc3::35#53
May 30 18:32:35 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:35 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:35 unbound[3687:0] info: reply from <net.> 2001:500:d937::30#53
May 30 18:32:35 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:35 unbound[3687:0] info: resolving b.dns.ripn.net. AAAA IN
May 30 18:32:35 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:35 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:35 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:35 unbound[3687:0] info: response for f.dns.ripn.net. A IN
May 30 18:32:35 unbound[3687:0] info: reply from <.> 199.7.83.42#53
May 30 18:32:35 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <net.> 192.31.80.30#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for d.dns.ripn.net. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <net.> 192.5.6.30#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: resolving a.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:36 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:36 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:36 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <.> 2001:500:200::b#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <.> 2001:7fd::1#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 2001:678:17:0:193:232:128:6#53
May 30 18:32:36 unbound[3687:0] info: query response was ANSWER
May 30 18:32:36 unbound[3687:0] info: response for f.dns.ripn.net. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <net.> 2001:502:7094::30#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:36 unbound[3687:0] info: query response was ANSWER
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <net.> 192.54.112.30#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <net.> 2001:502:8cc::30#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 2001:678:15:0:193:232:142:17#53
May 30 18:32:36 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:36 unbound[3687:0] info: response for _acme-challenge.starline.ru. TXT IN
May 30 18:32:36 unbound[3687:0] info: reply from <ru.> 193.232.128.6#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: resolving ns2.ultrastar.ru. AAAA IN
May 30 18:32:36 unbound[3687:0] info: priming . IN NS
May 30 18:32:36 unbound[3687:0] info: resolving ns.ultrastar.ru. AAAA IN
May 30 18:32:36 unbound[3687:0] info: priming . IN NS
May 30 18:32:36 unbound[3687:0] info: resolving ns4-l2.nic.ru. A IN
May 30 18:32:36 unbound[3687:0] info: priming . IN NS
May 30 18:32:36 unbound[3687:0] info: resolving ns4-l2.nic.ru. AAAA IN
May 30 18:32:36 unbound[3687:0] info: priming . IN NS
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 193.232.156.17#53
May 30 18:32:36 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:36 unbound[3687:0] info: response for . NS IN
May 30 18:32:36 unbound[3687:0] info: reply from <.> 199.7.91.13#53
May 30 18:32:36 unbound[3687:0] info: query response was ANSWER
May 30 18:32:36 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:36 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:36 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:36 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:36 unbound[3687:0] info: response for ns4-l2.nic.ru. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <.> 192.203.230.10#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for ns4-l2.nic.ru. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <.> 192.58.128.30#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for ns2.ultrastar.ru. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <.> 2001:500:12::d0d#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for ns.ultrastar.ru. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <.> 2001:500:12::d0d#53
May 30 18:32:36 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:36 unbound[3687:0] info: response for _acme-challenge.starline.ru. TXT IN
May 30 18:32:36 unbound[3687:0] info: reply from <starline.ru.> 2a01:3f1:862::53#53
May 30 18:32:36 unbound[3687:0] info: query response was NXDOMAIN ANSWER
May 30 18:32:36 unbound[3687:0] info: resolving ns8-l2.nic.ru. AAAA IN
May 30 18:32:36 unbound[3687:0] info: resolving ns3.ultrastar.ru. AAAA IN
May 30 18:32:36 unbound[3687:0] info: resolving _acme-challenge.starline.ru. A IN
May 30 18:32:36 unbound[3687:0] info: resolving ns8-l2.nic.ru. A IN
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 193.232.156.17#53
May 30 18:32:36 unbound[3687:0] info: query response was ANSWER
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 2001:678:16:0:194:85:252:62#53
May 30 18:32:36 unbound[3687:0] info: query response was ANSWER
May 30 18:32:36 unbound[3687:0] info: response for f.dns.ripn.net. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:36 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:36 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 2001:678:17:0:193:232:128:6#53
May 30 18:32:36 unbound[3687:0] info: query response was ANSWER
May 30 18:32:36 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:36 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:36 unbound[3687:0] info: response for d.dns.ripn.net. A IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:36 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:36 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:36 unbound[3687:0] info: query response was ANSWER
May 30 18:32:36 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:36 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:36 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for f.dns.ripn.net. A IN
May 30 18:32:37 unbound[3687:0] info: reply from <ripn.net.> 2001:678:16:0:194:85:252:62#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ripn.net.> 193.232.156.17#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for d.dns.ripn.net. A IN
May 30 18:32:37 unbound[3687:0] info: reply from <ripn.net.> 2001:678:15:0:193:232:142:17#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for ns4-l2.nic.ru. A IN
May 30 18:32:37 unbound[3687:0] info: reply from <ru.> 2001:678:16:0:194:85:252:62#53
May 30 18:32:37 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:37 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ripn.net.> 193.232.128.6#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for ns4-l2.nic.ru. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ru.> 193.232.128.6#53
May 30 18:32:37 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:37 unbound[3687:0] info: response for ns3.ultrastar.ru. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ru.> 193.232.156.17#53
May 30 18:32:37 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:37 unbound[3687:0] info: response for ns2.ultrastar.ru. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ru.> 193.232.128.6#53
May 30 18:32:37 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:37 unbound[3687:0] info: response for ns.ultrastar.ru. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ru.> 2001:678:18:0:194:190:124:17#53
May 30 18:32:37 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:37 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <ru.> 2001:678:17:0:193:232:128:6#53
May 30 18:32:37 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:37 unbound[3687:0] info: response for ns4-l2.nic.ru. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:e800:9000:31:177:67:100#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for ns4-l2.nic.ru. A IN
May 30 18:32:37 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:e800:9000:31:177:67:100#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: response for ns4-l2.nic.ru. AAAA IN
May 30 18:32:37 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:e800:9000:31:177:67:100#53
May 30 18:32:37 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:37 unbound[3687:0] info: response for _acme-challenge.starline.ru. A IN
May 30 18:32:37 unbound[3687:0] info: reply from <starline.ru.> 194.58.196.62#53
May 30 18:32:37 unbound[3687:0] info: query response was NXDOMAIN ANSWER
May 30 18:32:37 unbound[3687:0] info: response for _acme-challenge.starline.ru. A IN
May 30 18:32:37 unbound[3687:0] info: reply from <starline.ru.> 185.42.137.111#53
May 30 18:32:37 unbound[3687:0] info: query response was NXDOMAIN ANSWER
May 30 18:32:37 unbound[3687:0] info: prime trust anchor
May 30 18:32:37 unbound[3687:0] info: generate keytag query _ta-4f66. NULL IN
May 30 18:32:37 unbound[3687:0] info: resolving . DNSKEY IN
May 30 18:32:37 unbound[3687:0] info: priming . IN NS
May 30 18:32:37 unbound[3687:0] info: resolving _ta-4f66. NULL IN
May 30 18:32:37 unbound[3687:0] info: priming . IN NS
May 30 18:32:37 unbound[3687:0] info: response for . NS IN
May 30 18:32:37 unbound[3687:0] info: reply from <.> 2001:503:ba3e::2:30#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:37 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:37 unbound[3687:0] info: response for . DNSKEY IN
May 30 18:32:37 unbound[3687:0] info: reply from <.> 192.58.128.30#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: validate keys with anchor(DS): sec_status_secure
May 30 18:32:37 unbound[3687:0] info: Successfully primed trust anchor . DNSKEY IN
May 30 18:32:37 unbound[3687:0] info: resolving ru. DS IN
May 30 18:32:37 unbound[3687:0] info: response for _ta-4f66. NULL IN
May 30 18:32:37 unbound[3687:0] info: reply from <.> 2001:500:2f::f#53
May 30 18:32:37 unbound[3687:0] info: query response was NXDOMAIN ANSWER
May 30 18:32:37 unbound[3687:0] info: response for ru. DS IN
May 30 18:32:37 unbound[3687:0] info: reply from <.> 2001:500:2f::f#53
May 30 18:32:37 unbound[3687:0] info: query response was ANSWER
May 30 18:32:37 unbound[3687:0] info: validated DS ru. DS IN
May 30 18:32:37 unbound[3687:0] info: resolving ru. DNSKEY IN
May 30 18:32:37 unbound[3687:0] info: response for ru. DNSKEY IN
May 30 18:32:37 unbound[3687:0] info: reply from <.> 2001:7fe::53#53
May 30 18:32:37 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:37 unbound[3687:0] info: response for ns8-l2.nic.ru. A IN
May 30 18:32:37 unbound[3687:0] info: reply from <ru.> 193.232.156.17#53
May 30 18:32:37 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:38 unbound[3687:0] info: response for ns8-l2.nic.ru. A IN
May 30 18:32:38 unbound[3687:0] info: reply from <nic.ru.> 185.42.137.111#53
May 30 18:32:38 unbound[3687:0] info: query response was ANSWER
May 30 18:32:38 unbound[3687:0] info: response for ru. DNSKEY IN
May 30 18:32:38 unbound[3687:0] info: reply from <ru.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:38 unbound[3687:0] info: query response was ANSWER
May 30 18:32:38 unbound[3687:0] info: Capsforid: timeouts, starting fallback
May 30 18:32:39 unbound[3687:0] info: response for ru. DNSKEY IN
May 30 18:32:39 unbound[3687:0] info: reply from <ru.> 193.232.128.6#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: validated DNSKEY ru. DNSKEY IN
May 30 18:32:39 unbound[3687:0] info: resolving starline.ru. DS IN
May 30 18:32:39 unbound[3687:0] info: priming . IN NS
May 30 18:32:39 unbound[3687:0] info: response for . NS IN
May 30 18:32:39 unbound[3687:0] info: reply from <.> 2001:dc3::35#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:39 unbound[3687:0] info: response for starline.ru. DS IN
May 30 18:32:39 unbound[3687:0] info: reply from <.> 199.9.14.201#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: resolving d.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: resolving b.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: resolving f.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: resolving f.dns.ripn.net. A IN
May 30 18:32:39 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <.> 192.5.5.241#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <.> 2001:503:c27::2:30#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <net.> 192.52.178.30#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: resolving a.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <.> 192.33.4.12#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. A IN
May 30 18:32:39 unbound[3687:0] info: reply from <.> 198.97.190.53#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <net.> 192.26.92.30#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <net.> 192.5.6.30#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 2001:678:15:0:193:232:142:17#53
May 30 18:32:39 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:39 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 2001:678:15:0:193:232:142:17#53
May 30 18:32:39 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:39 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 193.232.128.6#53
May 30 18:32:39 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. A IN
May 30 18:32:39 unbound[3687:0] info: reply from <net.> 2001:502:8cc::30#53
May 30 18:32:39 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. A IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:39 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:39 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 2001:678:15:0:193:232:142:17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: response for f.dns.ripn.net. A IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:39 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:39 unbound[3687:0] info: query response was ANSWER
May 30 18:32:39 unbound[3687:0] info: Capsforid: timeouts, starting fallback
May 30 18:32:40 unbound[3687:0] info: Capsforid: timeouts, starting fallback
May 30 18:32:40 unbound[3687:0] info: Capsforid: timeouts, starting fallback
May 30 18:32:40 unbound[3687:0] info: Capsforid: timeouts, starting fallback
May 30 18:32:40 unbound[3687:0] info: resolving a.dns.ripn.net. AAAA IN
May 30 18:32:40 unbound[3687:0] info: priming . IN NS
May 30 18:32:40 unbound[3687:0] info: resolving e.dns.ripn.net. A IN
May 30 18:32:40 unbound[3687:0] info: priming . IN NS
May 30 18:32:40 unbound[3687:0] info: resolving e.dns.ripn.net. AAAA IN
May 30 18:32:40 unbound[3687:0] info: priming . IN NS
May 30 18:32:40 unbound[3687:0] info: response for . NS IN
May 30 18:32:40 unbound[3687:0] info: reply from <.> 192.33.4.12#53
May 30 18:32:40 unbound[3687:0] info: query response was ANSWER
May 30 18:32:40 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:40 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:40 unbound[3687:0] info: priming successful for . NS IN
May 30 18:32:40 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:40 unbound[3687:0] info: reply from <.> 2001:500:2d::d#53
May 30 18:32:40 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:40 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:40 unbound[3687:0] info: reply from <.> 2001:dc3::35#53
May 30 18:32:40 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:40 unbound[3687:0] info: response for e.dns.ripn.net. A IN
May 30 18:32:40 unbound[3687:0] info: reply from <.> 199.9.14.201#53
May 30 18:32:40 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:40 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:40 unbound[3687:0] info: reply from <net.> 192.26.92.30#53
May 30 18:32:40 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:40 unbound[3687:0] info: resolving d.dns.ripn.net. AAAA IN
May 30 18:32:40 unbound[3687:0] info: resolving b.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <net.> 192.35.51.30#53
May 30 18:32:41 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:41 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:41 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:41 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:41 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:41 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for b.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for d.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for a.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 2001:678:14:0:193:232:156:17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:ec00:9040:31:177:74:100#53
May 30 18:32:41 unbound[3687:0] info: Capsforid: starting fallback
May 30 18:32:41 unbound[3687:0] info: response for e.dns.ripn.net. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for starline.ru. DS IN
May 30 18:32:41 unbound[3687:0] info: reply from <ru.> 2001:678:18:0:194:190:124:17#53
May 30 18:32:41 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:41 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:ec00:9040:31:177:74:100#53
May 30 18:32:41 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:41 unbound[3687:0] info: response for e.dns.ripn.net. A IN
May 30 18:32:41 unbound[3687:0] info: reply from <net.> 2001:503:231d::2:30#53
May 30 18:32:41 unbound[3687:0] info: query response was REFERRAL
May 30 18:32:41 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <nic.ru.> 2a01:3f1:862::53#53
May 30 18:32:41 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:41 unbound[3687:0] info: response for e.dns.ripn.net. A IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 193.232.142.17#53
May 30 18:32:41 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:41 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:41 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:e800:9000:31:177:67:100#53
May 30 18:32:41 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:41 unbound[3687:0] info: response for e.dns.ripn.net. A IN
May 30 18:32:41 unbound[3687:0] info: reply from <ripn.net.> 2001:678:18:0:194:190:124:17#53
May 30 18:32:41 unbound[3687:0] info: query response was ANSWER
May 30 18:32:41 unbound[3687:0] info: response for starline.ru. DS IN
May 30 18:32:41 unbound[3687:0] info: reply from <ru.> 193.232.156.17#53
May 30 18:32:41 unbound[3687:0] info: query response was nodata ANSWER
May 30 18:32:41 unbound[3687:0] info: NSEC3s for the referral proved no DS.
May 30 18:32:41 unbound[3687:0] info: Verified that unsigned response is INSECURE
May 30 18:32:43 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:43 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:e800:9000:31:177:67:100#53
May 30 18:32:43 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:43 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:43 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:e400:7000:31:177:85:186#53
May 30 18:32:43 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:43 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:43 unbound[3687:0] info: reply from <nic.ru.> 2a01:3f0:400::62#53
May 30 18:32:43 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:44 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:44 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:ec00:9040:31:177:74:100#53
May 30 18:32:44 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:44 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:44 unbound[3687:0] info: reply from <nic.ru.> 194.58.196.62#53
May 30 18:32:44 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:44 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:44 unbound[3687:0] info: reply from <nic.ru.> 2a01:3f1:862::53#53
May 30 18:32:44 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:44 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:44 unbound[3687:0] info: reply from <nic.ru.> 2a02:2090:e400:7000:31:177:85:186#53
May 30 18:32:44 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback
May 30 18:32:44 unbound[3687:0] info: response for ns8-l2.nic.ru. AAAA IN
May 30 18:32:44 unbound[3687:0] info: reply from <nic.ru.> 2a01:3f1:862::53#53
May 30 18:32:44 unbound[3687:0] info: Capsforid: reply is equal. go to next fallback

Error running query: read udp 127.0.0.1:51636->127.0.0.1:1053: i/o timeout

1 Like
#4

Thank you! This ns have very old and overmisconfigured configuration…

1 Like
#5

I fix this timeout, but steel see same status - letsencrypt use cached status and not get current _acme record:

# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Unknown hook "startup_hook"
Processing *.starline.ru
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for starline.ru
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge: deploy_challenge
deploy_challenge: starline.ru
deploy_challenge: kVBNg8AS1kPTWq41v3ObymhyJz2uhuVV0eSkrv54n2c
deploy_challenge: WkHHXgrYDRJYe5Y0EjbolrXQ4KCFjRPooCsr9dxw714
/etc/bind/zones/starline.ru:8: using RFC1035 TTL semantics
zone starline.ru/IN: loaded serial 2020053022
OK
 + Responding to challenge for starline.ru authorization...
Unknown hook "invalid_challenge"
 + Cleaning challenge tokens...
clean_challenge: clean_challenge
clean_challenge: starline.ru
clean_challenge: kVBNg8AS1kPTWq41v3ObymhyJz2uhuVV0eSkrv54n2c
clean_challenge: WkHHXgrYDRJYe5Y0EjbolrXQ4KCFjRPooCsr9dxw714
/etc/bind/zones/starline.ru:8: using RFC1035 TTL semantics
zone starline.ru/IN: loaded serial 2020053022
OK
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.starline.ru - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4914972807/19UHtA",
  "token": "kVBNg8AS1kPTWq41v3ObymhyJz2uhuVV0eSkrv54n2c"
})
exit_hook: exit_hook
exit_hook: Challenge
exit_hook: is
exit_hook: invalid!
exit_hook: (returned:
exit_hook: invalid)
exit_hook: (result:
exit_hook: {
exit_hook: "type":
exit_hook: "dns-01",
exit_hook: "status":
exit_hook: "invalid",
exit_hook: "error":
exit_hook: {
exit_hook: "type":
exit_hook: "urn:ietf:params:acme:error:dns",
exit_hook: "detail":
exit_hook: "DNS
exit_hook: problem:
exit_hook: NXDOMAIN
exit_hook: looking
exit_hook: up
exit_hook: TXT
exit_hook: for
exit_hook: _acme-challenge.starline.ru
exit_hook: -
exit_hook: check
exit_hook: that
exit_hook: a
exit_hook: DNS
exit_hook: record
exit_hook: exists
exit_hook: for
exit_hook: this
exit_hook: domain",
exit_hook: "status":
exit_hook: 400
exit_hook: },
exit_hook: "url":
exit_hook: "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4914972807/19UHtA",
exit_hook: "token":
exit_hook: "kVBNg8AS1kPTWq41v3ObymhyJz2uhuVV0eSkrv54n2c"
exit_hook: })
1 Like
#6

https://www.whatsmydns.net/#TXT/_acme-challenge.starline.ru

most dns servers can’t see (but some can) your txt record

#7

In my hook, i remove _acme-challenge record before and after challenge:

...
case "$1" in
    "deploy_challenge")
        for a in $@; do echo "${1}: ${a}"; done

        sed -i.bak "s/.*; serial/$(printf '%.0s ' {0..13}) $(date +%Y%m%d%H) ; serial/g" $ZFILE
        sed -i "/^_acme-challenge .*/d" $ZFILE
        echo "_acme-challenge ${TTL} IN TXT \"${4}\"" >> $ZFILE

        $CHECKZONE $ZONE $ZFILE
        if [ $? -ne 0 ]; then
          echo 'Error'
          exit
        fi

        $SYSTEMCTL reload bind9.service
        sleep 10;
        ;;

    "clean_challenge")
        for a in $@; do echo "${1}: ${a}"; done

        sed -i "s/.*; serial/$(printf '%.0s ' {0..13}) $(date +%Y%m%d%H) ; serial/g" $ZFILE
        sed -i "/^_acme-challenge .*${4}/d" $ZFILE

        $CHECKZONE $ZONE $ZFILE
        if [ $? -ne 0 ]; then
          echo 'Error'
          exit
        fi

        $SYSTEMCTL reload bind9.service
        ;;
...

Also this record “lDJiRgdkykehHDcNpP00VRWekURF5fj3Ry1HLkdL-cY” is old (3 times ago before I post this) but some ns-servers still show it

#8

Checking your ip addresses manual

ns8-l2.nic.ru has the old value:

:~$ dig TXT _acme-challenge.starline.ru. @91.217.21.1

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> TXT _acme-challenge.starline.ru. @91.217.21.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9205
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.starline.ru. IN TXT

;; ANSWER SECTION:
acme-challenge.starline.ru. 60 IN TXT "iTW56-Etrv3MrqjwHZgReswRqrIh_3rYpsuIMz636I"

;; AUTHORITY SECTION:
starline.ru. 3600 IN NS ns8-l2.nic.ru.
starline.ru. 3600 IN NS ns3.ultrastar.ru.
starline.ru. 3600 IN NS ns.ultrastar.ru.
starline.ru. 3600 IN NS ns4-cloud.nic.ru.
starline.ru. 3600 IN NS ns2.ultrastar.ru.
starline.ru. 3600 IN NS ns4-l2.nic.ru.
starline.ru. 3600 IN NS ns8-cloud.nic.ru.

;; Query time: 60 msec
;; SERVER: 91.217.21.1#53(91.217.21.1)
;; WHEN: Sun May 31 00:25:56 CEST 2020
;; MSG SIZE rcvd: 269

Looks like your name server updates don’t work.

And both T-adresses (87.248.236.18, 80.73.202.138) don’t answer again.

1 Like
#9

I do not think so.

$ dig TXT starline.ru. @ns3.ultrastar.ru.

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> TXT starline.ru. @ns3.ultrastar.ru.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39728
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;starline.ru.			IN	TXT

;; ANSWER SECTION:
starline.ru.		3600	IN	TXT	"v=spf1 a mx ip4:185.129.96.76 ip4:185.129.96.77 include:smtp.userecho.com ~all"
starline.ru.		3600	IN	TXT	"yandex-verification: 26c3108f3d61e2cc"

;; AUTHORITY SECTION:
starline.ru.		3600	IN	NS	ns4-l2.nic.ru.
starline.ru.		3600	IN	NS	ns.ultrastar.ru.
starline.ru.		3600	IN	NS	ns4-cloud.nic.ru.
starline.ru.		3600	IN	NS	ns2.ultrastar.ru.
starline.ru.		3600	IN	NS	ns3.ultrastar.ru.
starline.ru.		3600	IN	NS	ns8-l2.nic.ru.
starline.ru.		3600	IN	NS	ns8-cloud.nic.ru.

;; ADDITIONAL SECTION:
ns.ultrastar.ru.	86400	IN	A	185.129.96.4
ns2.ultrastar.ru.	86400	IN	A	185.129.96.4
ns3.ultrastar.ru.	86400	IN	A	185.129.96.4
ns4-cloud.NIC.ru.	5093	IN	A	185.42.137.111

;; Query time: 39 msec
;; SERVER: 185.129.96.4#53(185.129.96.4)
;; WHEN: Sat May 30 23:31:59 UTC 2020
;; MSG SIZE  rcvd: 416

$ dig TXT starline.ru. @ns8-l2.nic.ru.

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> TXT starline.ru. @ns8-l2.nic.ru.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20669
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;starline.ru.			IN	TXT

;; ANSWER SECTION:
starline.ru.		3600	IN	TXT	"yandex-verification: 26c3108f3d61e2cc"
starline.ru.		3600	IN	TXT	"v=spf1 a mx ip4:185.129.96.76 ip4:185.129.96.77 include:smtp.userecho.com ~all"

;; AUTHORITY SECTION:
starline.ru.		3600	IN	NS	ns4-l2.nic.ru.
starline.ru.		3600	IN	NS	ns8-cloud.nic.ru.
starline.ru.		3600	IN	NS	ns.ultrastar.ru.
starline.ru.		3600	IN	NS	ns3.ultrastar.ru.
starline.ru.		3600	IN	NS	ns2.ultrastar.ru.
starline.ru.		3600	IN	NS	ns4-cloud.nic.ru.
starline.ru.		3600	IN	NS	ns8-l2.nic.ru.

;; Query time: 65 msec
;; SERVER: 91.217.21.1#53(91.217.21.1)
;; WHEN: Sat May 30 23:34:27 UTC 2020
;; MSG SIZE  rcvd: 338

May be big TTL (86400 ) is affects…

But in this post you can see - as letsencrypt not get any one _acme-challenge record, despite the fact that record present on the first ns (ns.ultrastar.ru)

1 Like
#10

You have to query for _acme-challenge.starline.ru to get the ACME validation records.

Let’s Encrypt can query any of your authoritative nameservers, though.

1 Like
#11

I did - I see name server updates is worked
For example I skip “clean_challenge”:

# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Unknown hook "this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script"
Unknown hook "startup_hook"
Processing *.starline.ru
Unknown hook "this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script"
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for starline.ru
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge: deploy_challenge
deploy_challenge: starline.ru
deploy_challenge: q6ZUOKHlWFIyzN5nyKMDC5mO_jzrGCwNyLEU8bApbTI
deploy_challenge: h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI
/etc/bind/zones/starline.ru:8: using RFC1035 TTL semantics
zone starline.ru/IN: loaded serial 2020053102
OK
 + Responding to challenge for starline.ru authorization...
Unknown hook "invalid_challenge"
 + Cleaning challenge tokens...
clean_challenge: clean_challenge
clean_challenge: starline.ru
clean_challenge: q6ZUOKHlWFIyzN5nyKMDC5mO_jzrGCwNyLEU8bApbTI
clean_challenge: h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.starline.ru - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4919149486/QuWH_A",
  "token": "q6ZUOKHlWFIyzN5nyKMDC5mO_jzrGCwNyLEU8bApbTI"
})
exit_hook: exit_hook
exit_hook: Challenge
exit_hook: is
exit_hook: invalid!
exit_hook: (returned:
exit_hook: invalid)
exit_hook: (result:
exit_hook: {
exit_hook: "type":
exit_hook: "dns-01",
exit_hook: "status":
exit_hook: "invalid",
exit_hook: "error":
exit_hook: {
exit_hook: "type":
exit_hook: "urn:ietf:params:acme:error:dns",
exit_hook: "detail":
exit_hook: "DNS
exit_hook: problem:
exit_hook: NXDOMAIN
exit_hook: looking
exit_hook: up
exit_hook: TXT
exit_hook: for
exit_hook: _acme-challenge.starline.ru
exit_hook: -
exit_hook: check
exit_hook: that
exit_hook: a
exit_hook: DNS
exit_hook: record
exit_hook: exists
exit_hook: for
exit_hook: this
exit_hook: domain",
exit_hook: "status":
exit_hook: 400
exit_hook: },
exit_hook: "url":
exit_hook: "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4919149486/QuWH_A",
exit_hook: "token":
exit_hook: "q6ZUOKHlWFIyzN5nyKMDC5mO_jzrGCwNyLEU8bApbTI"
exit_hook: })

As can see - status “invalid”
But record is present on all authoritative ns:

$ cat ./check-challenge.sh
#!/usr/bin/env bash

nslist="ns8-l2.nic.ru.
ns3.ultrastar.ru.
ns.ultrastar.ru.
ns4-cloud.nic.ru.
ns2.ultrastar.ru.
ns4-l2.nic.ru.
ns8-cloud.nic.ru."

while (true); do
	echo "-- check _acme-challenge --"
	for ns in $nslist; do 
		echo -en "$ns:\t\t"
		dig +noall +answer -t TXT _acme-challenge.starline.ru @${ns}
	done
	sleep 5;
done	

$ ./check-challenge.sh
-- check _acme-challenge --
ns8-l2.nic.ru.:		_acme-challenge.starline.ru. 60	IN	TXT	"h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI"
ns3.ultrastar.ru.:		_acme-challenge.starline.ru. 60	IN	TXT	"h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI"
ns.ultrastar.ru.:		_acme-challenge.starline.ru. 60	IN	TXT	"h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI"
ns4-cloud.nic.ru.:		_acme-challenge.starline.ru. 60	IN	TXT	"h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI"
ns2.ultrastar.ru.:		_acme-challenge.starline.ru. 60	IN	TXT	"h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI"
ns4-l2.nic.ru.:		_acme-challenge.starline.ru. 60	IN	TXT	"h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI"
ns8-cloud.nic.ru.:		_acme-challenge.starline.ru. 60	IN	TXT	"h8mJSiCEuipttSCQMltOrZvCCnf2n9PC8TD6I-syFLI"
#12

I don’t know. My two best guesses are that:

  • Maybe some of the nameservers take a few seconds too long to update?

  • Maybe the ACME client’s logic is wrong and it’s reusing an invalid authorization instead of creating a new one?

1 Like
#13

Apparently it is https://paste.ubuntu.com/p/M8GXZznrt2/
Two servers have long TTL in fact

ns4-cloud.nic.ru.: _acme-challenge.starline.ru. 60	IN	TXT	"T-ApV85P_fUlbOLB6AgIEUucajA5eSn2Ultg82RifpE"
ns8-cloud.nic.ru.: _acme-challenge.starline.ru. 60	IN	TXT	"T-ApV85P_fUlbOLB6AgIEUucajA5eSn2Ultg82RifpE"
1 Like
#14

Let’s Encrypt’s recursive resolvers don’t follow the TTL. They only hold onto old records for a few minutes.

#15

If I have (now again)

:~$ dig TXT _acme-challenge.starline.ru. @87.247.236.18

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> TXT _acme-challenge.starline.ru. @87.247.236.18
;; global options: +cmd
;; connection timed out; no servers could be reached

it’s impossible to talk with that name server.

Not-answering name servers are always bad.

2 Likes
#16

All important issues with name servers fixed, wildcard certificate recieved and already deployed

Thanks comrades!

1 Like
#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.