DNS-01 validation getting "Incorrect TXT record v=spf1 …

I have set up an acme-dns server on my own server and am testing the acme-dns-client to use DNS-01 validation. After setting up the _acme-challenge CNAME record in the DNS settings

acme-dns-client check -d uniofilm.com

resulted in

Registered acme-dns account found!
CNAME record found and set up correctly!

So to test the DNS-01 validation I tried

certbot certonly --dry-run --manual --preferred-challenges dns --manual-auth-hook 'acme-dns-client' -d uniofilm.com

but this produces an error

Incorrect TXT record "v=spf1 a mx ip4:104.238.172.100 ip4:209.250.229.146 ip6:2001:19f0:7402:150:5400:ff:fe70:fb3b a:vezer..." found at _acme-challenge.uniofilm.com

This TXT record was set up for email purposes.

I am no expert on DNS records. Any help on how to sort this would be much appreciated.

1 Like

When requesting the TXT RR for _acme-challenge.uniofilm.com, your DNS server responds with ~~TWO~~ THREE (ignoring the NS RRs) results:

_acme-challenge.uniofilm.com. 86400 IN	CNAME	cd22553e-58fc-4cd8-84aa-d955e97b9f81.auth.vezer.uk.
cd22553e-58fc-4cd8-84aa-d955e97b9f81.auth.vezer.uk. 86400 IN CNAME vezer.uk.
vezer.uk.		86400	IN	TXT	"v=spf1 a mx ip4:104.238.172.100 ip4:209.250.229.146 ip6:2001:19f0:7402:150:5400:ff:fe70:fb3b a:vezer.uk include:_spf.google.com ~all"

That latter TXT RR shouldn't be there I'm guessing. It should only reply with the CNAME.

Waaait a minute, I missed the middle line. For some reason your first CNAME destination responds with a CNAME of its own, instead of the TXT RR. Weird? Does your DNS zone have catch alls?

3 Likes

Thanks for a swift response :)

No catch-alls - I guess you mean *.something

When I have time later, let me think your answer through (that middle line)

1 Like

I've had a chance to work out what is going on here with this middle line. There is a kind of catch-all in that the TXT RR is being served to any other CNAMEs defined in the DNS zone, but not to any random subdomains. For example:

www.uniofilm.com
ftp.uniofilm.com

and unfortunately

_acme-challenge.uniofilm.com

all pick up the same TXT record. Each is set up as a CNAME RR on the DNS server.

I'm not sure what the correct work-around would be. It is important to keep this TXT RR record for emails.

But not for the _acme-challenge label.

I don't know if or how, but you might want to fix some kind of exclusion for that label.

3 Likes

Sorted several problems now. I did have a catch-all at the domain hosting the acme-dns server, but now this is fixed.

I've checked that the DNS is reachable for auth.vezer.uk, which it is.

I now have a new problem. When running:

certbot certonly --dry-run --manual --preferred-challenges dns --manual-auth-hook 'acme-dns-client' -d uniofilm.com

I get the authorisation failure:

DNS problem: NXDOMAIN looking up TXT for _acme-challenge.uniofilm.com - check that a DNS record exists for this domain

But I thought that only a CNAME RR was needed. I'm confused by this error. I remember reading somewhere that acme-dns-client takes care of converting the look-up from TXT to CNAME, but I may be mistaken.

It has a CNAME to cd22553e-58fc-4cd8-84aa-d955e97b9f81.auth.vezer.uk, but cd22553e-58fc-4cd8-84aa-d955e97b9f81.auth.vezer.uk doesn't have any record, so it's expected.

4 Likes

Remember when setting up acme-dns as a delegated name server for a zone (auth) you need to tell DNS to look to that as a nameserver, otherwise it will use your main zone nameservers. So you need an NS record for auth.vezer.uk pointing to the IP of your acme-dns server, if you don't have that already.

1 Like

Thanks both @orangepizza and @webprofusion :)

This is either a propagation issue or DNS for vezer.uk is still not set up correctly.

When I look for the TXT RR, specifying the name server:

dig @104.238.172.100 -t txt cd22553e-58fc-4cd8-84aa-d955e97b9f81.auth.vezer.uk

I do get a response … even from a remote server:

;; ANSWER SECTION:
cd22553e-58fc-4cd8-84aa-d955e97b9f81.auth.vezer.uk. 1 IN TXT "IHEZJCh3R3VNhvYsyNB01htxvL3rJQKfPR3M8EMitew"
cd22553e-58fc-4cd8-84aa-d955e97b9f81.auth.vezer.uk. 1 IN TXT "EnaM3AC5fWzpzUiG30M71YB9e9NEW9GLYEE1i8XxITI"

The DNS zone for vezer.uk has these two records:

auth A 104.238.172.100
auth.vezer.uk NS auth.vezer.uk

though as I write I'm wondering whether the second record should be:

auth NS auth.vezer.uk

because for A and CNAME records at least the DNS server (freedns.centos-webpanel.com) adds .vezer.uk to the host. Let me try.

Yes, that was it! Everything now working as expected. Thanks to everyone for their help :)

2 Likes
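Added example (not from this thread or from the acme-dns project): a small in-memory resolver that chases CNAMEs the way a recursive resolver does, run over constructed zone data modelled on the records quoted above. It reproduces why the TXT lookup for _acme-challenge.uniofilm.com ended at the vezer.uk SPF record in the first post, shows the fixed chain, and shows how a panel that appends the zone name turns the owner "auth.vezer.uk" into the wrong name. The SPF text and the challenge token are abbreviated or constructed placeholders.

```python
MAX_CHAIN = 8  # guard against CNAME loops


def resolve(zone, name, rrtype):
    """Chase CNAMEs from `name` and return (chain, answers).

    `zone` maps an absolute owner name to a list of (rrtype, rdata) tuples.
    `chain` lists each (owner, target) CNAME hop taken; `answers` is the
    final RRset of `rrtype`, or [] when the chain ends in NODATA/NXDOMAIN.
    """
    chain, current = [], name
    for _ in range(MAX_CHAIN):
        rrs = zone.get(current, [])
        answers = [rdata for t, rdata in rrs if t == rrtype]
        if answers:
            return chain, answers
        cname = [rdata for t, rdata in rrs if t == "CNAME"]
        if not cname:
            return chain, []  # nothing of the requested type at the chain's end
        chain.append((current, cname[0]))
        current = cname[0]
    raise RuntimeError("CNAME chain too long")


def owner_name(label, zone_name):
    """Owner name as a hosting panel that appends the zone would store it.

    A trailing dot marks an absolute name and is left untouched.
    """
    return label if label.endswith(".") else f"{label}.{zone_name}."


ACME_HOST = "cd22553e-58fc-4cd8-84aa-d955e97b9f81.auth.vezer.uk."
SPF = "v=spf1 a mx include:_spf.google.com ~all"  # abbreviated (constructed)
TOKEN = "EnaM3AC5fWzpzUiG30M71YB9e9NEW9GLYEE1i8XxITI"

# Broken state from the first post: the acme-dns host is itself a CNAME to the apex,
# so the chase lands on the apex SPF TXT instead of a challenge token.
BROKEN = {
    "_acme-challenge.uniofilm.com.": [("CNAME", ACME_HOST)],
    ACME_HOST: [("CNAME", "vezer.uk.")],
    "vezer.uk.": [("TXT", SPF)],
}
# Fixed state: the acme-dns host answers the challenge TXT directly.
FIXED = {
    "_acme-challenge.uniofilm.com.": [("CNAME", ACME_HOST)],
    ACME_HOST: [("TXT", TOKEN)],
    "vezer.uk.": [("TXT", SPF)],
}

if __name__ == "__main__":
    for label, z in (("broken", BROKEN), ("fixed", FIXED)):
        chain, txt = resolve(z, "_acme-challenge.uniofilm.com.", "TXT")
        print(label, "->", " -> ".join(t for _, t in chain), txt)
    print(owner_name("auth.vezer.uk", "vezer.uk"))  # auth.vezer.uk.vezer.uk. (wrong)
    print(owner_name("auth", "vezer.uk"))  # auth.vezer.uk. (right)
```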

Perhaps you did a wildcard *. DNS CNAME or TXT resolution. Try to exclude _acme-challenge.

2 Likes