DNS Based Renewal Failing for insect.com

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: insect.com, bellcowhvac.com, bellcowservices.com, bugs.net, exterminate.com, mscinc.com, mscpest.com, terminix.net, *.bellcowhvac.com, *.bellcowservices.com, *.bugs.net, *.cellmgmt.bugs.net, *.devtest.bugs.net, *.exterminate.com, *.insect.com, *.msc52.bugs.net, *.msc.bugs.net, *.mscinc.com, *.mscpest.com, *.phone.bugs.net, *.tc.bugs.net, *.tc.insect.com, *.terminix.net

I ran this command: /root/.acme.sh/acme.sh --cron --home /root/.acme.sh

It produced this output:
[Thu Jan 18 08:04:23 EST 2024] insect.com:Verify error:No TXT record found at _acme-challenge.insect.com

I was able to use dnssleep to give myself time to validate that the command:
host -t txt _acme-challenge.insect.com 1.1.1.1
returned valid records. I also tested with 8.8.8.8 and 8.8.4.4 and my own DNS servers. All of them return a block of valid records.

My web server is (include version): N/A (DNS)

The operating system my web server runs on is (include version): CentOS Linux 7 (Core)

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v2.8.8

2

Hi @jjschwarz, and welcome to the LE community forum :slight_smile:

I'd start by updating that to their latest version.

If you have too many TXT records, that could be cause for problems.
Please review them and delete any unused records.

2 Likes
3

I updated to v3.0.8 (which is the latest version) and the same result.

1 Like
4

I have been renewing this fine since October 2020 with the same domains. The last renewal in 19 November 2023 was identical as well and we have not updated anything on our DNS servers since that date. We should be producing the same number of records. The output of the "host -t txt _acme-challenge.insect.com" command during the pause period gave back:

_acme-challenge.acme.insect.com descriptive text "-i9dfJzJP6Dy-5GeqNqKy4V6XyC27-FsBGTjcjUXjmg"
_acme-challenge.acme.insect.com descriptive text "DmLRBNt8uSShJELT28tG0BRVcBaJ6JgM6A-7n1vxrF8"
_acme-challenge.acme.insect.com descriptive text "h2_FHdhjjz4NfIW9Zz8cQUenwUNvRUEQujyhNwH1O2s"
_acme-challenge.acme.insect.com descriptive text "fDQOIxWV-k2JT3EHTSE3Q4qNqjOepEt9KPbPl5-413U"
_acme-challenge.acme.insect.com descriptive text "eVowIUmeckkI08priOhga6lLc2jjNpG3hDXR3CIqmnI"
_acme-challenge.acme.insect.com descriptive text "UpsskWHCfrMhzncuVih-xczVYaoEwnETxvff6WiMU6w"
_acme-challenge.acme.insect.com descriptive text "1AYvTflm6uAtg6in5UzQm7WdZRLDqXH5_dT3xoEpeAQ"
_acme-challenge.acme.insect.com descriptive text "Nl5_CLhbtAL_Be9nCq3xI4sg3JJUY5Ocu1NB5I7i49U"
_acme-challenge.acme.insect.com descriptive text "Mgbqom0cZJjLX_sSCDEZExjktJQdImHvG1caw03k87E"
_acme-challenge.acme.insect.com descriptive text "xKiCJ6qOne2fkbOoAftDTQBKdbJAAhphcT8jVtsaNAM"
_acme-challenge.acme.insect.com descriptive text "vSZo-0JycCClj0OGR6oqOHJhiuci34LE4ooV0U1vaJM"
_acme-challenge.acme.insect.com descriptive text "QnYzivtgNkdbYfVZZX7lWwbJL61U36bZuKzw2wCnNUE"
_acme-challenge.acme.insect.com descriptive text "X71Itab_cm3dIXFfrNQSjbSWX282JAEDJAAwQlfj-qU"
_acme-challenge.acme.insect.com descriptive text "Db_xiJi0cfrpqDK7OshCAnnzyBqthp3oXTd-sQ5PLDY"
_acme-challenge.acme.insect.com descriptive text "vYxLNidLOsNjwuR-CYf3RZZYm_UXoRCR-1qKMabv6CU"
_acme-challenge.acme.insect.com descriptive text "VM5hYR1IO6kU-9OwTzXhAPYEsfdd05ckEXY6vfCgINI"
_acme-challenge.acme.insect.com descriptive text "EgXuV1JCD2K5YsyH9WtVWGOtmaGGm27K_x8vqaIq0yM"
_acme-challenge.acme.insect.com descriptive text "D3zWSPG6NUnQXGYj2rtfM9L4GkXsgcCGiqHgl9pqcZQ"
_acme-challenge.acme.insect.com descriptive text "gzIKm2b3q_awKPDdk5aepNG4AUHVGNG9RjZFWW7jxM4"
_acme-challenge.acme.insect.com descriptive text "K1Pu-38QLZWs9-wXCZpRl8NlL7vrHvMbqUBnywMuKdA"
_acme-challenge.acme.insect.com descriptive text "Ev457ZMc87xJkX46TFBhbfOZyM_cHZbZRxTpVWWJ7EU"
_acme-challenge.acme.insect.com descriptive text "Vlyb3TQdC-WrLQrVKAdj_0EK4-lNbWeIwf6RfBDycLk"
_acme-challenge.acme.insect.com descriptive text "2UoqjJa4c6pwOzQzYqqranCQd56DVjv3T48xZKPSwAY"
5

Has anything changed on the Let's Encrypt DNS resolution side? I was able to grab the log and the DNS entries on my side and confirm that the TXT records acme.sh claims to add are actually in DNS. The zone is only used for renewals, so the records are removed after each renewal to keep down the record size.

6

I did a force renewal on another domain which is also using the same name server clusters and it worked fine, so this appears to be a limit on Let's Encrypt handling DNS resolution of our TXT records. Any idea why this would have stopped working or a way to work around it?

7

Yes, LE upgraded the unbound system it uses for that to version 1.18 (and then 1.19) after long using v1.16.

This has caused some DNS Challenge failures with more than around 20-22 TXT records. Which looks like you are just over that limit.

Use the https://unboundtest.com to check your TXT record with these diff versions.

LE has not yet provided an official response of their plans. See below thread for others like this.

3 Likes
8

Any suggestions on a work around because that ticket is already 23 days old and obviously I do not want the certificate to expire?

9

So it is the unbounded issue per the test below
v1.19:
https://unboundtest.com/m/TXT/_acme-challenge.acme.insect.com/YZHEGHQH
v1.16:
https://unboundtest.com/m/TXT/_acme-challenge.acme.insect.com/OHXNKTQU

The v1.19 isn't returning anything however the v1.16 returns just fine.

2 Likes
10

You have a month before the cert expires so the best option is to split the cert into two or more.

Use one cert for just the names in a single VirtualHost. Some of the domain names don't seem obviously related to me so I presume that at least some of them are in different VirtualHost than the others.

In your case you are just barely over the limit of what others have seen working. So, maybe just split off a couple of those domains to their own cert and leave the others as is.

There is another option of making a cert you won't even use for some of those names. Run that for success. Let's Encrypt will cache the good challenges. Then, run your full cert request again and that should work. This relies on this exact sequence and the cache duration so is less robust than just splitting up your cert permanently.

4 Likes
11

Some other workarounds you might try include:

  1. Using a different aliased name for each domain (In the acme.sh dns alias mode documentation, it's section 4 instead of section 3)
  2. Using a different CA (acme.sh is owned by ZeroSSL I think)

Definitely frustrating, we understand. I'll see if I can get an update from Let's Encrypt staff in the other thread.

5 Likes
12

OK,
#1 might be possible
#2 will be difficult with certificate CA pinning.

1 Like
13

OK, I was able to remove 2 domains that are no longer being actively used for SSL and migrate those to another certificate. That seems to have resolved the issue for now. Obviously that didn't fix the problem with DNS, but it reduced the query to a smaller size.

2 Likes
14

Delete the 23 TXT records:

And try validating them in smaller groups [of less than 20 names at a time].

2 Likes
15

The TXT records are cleared after each attempt by the acme.sh script, but the answer was to change the certificate to be less than 20 names due to the unbounded 1.19 bug with Let's Encrypt. That works for now, however fixing the root cause would be nice.

4 Likes
16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.