Our site is hosted in Azure.
The domain is: omaha.consultationmanager.dev but I am only using the one DNS zone for consultationmanager.dev. A previous instance of our site worked fine using a different subdomain BTW.
I am provisioning via Terraform and it worked fine on the staging URL, but after changing over to production it now constantly times out. There are 5 domains (wildcards and subdomains of the above domain, if that helps).
If you do an nslookup on consultationmanager.dev you get 4 nameservers, which is correct, all starting with ns1-09.azure-dns.
However, the error from Let's Encrypt in our Terraform log is like:
error: one or more domains had a problem:\n[*.api.omaha.consultationmanager.dev] time limit exceeded: last error: NS ns2-224.azure-dns.net. did not return the expected TXT record
As you can see, it is getting ns2-224.azure-dns, which is wrong.
Is this some weird Azure issue someone has run into before? The nameservers were updated a week ago, so this isn't some recent nameserver change.
No, it's not. The hostname _acme-challenge.api.omaha.consultationmanager.dev. has a CNAME with omh-dev-api-west-us.azurewebsites.net. as value, and ns2-224.azure-dns.net is one of the authoritative nameservers for that hostname.
That's probably due to the wildcard RR being a CNAME. Not sure how DNS would cope with a wildcard CNAME next to an actual non-wildcard label with a different RR type.
This error comes from lego's client-side preflight check, not from Let's Encrypt's servers.
Terraform is probably embedding lego.
Interesting. Would there be a benefit, then, in me removing the CNAME wildcards and only adding them back once the acme-challenge is complete?
I'd prefer to look for a more permanent arrangement.
Having to remove a CNAME that is presumably being used by someone/something somewhere may create a disturbance to that system (requirement).
Like using multiple CNAMEs: one for the specific entry and the other as a catch-all wildcard.
The specific one can CNAME to any domain you control* (including that same one - just not the same "path" that would create a "loop").
Note: "control" here implies being able to automate DNS changes.
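The following is an added example, not part of any post in this thread: a small model of DNS wildcard synthesis (RFC 4592) showing why the DNS-01 lookup for `*.api.omaha.consultationmanager.dev` lands on the azurewebsites.net target, and how an explicit `_acme-challenge` CNAME next to the wildcard changes that. The zone contents are constructed, the wildcard's position at `*.api.omaha.consultationmanager.dev` is an assumption, and `acme.example.net` is a hypothetical zone standing in for "a domain you control".

```python
# Constructed zone data modelled on the names in the thread. One record per
# owner name keeps the model small. "acme.example.net" is a hypothetical zone.
WILDCARD_ONLY = {
    "*.api.omaha.consultationmanager.dev":
        ("CNAME", "omh-dev-api-west-us.azurewebsites.net"),
}
WITH_SPECIFIC = {
    **WILDCARD_ONLY,
    "_acme-challenge.api.omaha.consultationmanager.dev":
        ("CNAME", "omaha-api.acme.example.net"),
}


def exists(zone, name):
    """A name exists if it owns a record or has any descendant (RFC 4592)."""
    return name in zone or any(k.endswith("." + name) for k in zone)


def lookup(zone, name):
    """Return (rrtype, value, source) or None, with wildcard synthesis."""
    name = name.rstrip(".").lower()
    if exists(zone, name):  # an existing name is never covered by a wildcard
        rr = zone.get(name)
        return (*rr, "exact") if rr else None
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if exists(zone, parent):  # closest encloser found
            rr = zone.get("*." + parent)
            return (*rr, "wildcard") if rr else None
    return None


def challenge_name(identifier):
    """DNS-01 owner name for a certificate identifier (wildcard stripped)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()


def txt_location(zone, identifier):
    """Name where the TXT record is looked up after following one CNAME."""
    name = challenge_name(identifier)
    rr = lookup(zone, name)
    if rr and rr[0] == "CNAME":
        return rr[1], rr[2]
    return name, "direct"
```

With only the wildcard present, the challenge name is synthesized from it and the TXT lookup moves into the azurewebsites.net zone; with the specific CNAME added, the wildcard keeps serving every other label while the challenge is delegated separately.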