DNS being queried is the wrong nameserver

Our site is hosted in Azure.
The domain is: omaha.consultationmanager.dev but I am only using the one DNS zone for consultationmanager.dev. A previous instance of our site worked fine using a different subdomain BTW.

I am provisioning via Terraform and it worked fine on the staging URL, but after changing over to production it now constantly times out. There are 5 domains (wildcards and subdomains of the above domain, if that helps).

If you do an NS lookup on consultationmanager.dev you get 4 nameservers, which is correct, all starting with ns1-09.azure-dns.

However, the error from Let's Encrypt in our Terraform log is like:
error: one or more domains had a problem:
[*.api.omaha.consultationmanager.dev] time limit exceeded: last error: NS ns2-224.azure-dns.net. did not return the expected TXT record

As you can see, it is getting ns2-224.azure-dns, which is wrong.

Is this some weird Azure issue someone has run into before? The nameservers were updated a week ago, so this isn't some recent nameserver change.

No, it's not. The hostname _acme-challenge.api.omaha.consultationmanager.dev. has a CNAME with omh-dev-api-west-us.azurewebsites.net. as its value, and ns2-224.azure-dns.net is one of the authoritative nameservers for that hostname.

That's probably due to the wildcard RR being a CNAME. Not sure how DNS would cope with a wildcard CNAME next to an actual non-wildcard label with a different RR type.


This error comes from lego's client-side preflight check, not from Let's Encrypt's servers.

Terraform's ACME provider is probably embedding lego.


Interesting. Would there be a benefit then in me removing the CNAME wildcards and only adding them once the acme-challenge is complete?

I'd prefer to look for a more permanent arrangement.
Having to remove a CNAME that is presumably being used by someone/something somewhere may create a disturbance to that system (requirement).

Like using multiple CNAMEs: one for the specific entry and the other as a catch-all wildcard.
The specific one can CNAME to any domain you control* (including that same one, just not the same "path", which would create a "loop").

Note: "control" here implies being able to automate DNS changes.
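The two technical points in this thread (the wildcard CNAME capturing the _acme-challenge name, and the fix of a specific record at that exact name) can be seen in a small model of DNS wildcard matching (RFC 4592). The following is an added example written for this page; it is not code from the original posts, from lego or from Azure. The zone contents are constructed for illustration: only the wildcard CNAME, its target and the nameserver names come from the thread, the addresses and the hypothetical CNAME target `acme-api-omaha.consultationmanager.dev` are assumptions, and `acme_preflight` is a simplified stand-in for a client-side dns-01 check, not lego's implementation.

```python
"""Model of RFC 4592 wildcard matching showing why a wildcard CNAME at
*.api.omaha.consultationmanager.dev swallows the _acme-challenge name, and why
an explicit record at that exact name fixes it.  Added example, not code from
the thread, lego or Azure; zone data below is constructed for illustration."""

from typing import Dict, List, Optional, Tuple

Zone = Dict[str, Dict[str, List[str]]]      # owner name -> rrtype -> rdata


def make_zones() -> Dict[str, Zone]:
    """Constructed data for two zones: the poster's, and the Azure Web Apps
    zone the wildcard CNAME points into (IP addresses are assumptions)."""
    return {
        "consultationmanager.dev": {
            "consultationmanager.dev": {"NS": ["ns1-09.azure-dns.com."]},
            "omaha.consultationmanager.dev": {"A": ["203.0.113.10"]},
            "*.api.omaha.consultationmanager.dev": {
                "CNAME": ["omh-dev-api-west-us.azurewebsites.net"]},
        },
        "azurewebsites.net": {
            "azurewebsites.net": {"NS": ["ns2-224.azure-dns.net."]},
            "omh-dev-api-west-us.azurewebsites.net": {"A": ["203.0.113.20"]},
        },
    }


def zone_for(zones: Dict[str, Zone], name: str) -> Tuple[str, Zone]:
    """Pick the zone whose apex is the longest suffix of name."""
    apex = max((a for a in zones if name == a or name.endswith("." + a)),
               key=len, default="")
    return apex, zones.get(apex, {})


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of an owner (an
    'empty non-terminal'); a wildcard owner makes its parent exist too."""
    return any(o == name or o.endswith("." + name) for o in zone)


def wildcard_source(zone: Zone, name: str) -> Optional[Dict[str, List[str]]]:
    """RFC 4592: the closest encloser is the longest existing ancestor of the
    query name; "*.<closest encloser>" synthesises the answer, and only when
    the query name itself does not exist."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):
            return zone.get("*." + encloser)
    return None


def resolve(zones: Dict[str, Zone], name: str, rtype: str, max_chain: int = 8) -> dict:
    """Resolve name/rtype, chasing CNAMEs across zones.  Reports which zone
    (hence which nameservers) gave the final answer, which is what a
    client-side preflight check ends up complaining about."""
    for _ in range(max_chain):
        apex, zone = zone_for(zones, name)
        ns = zone.get(apex, {}).get("NS", [])
        if name in zone:
            rrs = zone[name]                    # exact match beats any wildcard
        elif name_exists(zone, name):
            return {"ns": ns, "status": "NODATA", "rdata": []}   # empty non-terminal
        else:
            rrs = wildcard_source(zone, name)
            if rrs is None:
                return {"ns": ns, "status": "NXDOMAIN", "rdata": []}
        if "CNAME" in rrs and rtype != "CNAME":
            name = rrs["CNAME"][0]              # follow the alias, possibly into another zone
            continue
        if rtype in rrs:
            return {"ns": ns, "status": "NOERROR", "rdata": rrs[rtype]}
        return {"ns": ns, "status": "NODATA", "rdata": []}
    raise RuntimeError("CNAME chain too long")


def acme_preflight(zones: Dict[str, Zone], domain: str, token: str) -> Tuple[bool, str]:
    """Simplified model of a client-side dns-01 preflight check (not lego's
    code): strip a leading "*." and expect the token in TXT at
    _acme-challenge.<domain>."""
    base = domain[2:] if domain.startswith("*.") else domain
    ans = resolve(zones, "_acme-challenge." + base, "TXT")
    if token in ans["rdata"]:
        return True, "ok"
    who = ans["ns"][0] if ans["ns"] else "?"
    return False, f"NS {who} did not return the expected TXT record"


def publish_challenge(zones: Dict[str, Zone], token: str) -> None:
    """The arrangement suggested in the thread: a specific CNAME at the exact
    challenge name (so the wildcard is never consulted for it) pointing at a
    name in a zone you can automate, where the TXT is written per renewal.
    The target name acme-api-omaha.consultationmanager.dev is an assumption."""
    z = zones["consultationmanager.dev"]
    z["_acme-challenge.api.omaha.consultationmanager.dev"] = {
        "CNAME": ["acme-api-omaha.consultationmanager.dev"]}
    z["acme-api-omaha.consultationmanager.dev"] = {"TXT": [token]}


if __name__ == "__main__":
    zones = make_zones()
    print(acme_preflight(zones, "*.api.omaha.consultationmanager.dev", "tok"))
    publish_challenge(zones, "tok")
    print(acme_preflight(zones, "*.api.omaha.consultationmanager.dev", "tok"))
```

Before `publish_challenge`, the TXT query for `_acme-challenge.api.omaha.consultationmanager.dev` finds no exact name, matches the wildcard, follows its CNAME into azurewebsites.net and gets NODATA from ns2-224.azure-dns.net, which is exactly the nameserver named in the poster's log. After it, the exact name exists, the wildcard is never consulted for it, and the wildcard keeps working for every other name under api.omaha.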

