DNS challenge questions

  1. Is there a way to repeat the DNS challenge without having to rerun the certbot command again? Is there a certbot command to rerun the DNS verification part of the script? I don't want to rerun the whole command again and get another TXT value to add to DNS. I would like for LE to just verify again just in case the DNS is taking longer to propagate. I do manually check for the record before I continue to let the certbot script check but it doesn't work all the time. So it would be nice to just do a retry with certbot after some time without creating a whole new challenge.

  2. What provider does LE use to do a TXT record lookup? I am using the DNS challenge to verify my domain with a TXT record. In my script I have a loop to lookup the TXT record after I add it to DNS to make sure it's resolvable before continuing on with the certbot script to let it verify the record is there. I am using Google's 8.8.8.8 server and when I see the record resolve with it I continue with the script but it doesn't work every time. It failed to resolve 3 out of 10 times. So my question is: what DNS provider does LE use to lookup the TXT record? I want to verify with that server before I let LE verify so I am assured a lookup will be successful every time.

Thanks!

1 Like

For 1...

I'm not quite following your question, but no, each challenge is separate with a new code. But usually you'd be using a DNS plugin for certbot that handles updating your DNS server and confirming that the DNS provider says that it's updated everywhere, and wouldn't be needing any manual steps at all. Trying to do things manually is the most complicated, challenging and error-prone way to try to use Let's Encrypt.

6 Likes

For 1...

This suggests you're using the --manual authenticator plugin, which is not advisable. Let's Encrypt is all about automation and while certainly not impossible, it's relatively hard to automate the --manual plugin.

With which DNS service provider is your domain name hosted? Note that the DNS service provider can be different than the DNS registrar and the website hosting provider.

And why do you require the dns-01 challenge to begin with? Usually the http-01 challenge works just fine and is more easily automatable.

3 Likes

So I run the script to get the value to put in my TXT record. Then I automate adding that value to our DNS server. Then I run a loop to verify the record exists in our DNS authoritative server which is 8.8.8.8. Once it resolves with that DNS server I continue the certbot script. 3 times out of 10 it has failed so it would be nice to tell certbot to retry the DNS lookup so I don't have to run the whole certbot process again and get another TXT record value. Make sense?

We have our own DNS server.

Yes we had been using the http challenge and it worked fine. However security started blocking http inbound for us unless we could tell them what ip range we expect the request to come from and LE doesn't provide that info. So hence needing to switch to the dns challenge.

2 Likes

For 1...

Let's Encrypt walks the DNS tree using the authoritative DNS servers. So, if you pre-checked it was there then there may be some other problem.

If you provide your domain name we can check your DNS config and probably see something you are not.

Also knowing the error message when it fails would be helpful. There are many possible reasons and knowing which caused the failure often leads to a solution.

6 Likes

Adding to my previous post ... both of those wouldn't be true. Did you mean your resolver is 8.8.8.8? Your own DNS Server is probably a different set of IP addresses.

5 Likes

Ok let me see if I can get a fresh session to fail again. Will post the domain when I get a failure. Thanks for the help!

3 Likes

Can you automate adding/removing the TXT RR? For example, many DNS servers can use the protocol as outlined by RFC 2136 to update the DNS zone dynamically. I know BIND and PowerDNS support it. And there's a DNS authenticator plugin for that: Welcome to certbot-dns-rfc2136’s documentation! — certbot-dns-rfc2136 0 documentation.

Alternatively I see a few people on the internet have developed hook scripts to be used with --manual for nsupdate, which uses the same protocol.

Also, it's sometimes possible to allow specific paths and block the rest. E.g., if your company would be able to allow access to /.well-known/acme-challenge/ on port 80, you could use the http-01 challenge again.

Furthermore, it's completely ridiculous to block port 80, but have port 443 open (as it's usually exactly the same software listening on both ports). So maybe you could convince your IT security department of their ludicrous concepts and have them take a look at Best Practice - Keep Port 80 Open - Let's Encrypt.

2 Likes

For 2...

It uses your authoritative DNS servers directly. (That is, they run their own recursive resolver, rather than delegating to some other company's DNS resolver.) You need to make sure that all of the authoritative servers for your domain name are in sync before having certbot continue with attempting to authorize the name.

5 Likes

Seems our DNS authoritative server is 8.8.8.8 as well. So it should in theory never fail if I've already verified in my script that the record is resolvable by 8.8.8.8. LE should also resolve it too. But it doesn't sometimes.

For 2...

Your domain name's authoritative server is not 8.8.8.8, that just might be the recursive resolver your server uses. What system are you updating to add the TXT record? What domain name are you updating, and what do its NS records say?

5 Likes
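The pre-check the two "For 2..." replies describe (query each authoritative server directly, with recursion off, rather than 8.8.8.8) looks roughly like this. Added illustration, not certbot's code and not the poster's script; it assumes you already have the NS addresses from `dig NS yourdomain` and uses only the standard library, and the IPs in the docstrings are placeholders.

```python
# Added illustration (not certbot's code, not the poster's script): query each
# authoritative server directly for the dns-01 TXT record, standard library only.
import socket, struct

def build_txt_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Minimal TXT query with RD=0: ask what the server itself holds, no recursion."""
    header = struct.pack("!HHHHHH", txn_id, 0, 1, 0, 0, 0)  # flags=0 -> RD off
    labels = name.strip(".").encode().split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def _skip_name(data: bytes, pos: int) -> int:
    """Offset just past a wire-format name; a 0xC0 pointer ends it in two bytes."""
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_txt_answers(data: bytes) -> list[str]:
    """Return every TXT string in the answer section ([] on NXDOMAIN/SERVFAIL)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F:                      # RCODE other than NOERROR
        return []
    pos = 12
    for _ in range(qd):                     # question: QNAME, QTYPE, QCLASS
        pos = _skip_name(data, pos) + 4
    txts = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        rdata, pos = data[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == 16:                     # TXT RDATA: <len><chars> strings
            i, chunks = 0, []
            while i < len(rdata):
                chunks.append(rdata[i + 1:i + 1 + rdata[i]].decode())
                i += 1 + rdata[i]
            txts.append("".join(chunks))
    return txts

def query_txt(server_ip: str, name: str, timeout: float = 3.0) -> list[str]:
    """Send the query over UDP/53 straight to one authoritative server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (server_ip, 53))
        return parse_txt_answers(s.recvfrom(4096)[0])

def record_on_all_servers(name, expected, server_ips, lookup=query_txt):
    """Let certbot continue only when every NS address serves the expected value."""
    return all(expected in lookup(ip, name) for ip in server_ips)
```

Loop on `record_on_all_servers("_acme-challenge.yourdomain", token, ns_ips)` with a short sleep between attempts; a resolver like 8.8.8.8 caching an older answer is exactly what this sidesteps.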

Believe me it's been a pain in the rear with the block and they aren't budging so we have to use DNS for now. Need to keep security on my good side :).

Yes we use PowerDNS and I automate adding the record to it. Seems to work well except for the few failures on resolving the record.