DNS error when trying to log to Google's testtube CT log


#1

I have a local boulder instance running and issuance works fine. As a next step, I added google’s testtube CT log to the va config but when a new cert is issued, I get the following error:

boulder-publisher Request failed, backing-off for 8s: Post http://ct.googleapis.com/testtube/ct/v1/add-chain: dial tcp: lookup ct.googleapis.com on 127.0.0.11:53: server misbehaving

The actual endpoint it’s trying to log to looks correct to me. I’m using 8.8.8.8 as a resolver in the va and ra configs and I am puzzled why it’s trying to use 127.0.0.11 as a DNS resolver.

Also, just to avoid questions, google’s requirements for logging to their test logs are fulfilled (the cert’s subject has test in the name and the root in the chain is acceptable to testtube).

Appreciate any ideas!


#2

Hi,

I (personally) think you should consider asking this on the GitHub repo’s issue page… Since there should have more people familiar with this matter.

Thank you


#3

boulder-publisher doesn’t use the RA/VA configs, but I think that the likely cause is that your Docker network’s embedded DNS resolver (127.0.0.11) is broken.

The reason that resolver is used is because it provides the ability for containers to address each other by their proper names (e.g. ra1.boulder) rather than hardcoded addresses, and other queries are forwarded onto the system’s host resolver.

Since the RA and VA have special DNS resolver requirements, they send DNS queries directly to other resolvers.

Try checking that you can perform DNS lookups in a normal interactive container, try restart Docker, try passing a resolver for the embedded resolver to forward queries to e.g. --dns 8.8.8.8.


#4

Tried that and DNS resolution seems to work fine in an interactive alpine container (even without specifically passing a public DNS resolver).


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.