DNS Manual Authentication Fails with NXDOMAIN

rdill17 · May 8, 2017, 3:15pm

Hi,

I am in the process of automating our certificate renewals. Many of the servers I'm validating lie behind a firewall and should remain private. In a previous post, I learned that I can validate a domain without opening any ports or IP addresses using the DNS challenge method, but it's not working.

I ran certbot in manual mode with "certbot-auto -d dw.cameron.edu --manual --preferred-challenges dns certonly." I added the appropriate DNS entries and tested them. In particular, I checked google's DNS at 8.8.8.8 with nslookup to ensure that the TXT record is indeed accessible. It was accessible and correct. Yet, when I pressed enter to follow through to the next step, I get the following error.

Failed authorization procedure. dw.cameron.edu (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.dw.cameron.edu

Can someone tell me what I'm doing wrong?

Thank you.

mnordhoff · May 8, 2017, 3:33pm

At the moment, “_acme-challenge.dw.cameron.edu.” really does return NXDOMAIN.

On the other hand, there is a TXT record for “_acme-challenge.dw.cameron.edu.cameron.edu.”.

_acme-challenge.dw.cameron.edu.cameron.edu. 600 IN TXT "bEoWKFO-rn2b76-QSr-USoveD3o2O3cs0OEKh-9soos"

Maybe Google Public DNS was returning older cached results? You need to double check how the DNS is configured.

rdill17 · May 8, 2017, 3:52pm

Ah, I forgot to add the period at the end of the DNS entry name, so it tacked on an extra cameron.edu. Stupid me. I finally passed the validation. Thank you for your help.

system · June 7, 2017, 3:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.