DNS problem: NXDOMAIN looking up TXT for _acme-challenge.vadim.com.ru - check that a DNS record exists for this domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command:acme.sh --issue --dns dns_yandex --dnssleep 180 -d vadim.com.ru

It produced this output:Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Sep 16 21:10:02 MSK 2022] Single domain='vadim.com.ru'
[Fri Sep 16 21:10:03 MSK 2022] Getting domain auth token for each domain
[Fri Sep 16 21:10:05 MSK 2022] Getting webroot for domain='vadim.com.ru'
[Fri Sep 16 21:10:05 MSK 2022] Adding txt value: 4u-BCS9QpQphe8vL5vIHYhU7a8-8Cx7I_ysWtJ6nu3g for domain: _acme-challenge.vadim.com.ru
[Fri Sep 16 21:10:08 MSK 2022] The txt record is added: Success.
[Fri Sep 16 21:10:08 MSK 2022] Sleep 180 seconds for the txt records to take effect
[Fri Sep 16 21:13:09 MSK 2022] Verifying: vadim.com.ru
[Fri Sep 16 21:13:10 MSK 2022] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
[Fri Sep 16 21:13:13 MSK 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Sep 16 21:13:17 MSK 2022] vadim.com.ru:Verify error:During secondary validation: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.vadim.com.ru - check that a DNS record exists for this domain
[Fri Sep 16 21:13:17 MSK 2022] Removing DNS records.
[Fri Sep 16 21:13:17 MSK 2022] Removing txt: 4u-BCS9QpQphe8vL5vIHYhU7a8-8Cx7I_ysWtJ6nu3g for domain: _acme-challenge.vadim.com.ru
[Fri Sep 16 21:13:18 MSK 2022] Removed: Success
[Fri Sep 16 21:13:19 MSK 2022] Please add '--debug' or '--log' to check more details.
[Fri Sep 16 21:13:19 MSK 2022] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version):TrueNAS-SCALE-22.02.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.12.0

It is a new server with a fresh install. I have another server running Truenas-Core 13 with let's encrypt cert on nextcloud with the same domain name

I'd first try raising the sleep time.

4 Likes

@rg305 like double? I'll try
There is only one text record here https://check-your-website.server-daten.de/?q=vadim.com.ru#txt

1 Like

I'm also thinking you might be running into Path MTU issues, if your authoritative nameservers were working with this configuration before July 27 when Let's Encrypt made a small change, based on the DNSViz report saying that it needed to use smaller packets in order to get replies:

https://dnsviz.net/d/_acme-challenge.vadim.com.ru/dnssec/

  • _acme-challenge.vadim.com.ru/A (NODATA): The server returned a no error (NOERROR) response when queried for _acme-challenge.vadim.com.ru having record data of type A, but returned a name error (NXDOMAIN) when queried for _acme-challenge.vadim.com.ru having record data of type AAAA. (2a02:6b8:0:1::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/A (NODATA): The server returned a no error (NOERROR) response when queried for _acme-challenge.vadim.com.ru having record data of type A, but returned a name error (NXDOMAIN) when queried for _acme-challenge.vadim.com.ru having record data of type TXT. (2a02:6b8:0:1::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/A (NXDOMAIN): No response was received from the server over UDP (tried 7 times) until the NSID EDNS option was removed (however, this server appeared to respond legitimately to other queries with the NSID EDNS option present). (2a02:6b8::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/A (NXDOMAIN): The server returned a no error (NOERROR) response when queried for _acme-challenge.vadim.com.ru having record data of type AAAA, but returned a name error (NXDOMAIN) when queried for _acme-challenge.vadim.com.ru having record data of type A. (2a02:6b8::213, UDP_-_EDNS0_4096_D)
  • _acme-challenge.vadim.com.ru/AAAA (NODATA): No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. (2a02:6b8::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/AAAA (NODATA): The server returned a no error (NOERROR) response when queried for _acme-challenge.vadim.com.ru having record data of type AAAA, but returned a name error (NXDOMAIN) when queried for _acme-challenge.vadim.com.ru having record data of type A. (2a02:6b8::213, UDP_-_EDNS0_4096_D)
  • _acme-challenge.vadim.com.ru/AAAA (NODATA): The server returned a no error (NOERROR) response when queried for _acme-challenge.vadim.com.ru having record data of type AAAA, but returned a name error (NXDOMAIN) when queried for _acme-challenge.vadim.com.ru having record data of type TXT. (2a02:6b8::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/AAAA (NXDOMAIN): No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. (2a02:6b8:0:1::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/AAAA (NXDOMAIN): The server returned a no error (NOERROR) response when queried for _acme-challenge.vadim.com.ru having record data of type A, but returned a name error (NXDOMAIN) when queried for _acme-challenge.vadim.com.ru having record data of type AAAA. (2a02:6b8:0:1::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/TXT (NXDOMAIN): No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. (2a02:6b8:0:1::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/TXT (NXDOMAIN): The server returned a no error (NOERROR) response when queried for _acme-challenge.vadim.com.ru having record data of type A, but returned a name error (NXDOMAIN) when queried for _acme-challenge.vadim.com.ru having record data of type TXT. (2a02:6b8:0:1::213, UDP_-_EDNS0_4096_D_KN)
  • _acme-challenge.vadim.com.ru/TXT (NXDOMAIN): The server returned a no error (NOERROR) response when queried for _acme-challenge.vadim.com.ru having record data of type AAAA, but returned a name error (NXDOMAIN) when queried for _acme-challenge.vadim.com.ru having record data of type TXT. (2a02:6b8::213, UDP_-_EDNS0_4096_D_KN)

It's looking like your DNS servers aren't always responding correctly, at any rate, so I'd suggest first looking at ensuring they give a response worldwide correctly while the record is there.

4 Likes

Sleep 360 seconds for the txt records to take effect

[Fri Sep 16 21:36:37 MSK 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Sep 16 21:36:40 MSK 2022] vadim.com.ru:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.vadim.com.ru - check that a DNS record exists for this domain

Obviously did not help double sleep time

1 Like

@petercooperjr - Should I try and move to Cloudfare and then add them in Gui since Truenas allows that?

I don't know if I'm qualified to recommend the optimal DNS provider for you. I haven't used Cloudflare myself, but yes they have a well-supported API, and I'm guessing that they have experience with MTU issues. But checking with your current DNS provider to see if they can fix any problems they have might also be a workable solution.

4 Likes

@petercooperjr I am getting this now: Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt",
"status": 429
I'll give it another day or so and then will probably move to Cloudfare

1 Like

Yes, like that link says, there's a limit to how many failures you can have, but that limit gets lifted relatively quickly.

You should use the Staging Environment for testing, and by the time you've got everything sorted out you'll probably be able to get your certificate in the production environment.

4 Likes

@petercooperjr Thanks for the tip - will try that

2 Likes

I have to agree; At this point, you should focus on testing the DNS system [not the certification process].

4 Likes

I get different errors every time I try though - zerossl just times out and letsencrypt gets another one. Is it all about DNS really?

Yes. You need reliable DNS servers in order to get a certificate. (And, in order for users to consistently be able to get to your site.)

3 Likes

It works fine on my other server without a hitch though - same domain same DNS. I've just recently renewed it

I see the most recent renew was on Aug25. And, there was about 2 months where no valid cert existed after your cert from Mar23 expired. See crt.sh history here. That does not look like it was working fine.

More important, I see you are not using a wildcard cert. Have you considered using the webroot or nginx methods instead of DNS? These use the HTTP Challenge method instead which uses your working nginx server. Many times these methods are easier to use. And, maybe will not fail as often as the DNS Challenge.

3 Likes

Well, the HTTP challenge still needs a working DNS in order to find the server address. I'd expect it to be less reliable since it needs both the DNS and web servers to be accessible, not just the DNS server.

3 Likes

Maybe so. Maybe not. The update of TXT records can be more problematic than just the A record lookup. Of course, if the comms to the server is unreliable that is hard to assess with what we see.

EDIT: We've seen some odd problems with yandex in the past. Especially regarding TXT sync.

3 Likes

@MikeMcQ As far as renewal it was my fault - I updated the nextcloud jail via pkg system instead of original ports when installed certbot and ended up with 2 python versions on the system which got me in dependencies hell. So it took me a while to figure it all out and it was finally renewed.
Wildcard might be a better choice or even nginx, but my nextcloud is not up and running yet to my liking

No, the DNS Challenge you are using is required to get a wildcard cert. But, you are not using a wildcard so do not have to use DNS Challenge.

The webroot or nginx methods use HTTP Challenge which might work better given your Yandex DNS. But, you cannot get wildcard cert with these methods.

3 Likes

I've just ran it again with 20 min sleep DNS time and TXT was created immediately - I see it in the panel, but it still fails....