Dns record types allowed

Hello

We’ve been using acme.sh for over a year and it has been working great.

I have 2 questions:

Is this true: CNAME DNS records are only allowed as subdomains?

I am trying to add nextcloud.ourdomain.com. acme.sh is running on that virtual machine, not a web server.

pfsense has NAT set to portforward 37080 to 80 on the target

/root/.acme.sh/acme.sh --httpport 37080  --log --issue --standalone  -d   nextcloud.ourdomain.com  --force

 Verify error:DNS problem: NXDOMAIN looking up A

So at godaddy I changed our nextcloud record to A and will try again

Also, I assume it is best to wait some time after adding the A record at GoDaddy?

Best regards, Roberto

As long as you don’t mention the real domain name, nobody can help you.

OK, here it is:

fantinibakery.com

Also, the record I am trying to add is:

fbcadmin.fantinibakery.com

After I get that temporary/test one done I will add nextcloud.

Hi @roberto,

Are you sure you added a CNAME or A record to this subdomain? None of your NS servers has an answer for this subdomain.

$ dig @ns27.domaincontrol.com fbcadmin.fantinibakery.com

; <<>> DiG 9.11.1 <<>> @ns27.domaincontrol.com fbcadmin.fantinibakery.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32764
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fbcadmin.fantinibakery.com.    IN      A

;; AUTHORITY SECTION:
fantinibakery.com.      600     IN      SOA     ns27.domaincontrol.com. dns.jomax.net. 2017101100 28800 7200 604800 600

;; Query time: 10 msec
;; SERVER: 216.69.185.14#53(216.69.185.14)
;; WHEN: Wed Oct 11 11:14:24 CEST 2017
;; MSG SIZE  rcvd: 123

$ dig @ns28.domaincontrol.com fbcadmin.fantinibakery.com

; <<>> DiG 9.11.1 <<>> @ns28.domaincontrol.com fbcadmin.fantinibakery.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16401
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fbcadmin.fantinibakery.com.    IN      A

;; AUTHORITY SECTION:
fantinibakery.com.      600     IN      SOA     ns27.domaincontrol.com. dns.jomax.net. 2017101100 28800 7200 604800 600

;; Query time: 8 msec
;; SERVER: 208.109.255.14#53(208.109.255.14)
;; WHEN: Wed Oct 11 11:14:27 CEST 2017
;; MSG SIZE  rcvd: 123

Cheers,
sahsanu

Yes, I am looking at the GoDaddy screen now.
fbcadmin was added as an A record this morning.

nextcloud, ldap were added yesterday as CNAME

owncloud, sogo and 10 others have been in use for a year.

Those all exist. fbcadmin doesn't.

Are you sure it's not misspelled? Added to the wrong domain? Or something like that?

Maybe GoDaddy is experiencing a problem with new DNS records?

I think there is a longer than expected delay between adding a record and having dig @ns28.domaincontrol.com work.

So my 2 questions:

1- Can a CNAME record be used as the only -d record?

2- After adding a record to [ a service like GoDaddy ], how long does it usually take for dig @ns28.domaincontrol.com to work?

I'm not sure what you mean. There should be no problem with making fbcadmin.fantinibakery.com a CNAME, like your other records.

That's up to GoDaddy. I don't personally know how their systems usually work.

So GoDaddy has lags getting records to name servers.

Once our test fbcadmin works as a DNS A record with dig, I'll test trying to use a CNAME record as the only --domain to be added. It probably works, but the error message refers to 'error:DNS problem: NXDOMAIN looking up A'. I assume, and could be wrong, that the A means at least one A record is needed.

Thank you for the help, this is a responsive forum!

A and/or AAAA records are necessary for HTTP-01 or TLS-SNI-01 validation, but it's totally fine if you have a CNAME pointing to (a CNAME pointing to...) a name with A and/or AAAA records.
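As an added pre-flight check, not code from this thread or from acme.sh: parse dig's text output the way the lookups above are read, then follow the CNAME chain in the answer section until A/AAAA records appear. An empty result means the http-01 lookup would fail, exactly as it does for an NXDOMAIN reply. The sample replies are constructed and use example.com names.

```python
import re

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")  # from the ";; ->>HEADER<<-" line
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")  # owner ttl IN type rdata

def parse_dig(output):
    """(status, [(owner, type, rdata)]) from dig text; ANSWER section only, so the
    SOA in the AUTHORITY section of an NXDOMAIN reply (as in the thread) is ignored."""
    status, records, in_answer = "UNKNOWN", [], False
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            status = m.group(1) if m else status
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip() or line.startswith(";"):
            in_answer = False
        elif in_answer:
            m = RR_RE.match(line)
            if m:
                owner, rtype, rdata = m.groups()
                records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return status, records

def http01_addresses(name, output, max_hops=8):
    """Addresses the CA can reach for http-01: follow CNAMEs (a chain is fine) until
    A/AAAA records appear; [] on NXDOMAIN, a dead-end chain or a CNAME loop."""
    status, records = parse_dig(output)
    if status != "NOERROR":
        return []
    target = name.rstrip(".").lower()
    for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
        addrs = [r for o, t, r in records if o == target and t in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [r for o, t, r in records if o == target and t == "CNAME"]
        if not cnames:
            return []
        target = cnames[0]
    return []

# Constructed replies (not real lookups), modelled on the dig output in the thread.
SAMPLE_NXDOMAIN = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32764\n"
SAMPLE_CNAME_CHAIN = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
ldap.example.com.\t300\tIN\tCNAME\tnextcloud.example.com.
nextcloud.example.com.\t300\tIN\tCNAME\tweb.example.com.
web.example.com.\t300\tIN\tA\t203.0.113.10
web.example.com.\t300\tIN\tAAAA\t2001:db8::10
"""
```

Feed it the output of `dig +noall +comments +answer <name>` (or the full default output, as above) and run it before `acme.sh --issue` to catch a missing record before the CA does.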

OK so I decided to try this instead of waiting for fbcadmin to be ready.

/root/.acme.sh/acme.sh --httpport 37080  --log --issue --standalone  -d   ldap.fantinibakery.com  --force

I get:

[Wed Oct 11 06:33:27 EDT 2017] Standalone mode.
[Wed Oct 11 06:33:27 EDT 2017] Single domain='ldap.fantinibakery.com'
[Wed Oct 11 06:33:27 EDT 2017] Getting domain auth token for each domain
[Wed Oct 11 06:33:27 EDT 2017] Getting webroot for domain='ldap.fantinibakery.com'
[Wed Oct 11 06:33:27 EDT 2017] Getting new-authz for domain='ldap.fantinibakery.com'
[Wed Oct 11 06:33:28 EDT 2017] The new-authz request is ok.
[Wed Oct 11 06:33:28 EDT 2017] Verifying:ldap.fantinibakery.com
[Wed Oct 11 06:33:28 EDT 2017] Standalone mode server
[Wed Oct 11 06:33:31 EDT 2017] ldap.fantinibakery.com:Verify error:Fetching http://ldap.fantinibakery.com/.well-known/acme-challenge/Tc75oFWF-FG-BuUrnO723sE3tpcqt8QCfRZQPC9vtqM: 
Connection refused
[Wed Oct 11 06:33:31 EDT 2017] Please check log file for more details: 
/root/.acme.sh/acme.sh.log

# grep error /root/.acme.sh/acme.sh.log
[Wed Oct 11 06:33:31 EDT 2017] ldap.fantinibakery.com:Verify error:Fetching http://ldap.fantinibakery.com/.well-known/acme-challenge/Tc75oFWF-FG-BuUrnO723sE3tpcqt8QCfRZQPC9vtqM: Connection refused

Any hints to solve this?

Searched the forums. Will try adding the --tlsport port on the CLI and in pfSense.

/root/.acme.sh/acme.sh --tlsport 37443 --httpport 37080  --log --issue --standalone  -d   ldap.fantinibakery.com  --force

Same error:
[Wed Oct 11 07:06:05 EDT 2017] ldap.fantinibakery.com:Verify error:Fetching http://ldap.fantinibakery.com/.well-known/acme-challenge/NS0GckCHKcQ73TMYeaZ3nI0BT5Dc-J6itSRnm2EjWt4: Connection refused

@roberto, keep in mind that it doesn't matter what port is used, Let's Encrypt will try to connect to your server using port 80 (http-01 challenge) or port 443 (tls-01 challenge), so double check that you are forwarding these ports from your router (pfSense?) to the right ports on the machine.


Yes, that was it. I had the target port set to the custom port instead of 80. Thank you.

This probably means progress:

new-authz error: {"type":"urn:acme:error:rateLimited","detail":"Error creating new authz :: Too many invalid authorizations recently.","status": 429}

I assume the connect tests work to get to that point.

You need to wait 1 hour before trying again.

OK, will do! Thanks again.
