DNS records not read correctly

Updated TXT records for floralencounters.com and www.floralencounters.com, but LE tells me the TXT records are incorrect.

Querying my DNS servers (dns1.visualenc.com) shows TXT records are exactly as they should be from renewal process.

What is LE doing?

I've moved your thread to the generic #Help section as I feel this is more of a request for help with issuance than a more specific discussion about issuance tech.

And in the #Help section you would have been shown a questionnaire. I'll copy/paste it below, please answer all the questions to the best of your knowledge and if you don't know the answer, please tell us that too:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Hi @Mole2021 and welcome to the LE community forum :slight_smile:

You might need to check both DNS servers before continuing:

nslookup -q=ns floralencounters.com
floralencounters.com    nameserver = dns1.visualenc.com
floralencounters.com    nameserver = dns2.visualenc.com
2 Likes

My domain is:
floralencounters.com

I ran this command:
acme.sh --renew -d floralencounters.com -d www.floralencounters.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

That produced:
[Mon 14 Jun 2021 03:28:55 PM EDT] Renew: 'floralencounters.com'
[Mon 14 Jun 2021 03:28:56 PM EDT] Multi domain='DNS:floralencounters.com,DNS:www.floralencounters.com'
[Mon 14 Jun 2021 03:28:56 PM EDT] Getting domain auth token for each domain
[Mon 14 Jun 2021 03:28:59 PM EDT] Getting webroot for domain='floralencounters.com'
[Mon 14 Jun 2021 03:28:59 PM EDT] Getting webroot for domain='www.floralencounters.com'
[Mon 14 Jun 2021 03:28:59 PM EDT] Add the following TXT record:
[Mon 14 Jun 2021 03:28:59 PM EDT] Domain: '_acme-challenge.floralencounters.com'
[Mon 14 Jun 2021 03:28:59 PM EDT] TXT value: 'GhPvBKJ9_So4Cln1fzOaJhj3E-BdX04PZEBsqMSNd58'
[Mon 14 Jun 2021 03:28:59 PM EDT] Please be aware that you prepend _acme-challenge. before your domain
[Mon 14 Jun 2021 03:28:59 PM EDT] so the resulting subdomain will be: _acme-challenge.floralencounters.com
[Mon 14 Jun 2021 03:29:00 PM EDT] Add the following TXT record:
[Mon 14 Jun 2021 03:29:00 PM EDT] Domain: '_acme-challenge.www.floralencounters.com'
[Mon 14 Jun 2021 03:29:00 PM EDT] TXT value: '3JH3ZXRtFvX0-w_eDIm7uzvIBk05cCqcIkhUHJUuHyw'
[Mon 14 Jun 2021 03:29:00 PM EDT] Please be aware that you prepend _acme-challenge. before your domain
[Mon 14 Jun 2021 03:29:00 PM EDT] so the resulting subdomain will be: _acme-challenge.www.floralencounters.com
[Mon 14 Jun 2021 03:29:00 PM EDT] Please add the TXT records to the domains, and re-run with --renew.
[Mon 14 Jun 2021 03:29:00 PM EDT] Please check log file for more details: /home/oracle/.acme.sh/acme.sh.log
[Mon 14 Jun 2021 03:29:00 PM EDT] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

My web server is (although this is irrelevant at this juncture)
Tomcat 8.5

The web server OS is
Solaris 10 x86

My hosting provider is:
Self - static IP addresses on Verizon FIOS

I can log in as root, and have about 30 years' experience with Unix.

No control panel involved - everything run from a shell.

Certbot version is 0.31.0 - probably not relevant, as the problem seems to be that even though the DNS servers (dns1.visualenc.com) return the expected value for the TXT records when queried, LE does not see that.

You have two authoritative DNS servers.
But they don't both return the same response:

nslookup -q=txt _acme-challenge.floralencounters.com dns1.visualenc.com
_acme-challenge.floralencounters.com    text = "gH2bUVHclyDVzH-XqnGzWwQGW33S0kB2AaWc58fixXw"

nslookup -q=txt _acme-challenge.floralencounters.com dns2.visualenc.com
*** UnKnown can't find _acme-challenge.floralencounters.com: No response from server
3 Likes

DNS2 is offline which should not matter. The response from DNS1 is correct. LE should and in the past has just used that.

Welcome to the Let's Encrypt Community, Steve :slightly_smiling_face:

The TXT records that I'm currently seeing don't match the dns-01 challenge presented. I'm assuming this is from your further attempts. Maybe not enough propagation delay?

_acme-challenge.floralencounters.com. 1799 IN TXT "gH2bUVHclyDVzH-XqnGzWwQGW33S0kB2AaWc58fixXw"

_acme-challenge.www.floralencounters.com. 1799 IN TXT "WSq1ZBfiiU4yXNaBZDXflSlYpsxV0dx_-XwcKUge2lY"

3 Likes

Well I can't find anything obviously wrong with any of the systems.
So that points me to the process...
Has anything changed since your last renewal?
Are you waiting long enough for the DNS change to be visible (from the Internet)?

3 Likes

The only thing that has changed since my last renewal is a change of ISP with corresponding changes in the static IP addresses used for my DNS servers and web sites etc.

If Lets Encrypt queries the authoritative servers directly then there is no propagation delay involved. But it does not seem to do that.

Just as a sanity check I re-ran this whole process again - o/p is below. First "renew" request obtains TXT values. Then I update DNS and I am showing results from querying dns1.visualenc.com from a host that is in a corporate data center that has nothing to do with my domains. Then I show the failure of the next "renew" command.

This is all very, very frustrating and it's not helped by the life-cycle model that LE uses for the renew process.

RENEW REQUEST #1

It looks like the log didn't get added to the post via email properly.

2 Likes

So what is the best way of remedying that?

Thanks.

2 Likes

That reads like you are running renew twice but updating the TXT records only once.
What I mean is you have to update the TXT records every time you renew (while you renew).
[TXT record creations are done during the renewal - not afterwards, nor between renewals]

3 Likes

Come to the website, edit the post, and paste the contents manually...ideally between a pair of triple backticks (aka code fence) like this so it gets put into a code block with a monospaced font.

```
log contents goes here
```
4 Likes

RENEW REQUEST #1
=================

oracle@vpn:~/.acme.sh$ acme.sh --renew -d floralencounters.com   -d www.floralencounters.com    --yes-I-know-dns-manual-mode-enough-go-ahead-please 
[Tue 15 Jun 2021 09:30:11 AM EDT] Renew: 'floralencounters.com'
[Tue 15 Jun 2021 09:30:13 AM EDT] Multi domain='DNS:floralencounters.com,DNS:www.floralencounters.com'
[Tue 15 Jun 2021 09:30:13 AM EDT] Getting domain auth token for each domain
[Tue 15 Jun 2021 09:30:16 AM EDT] Getting webroot for domain='floralencounters.com'
[Tue 15 Jun 2021 09:30:16 AM EDT] Getting webroot for domain='www.floralencounters.com'
[Tue 15 Jun 2021 09:30:16 AM EDT] Add the following TXT record:
[Tue 15 Jun 2021 09:30:16 AM EDT] Domain: '_acme-challenge.floralencounters.com'
[Tue 15 Jun 2021 09:30:16 AM EDT] TXT value: 'R65NuuFu3k2IK18tOlJJ8Ii11ONlneBEFtaYa-Wa-Us'
[Tue 15 Jun 2021 09:30:16 AM EDT] Please be aware that you prepend _acme-challenge. before your domain
[Tue 15 Jun 2021 09:30:16 AM EDT] so the resulting subdomain will be: _acme-challenge.floralencounters.com
[Tue 15 Jun 2021 09:30:16 AM EDT] Add the following TXT record:
[Tue 15 Jun 2021 09:30:16 AM EDT] Domain: '_acme-challenge.www.floralencounters.com'
[Tue 15 Jun 2021 09:30:17 AM EDT] TXT value: 'gh0AkYR1rijEpI8CH28zK_YiuAlOvZgXLQtinAKUvso'
[Tue 15 Jun 2021 09:30:17 AM EDT] Please be aware that you prepend _acme-challenge. before your domain
[Tue 15 Jun 2021 09:30:17 AM EDT] so the resulting subdomain will be: _acme-challenge.www.floralencounters.com
[Tue 15 Jun 2021 09:30:17 AM EDT] Please add the TXT records to the domains, and re-run with --renew.
[Tue 15 Jun 2021 09:30:17 AM EDT] Please check log file for more details: /home/oracle/.acme.sh/acme.sh.log
[Tue 15 Jun 2021 09:30:17 AM EDT] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.




QUERY DNS FROM CORPORATE DATA CENTER
====================================

$[oracle@e1devent3] /home/oracle
-> nslookup
> server 96.235.134.178
Default server: 96.235.134.178
Address: 96.235.134.178#53
> set type=TXT
> _acme-challenge.floralencounters.com 
Server:         96.235.134.178
Address:        96.235.134.178#53

_acme-challenge.floralencounters.com    text = "R65NuuFu3k2IK18tOlJJ8Ii11ONlneBEFtaYa-Wa-Us"
> _acme-challenge.www.floralencounters.com
Server:         96.235.134.178
Address:        96.235.134.178#53

_acme-challenge.www.floralencounters.com        text = "gh0AkYR1rijEpI8CH28zK_YiuAlOvZgXLQtinAKUvso"

RENEW REQUEST #2
=================

oracle@vpn:~/.acme.sh$ acme.sh --renew -d floralencounters.com   -d www.floralencounters.com    --yes-I-know-dns-manual-mode-enough-go-ahead-please 
[Tue 15 Jun 2021 09:33:14 AM EDT] Renew: 'floralencounters.com'
[Tue 15 Jun 2021 09:33:16 AM EDT] Multi domain='DNS:floralencounters.com,DNS:www.floralencounters.com'
[Tue 15 Jun 2021 09:33:16 AM EDT] Getting domain auth token for each domain
[Tue 15 Jun 2021 09:33:16 AM EDT] Verifying: floralencounters.com
[Tue 15 Jun 2021 09:33:20 AM EDT] floralencounters.com:Verify error:Incorrect TXT record 
[Tue 15 Jun 2021 09:33:20 AM EDT] Please check log file for more details: /home/oracle/.acme.sh/acme.sh.log
[Tue 15 Jun 2021 09:33:21 AM EDT] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

Yes - first "renew" results in TXT record values being sent to me and the second one is supposed to validate against DNS.
That's how it's always worked previously.
(Turning on the --debug flag does not help - just lots of noise that might make sense to the script author but really sheds no light on why an "error" has happened.)

The TXT records shown above aren't the ones seen in the global DNS zone now.
Sounds like the script is failing and needs to be looked into.

1 Like

Do you mean the TXT record values I have entered in DNS are not the values that LE has in its system? Otherwise I don't know what you mean by "global DNS". (A simple DNS query that does NOT specifically target the authoritative DNS servers will quite likely return different TXT values because of caching/expiry-time issues.)

The latest values shown in this thread are not the ones seen in DNS right now.

2 Likes

Your own code/process shows the problem:

dns1.visualenc.com      internet address = 96.235.134.179
dns2.visualenc.com      internet address = 96.235.134.180

There must be a delay between when you update .178 and when .179/.180 update.

3 Likes
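The replies above did the useful thing by hand: query each nameserver from the NS set directly (not through a cache) for the `_acme-challenge` TXT record and compare it with the token the client printed in the *current* run. The script below automates that check as an added example; it is not code from the thread, from acme.sh or from Let's Encrypt, and it says nothing about how Let's Encrypt's own resolver treats a dead server. It speaks raw DNS over UDP with the standard library only (RD=0 so an authoritative server answers from its own zone, random transaction id, AA flag reported), treats a silent server as its own result rather than skipping it, and ships a constructed sample reply so the parser can be exercised offline. The names, token and IPs from the thread are used only as illustrative arguments.

```python
"""Pre-flight check for a dns-01 challenge: ask every authoritative
nameserver directly for the _acme-challenge TXT record and compare it
with the token the ACME client printed. Raw DNS over UDP, stdlib only.
Added example; not acme.sh or Let's Encrypt code."""
import secrets
import socket
import struct
import sys

TYPE_TXT, CLASS_IN = 16, 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def build_txt_query(name, txid):
    """DNS query for TXT <name>. Flags 0 (RD=0): we want the server's own data."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_IN)

def build_txt_response(query, txts, aa=True, rcode=0):
    """Constructed sample reply (what an authoritative server would send), used for
    offline testing; the answer name is a compression pointer to the question."""
    (txid,) = struct.unpack(">H", query[:2])
    flags = 0x8000 | (0x0400 if aa else 0) | rcode               # QR, AA, RCODE
    header = struct.pack(">HHHHHH", txid, flags, 1, len(txts), 0, 0)
    answers = b""
    for value in txts:
        raw = value.encode("ascii")
        rdata = struct.pack("B", len(raw)) + raw                  # one <len><chars> string
        answers += (b"\xc0\x0c"
                    + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 1799, len(rdata)) + rdata)
    return header + query[12:] + answers

def _read_name(data, offset):
    """Read a possibly-compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                                  # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_txt_response(data, txid):
    """Return {'rcode', 'aa', 'txt': [joined character-strings of each TXT RR]}."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    offset = 12
    for _ in range(qd):                                             # skip question section
        _, offset = _read_name(data, offset)
        offset += 4
    txts = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_TXT:
            pos, parts = 0, []
            while pos < rdlen:                                      # RDATA = sequence of <len><chars>
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii"))
                pos += 1 + n
            txts.append("".join(parts))
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400), "txt": txts}

def classify(resp, expected):
    """Compare one server's answer with the token the ACME client printed this run."""
    if resp["rcode"] != 0:
        return "rcode=%s" % RCODE_NAMES.get(resp["rcode"], resp["rcode"])
    if expected in resp["txt"]:
        return "ok" if resp["aa"] else "ok (but not authoritative)"
    return "mismatch: %r" % resp["txt"]

def query_txt(server, name, timeout=3.0):
    """Send one TXT query to <server> (IP or hostname) and parse the reply."""
    txid = secrets.randbelow(65536)                                 # reject blind spoofed replies
    query = build_txt_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data, txid)

def check_all_authoritative(name, expected, servers, timeout=3.0):
    """One verdict per server; a silent or unreachable server is reported, not skipped."""
    results = {}
    for server in servers:
        try:
            results[server] = classify(query_txt(server, name, timeout), expected)
        except OSError as exc:                                      # socket.timeout is an OSError
            results[server] = "no response (%s)" % exc
    return results

if __name__ == "__main__":
    # python3 check_acme_txt.py _acme-challenge.floralencounters.com <token> 96.235.134.179 96.235.134.180
    name, expected, servers = sys.argv[1], sys.argv[2], sys.argv[3:]
    for server, verdict in check_all_authoritative(name, expected, servers).items():
        print("%-16s %s" % (server, verdict))
```

Run it between the client printing the token and re-running the client, against every address the NS records point to; a "mismatch" line showing a value from an earlier attempt is exactly the stale-record situation described in this thread, and a "no response" line tells you which server the rest of the world cannot reach.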

dns2.visualenc.com is offline so it does not respond to a DNS query. A perfectly normal state of affairs. One has more than one DNS server just so failure of one does not matter.
Are you actually DEFINITIVELY stating that LE requires a correct response from ALL authoritative DNS servers, or are you just surmising that is the case?