DNS Server Does Not Support echo capitalization - Boulder Unable to Resolve IP

My domain is:

https://static.orzorc.space

I ran this command:

 sudo letsencrypt renew

It produced this output:

Processing /etc/letsencrypt/renewal/static.orzorc.space.conf
2017-05-03 20:26:28,891:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/static.orzorc.space.conf produced an unexpected error: Failed authorization procedure. static.orzorc.space (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for static.orzorc.space. Skipping.

dig command:

$ dig static.orzorc.space A

; <<>> DiG 9.10.3-P4-Ubuntu <<>> static.orzorc.space A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;static.orzorc.space. 		IN     	A

;; ANSWER SECTION:
static.orzorc.space.  	30     	IN     	A      	119.131.107.26

;; Query time: 83 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed May 03 20:57:30 CST 2017
;; MSG SIZE  rcvd: 65

I have some other sites with the same issue so I ignore them in this post.
Really need help because they will expire in 10 days.

Hi @orzorc,

Did you change the dns servers used since the last issued certificate?.

If the answer is no, that is very strange, if the answer is yes could be because your dns servers doesn’t answer in a case sensitive way to the dns questions.

I mean, Let’s Encrypt boulder tries to resolve your domain but capitalizing some random letters, instead of static.orzorc.space it will try something like sTtatiC.orZOrc.SpAce and your dns servers should answer to that question and the answer should provide the same name.

What boulder expects (pay attention to QUESTION and ANSWER sections):

$ dig @ns1.oray.net sTatiC.ORzorc.sPAce

; <<>> DiG 9.9.7 <<>> @ns1.oray.net sTatiC.ORzorc.sPAce
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59998
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sTatiC.ORzorc.sPAce.           IN      A

;; ANSWER SECTION:
sTatiC.ORzorc.sPAce.    60      IN      A       119.131.107.26

;; Query time: 437 msec
;; SERVER: 115.29.234.127#53(115.29.234.127)
;; WHEN: mi. may. 03 16:38:04 RDT 2017
;; MSG SIZE  rcvd: 53

What your dns servers answer:

$ dig @ns1.oray.net sTatiC.ORzorc.sPAce

; <<>> DiG 9.9.7 <<>> @ns1.oray.net sTatiC.ORzorc.sPAce
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59998
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;static.orzorc.space.           IN      A

;; ANSWER SECTION:
static.orzorc.space.    60      IN      A       119.131.107.26

;; Query time: 437 msec
;; SERVER: 115.29.234.127#53(115.29.234.127)
;; WHEN: mi. may. 03 16:38:04 RDT 2017
;; MSG SIZE  rcvd: 53

Also, your servers don’t answer to TCP queries:

$ dig @ns1.oray.net sTatiC.ORzorc.sPAce +tcp

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @ns1.oray.net sTatiC.ORzorc.sPAce +tcp
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

And one of the ips of ns2.oray.net times out randomly (at least from my side):

$ dig @103.44.145.243 sTatiC.ORzorc.sPAce

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @103.44.145.243 sTatiC.ORzorc.sPAce
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I don’t know if any of these issues is the root cause of your problem, maybe @jsha or @cpu could check what is the actual problem but seems your DNS servers are not working pretty fine.

Cheers,
sahsanu

1 Like

@sahsanu is correct. If your DNS server does not echo capitalization of input, our DNS resolver will reject the result. See https://tools.ietf.org/id/draft-vixie-dnsext-dns0x20-00.txt for why that is.

1 Like

@sahsanu @jsha Thanks for your help.
After inquiring my DNS server holder, I think that they may refuse to solve the issue because they think they have done their job resolving the URL to IP and my site is indeed reachable from URL.
So, Is there any other way to renew my certifications?

I’m afraid you’ll have to switch DNS providers. The DNS 0x20 technique (i.e. requiring authoritative resolvers to echo capitalization) has been a common technique to increase the security of DNS resolution for many years. If your provider doesn’t echo capitalization, most likely they are not correctly resolving your hostname for the many people whose ISPs use DNS 0x20, so it would be a good idea to switch anyhow.

It would be good to know what DNS server software your provider uses, so we could file an issue with the authors to fix this bug.

Thanks,
Jacob

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.