DNS validation failing, worked previously

This was all working up until recently. Nothing has changed on our end. I’m trying to do DNS-01 validation. We’re using CNAMES to point to the correct TXT records in DNS. Here’s what a DNS query for the records returns while the validation is pending:

[root@apptest-519 ssl]# dig TXT _acme-challenge.rhcs.wichita.edu

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> TXT _acme-challenge.rhcs.wichita.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33336
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_acme-challenge.rhcs.wichita.edu. IN TXT

;; ANSWER SECTION:
_acme-challenge.rhcs.wichita.edu. 28800 IN CNAME rhcs._acme-challenge.wichita.edu.
rhcs._acme-challenge.wichita.edu. 600 IN TXT “de7EhnaH_8rUEw-YCEDjrmGVXzvmEgJgulEqborzc0E”

;; AUTHORITY SECTION:
_acme-challenge.wichita.edu. 86400 IN NS elbert.wichita.edu.
_acme-challenge.wichita.edu. 86400 IN NS princeton.wichita.edu.

;; ADDITIONAL SECTION:
elbert.wichita.edu. 28800 IN A 156.26.1.1
princeton.wichita.edu. 28800 IN A 156.26.1.30

;; Query time: 1 msec
;; SERVER: 156.26.1.1#53(156.26.1.1)
;; WHEN: Fri Jun 8 08:22:28 2018
;; MSG SIZE rcvd: 218

I’m just not sure what changed. This totally worked weeks earlier… any clues?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rhcs.wichita.edu

I ran this command: getssl -d -U -f -w /etc/httpd/ssl rhcs.wichita.edu

It produced this output:

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Requester: 6244772
Link: https://acme-staging.api.letsencrypt.org/acme/authz/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok;rel=“up”
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831
Replay-Nonce: 5gXMrbbDB2BKG2tzsQB3Vn7ZZ4zny_G9YbJoplOuJgQ
Expires: Fri, 08 Jun 2018 13:20:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 08 Jun 2018 13:20:44 GMT
Connection: keep-alive

response {
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831”,
“token”: “2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo”,
“keyAuthorization”: “2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo.fB04mIXoa7xkUgo58idRcN45eybMb3cd2SZpjrjERSA”
}

code 202

response status =

checking

url https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831

response {
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831”,
“token”: “2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo”,
“keyAuthorization”: “2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo.fB04mIXoa7xkUgo58idRcN45eybMb3cd2SZpjrjERSA”
}

code pending

get_cr return code 0
Pending

sleep 5 secs before testing verify again

checking

url https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831

response {
“type”: “dns-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:dns”,
“detail”: “DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rhcs.wichita.edu”,
“status”: 400
},
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831”,
“token”: “2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo”,
“keyAuthorization”: “2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo.fB04mIXoa7xkUgo58idRcN45eybMb3cd2SZpjrjERSA”,
“validationRecord”: [
{
“hostname”: “rhcs.wichita.edu”
}
]
}

code invalid

get_cr return code 0
getssl: rhcs.wichita.edu:Verify error: "DNS problem

attempting to clean up DNS entry for rhcs.wichita.edu

My web server is (include version): Apache 2.2

The operating system my web server runs on is (include version): RHEL 6

My hosting provider, if applicable, is: Self-hosting.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The wichita.edu zone is missing a delegation to the _acme-challenge.wichita.edu zone.

http://dnsviz.net/d/_acme-challenge.wichita.edu/WxqEHQ/dnssec/

$ dig +norecurse _acme-challenge.wichita.edu @kic.kanren.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse _acme-challenge.wichita.edu @kic.kanren.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53026
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.wichita.edu.   IN      A

;; AUTHORITY SECTION:
wichita.edu.            600     IN      SOA     elbert.wichita.edu. hostmaster.wichita.edu. 2018060703 7200 3600 12096000 600

;; Query time: 31 msec
;; SERVER: 2001:49d0:2003:f000::5#53(2001:49d0:2003:f000::5)
;; WHEN: Fri Jun 08 13:29:33 UTC 2018
;; MSG SIZE  rcvd: 110

Need to add the NS records to the wichita.edu zone so resolvers can reliably find _acme-challenge.wichita.edu.

2 Likes

Well… the client I’m using (getssl) allows me to specify which DNS servers I want the ACME servers to query, and I specifically excluded the “kanren.net” servers and are just pointing to our internal servers elbert and princeton… and this has worked for me in the past.

An ACME client can't control which servers Let's Encrypt will query. Let's Encrypt uses a recursive DNS server that's controlled only by the DNS.

It will work around half the time, depending on luck. The NS records need to be correct for it to work all the time.

Well… that’s really strange. Mainly because if it should work 50% of the time… I’m REALLY unlucky… because after probably 20 attempts… I haven’t had it succeed yet. I’ll look at the delegation.

Well, when you’re right, you’re right. This solved it for me. And the getssl client DOES allow me to specify the DNS servers… but, that’s only for its own local validation that is performed before it sends the request to the acme servers. It was rather stupid of me to assume the other. sigh

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.