This was all working up until recently. Nothing has changed on our end. I’m trying to do DNS-01 validation. We’re using CNAMEs to point to the correct TXT records in DNS. Here’s what a DNS query for the records returns while the validation is pending:
[root@apptest-519 ssl]# dig TXT _acme-challenge.rhcs.wichita.edu
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> TXT _acme-challenge.rhcs.wichita.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33336
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;_acme-challenge.rhcs.wichita.edu. IN TXT
;; ANSWER SECTION:
_acme-challenge.rhcs.wichita.edu. 28800 IN CNAME rhcs._acme-challenge.wichita.edu.
rhcs._acme-challenge.wichita.edu. 600 IN TXT "de7EhnaH_8rUEw-YCEDjrmGVXzvmEgJgulEqborzc0E"
;; AUTHORITY SECTION:
_acme-challenge.wichita.edu. 86400 IN NS elbert.wichita.edu.
_acme-challenge.wichita.edu. 86400 IN NS princeton.wichita.edu.
;; ADDITIONAL SECTION:
elbert.wichita.edu. 28800 IN A 156.26.1.1
princeton.wichita.edu. 28800 IN A 156.26.1.30
;; Query time: 1 msec
;; SERVER: 156.26.1.1#53(156.26.1.1)
;; WHEN: Fri Jun 8 08:22:28 2018
;; MSG SIZE rcvd: 218
I’m just not sure what changed. This totally worked weeks earlier… any clues?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: rhcs.wichita.edu
I ran this command: getssl -d -U -f -w /etc/httpd/ssl rhcs.wichita.edu
It produced this output:
HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Requester: 6244772
Link: https://acme-staging.api.letsencrypt.org/acme/authz/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831
Replay-Nonce: 5gXMrbbDB2BKG2tzsQB3Vn7ZZ4zny_G9YbJoplOuJgQ
Expires: Fri, 08 Jun 2018 13:20:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 08 Jun 2018 13:20:44 GMT
Connection: keep-alive
response {
  "type": "dns-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831",
  "token": "2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo",
  "keyAuthorization": "2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo.fB04mIXoa7xkUgo58idRcN45eybMb3cd2SZpjrjERSA"
}
code 202
response status =
checking
response {
  "type": "dns-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831",
  "token": "2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo",
  "keyAuthorization": "2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo.fB04mIXoa7xkUgo58idRcN45eybMb3cd2SZpjrjERSA"
}
code pending
get_cr return code 0
Pending
sleep 5 secs before testing verify again
checking
response {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rhcs.wichita.edu",
    "status": 400
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hf4BBBXT2Zoh0a3l_0qBrGp4cH03ywdabZK7iUxLbok/134062831",
  "token": "2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo",
  "keyAuthorization": "2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo.fB04mIXoa7xkUgo58idRcN45eybMb3cd2SZpjrjERSA",
  "validationRecord": [
    {
      "hostname": "rhcs.wichita.edu"
}
]
}
code invalid
get_cr return code 0
getssl: rhcs.wichita.edu:Verify error: "DNS problem
attempting to clean up DNS entry for rhcs.wichita.edu
My web server is (include version): Apache 2.2
The operating system my web server runs on is (include version): RHEL 6
My hosting provider, if applicable, is: Self-hosting.
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.
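Added example (not part of the original post, and not getssl's or Boulder's own code): an offline model of what a DNS-01 validator does with the records shown above. The validator follows the CNAME from _acme-challenge.<domain> to wherever it points, reads the TXT there, and compares it with base64url(SHA-256(keyAuthorization)) without padding, per RFC 8555 section 8.4. The zone table below is a constructed snapshot modelled on the dig output in the post; the TXT value in it is computed from the posted keyAuthorization, not copied from the dig answer. One caveat worth checking before anything else: the dig in the post was answered authoritatively (flag aa) by 156.26.1.1, which is one of the delegated nameservers for _acme-challenge.wichita.edu, and was run from inside the network. Let's Encrypt resolves from the public internet, so the equivalent external check is `dig +noall +answer TXT rhcs._acme-challenge.wichita.edu @elbert.wichita.edu` (and again against princeton.wichita.edu) from a host outside the campus; a record visible only to an internal view produces exactly the NXDOMAIN the CA reported.

```python
"""Offline model of a DNS-01 check (added example, not Let's Encrypt code)."""
import base64
import hashlib

# keyAuthorization copied from the getssl output above; everything derived
# from it below is computed here, not taken from the CA.
KEY_AUTH = ("2VqW9DBCyKbRSVg-G2T7RPLpR69f2OWAt-3obQFqwLo."
            "fB04mIXoa7xkUgo58idRcN45eybMb3cd2SZpjrjERSA")


def expected_txt(key_authorization: str) -> str:
    """RFC 8555 s.8.4: TXT RDATA = base64url(SHA-256(keyAuthorization)), no '='."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed zone snapshot modelled on the dig output in the post: the
# _acme-challenge name is a CNAME into the delegated _acme-challenge.wichita.edu
# zone, and the TXT lives at the CNAME target.
ZONE = {
    "_acme-challenge.rhcs.wichita.edu.": ("CNAME", "rhcs._acme-challenge.wichita.edu."),
    "rhcs._acme-challenge.wichita.edu.": ("TXT", expected_txt(KEY_AUTH)),
}


def lookup_txt(zone: dict, name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs like a resolver and return the TXT string at the end.

    Raises LookupError with a Boulder-style detail when a name in the chain
    does not exist (NXDOMAIN) or the chain is too long.
    """
    queried = name.rstrip(".")
    for _ in range(max_hops):
        rr = zone.get(name.lower())
        if rr is None:
            raise LookupError(f"DNS problem: NXDOMAIN looking up TXT for {queried}")
        rtype, rdata = rr
        if rtype == "CNAME":
            name = rdata          # keep following the alias chain
            continue
        if rtype == "TXT":
            return rdata
        raise LookupError(f"no TXT record at {name}")
    raise LookupError(f"CNAME chain too long starting at {queried}")


def validate_dns01(zone: dict, domain: str, key_authorization: str) -> dict:
    """Return a challenge-like dict: status 'valid' or 'invalid' with an error."""
    want = expected_txt(key_authorization)
    try:
        got = lookup_txt(zone, f"_acme-challenge.{domain}.")
    except LookupError as exc:
        return {"type": "dns-01", "status": "invalid",
                "error": {"type": "urn:acme:error:dns", "detail": str(exc), "status": 400}}
    if got != want:
        return {"type": "dns-01", "status": "invalid",
                "error": {"type": "urn:acme:error:unauthorized",
                          "detail": f"Incorrect TXT record {got!r} found at _acme-challenge.{domain}",
                          "status": 403}}
    return {"type": "dns-01", "status": "valid"}


if __name__ == "__main__":
    # Record present in the view we query: passes.
    print(validate_dns01(ZONE, "rhcs.wichita.edu", KEY_AUTH))
    # Same zone as seen from a view where the delegated name is absent: NXDOMAIN,
    # which is the message the CA reported in the post.
    outside_view = {k: v for k, v in ZONE.items() if not k.startswith("rhcs._acme")}
    print(validate_dns01(outside_view, "rhcs.wichita.edu", KEY_AUTH))
```

The second call shows why the internal dig and the CA can disagree: the CNAME itself resolves, but the target name does not exist in the view the CA reaches, so the error names the original _acme-challenge name even though the missing record is the one behind the CNAME.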