DNS validation not working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: in.jfarjona.com

I ran this command:
certbot certonly --dns-rfc2136 --dns-rfc2136-propagation-seconds 60 --dns-rfc2136-credentials "/etc/letsencrypt/dns.ini" -d "beethoven.jfarjona.com,beethoven.in.jfarjona.com,credit.jfarjona.com,credit.in.jfarjona.com,dyn.jfarjona.com,erp.in.jfarjona.com,erp.jfarjona.com,musike.jfarjona.com,musike.in.jfarjona.com,plex.jfarjona.com,plex.in.jfarjona.com,uploads.jfarjona.com,kimai.jfarjona.com,kimai.in.jfarjona.com,uploads.in.jfarjona.com,crm.jfarjona.com,crm.in.jfarjona.com"

It produced this output:
Plugins selected: Authenticator dns-rfc2136, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for beethoven.jfarjona.com and 16 more domains
Performing the following challenges:
dns-01 challenge for beethoven.in.jfarjona.com
dns-01 challenge for beethoven.jfarjona.com
dns-01 challenge for credit.in.jfarjona.com
dns-01 challenge for crm.in.jfarjona.com
dns-01 challenge for erp.in.jfarjona.com
dns-01 challenge for kimai.in.jfarjona.com
dns-01 challenge for musike.in.jfarjona.com
dns-01 challenge for plex.in.jfarjona.com
dns-01 challenge for uploads.in.jfarjona.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain beethoven.in.jfarjona.com
Challenge failed for domain beethoven.jfarjona.com
Challenge failed for domain credit.in.jfarjona.com
Challenge failed for domain crm.in.jfarjona.com
Challenge failed for domain erp.in.jfarjona.com
Challenge failed for domain kimai.in.jfarjona.com
Challenge failed for domain musike.in.jfarjona.com
Challenge failed for domain plex.in.jfarjona.com
Challenge failed for domain uploads.in.jfarjona.com
dns-01 challenge for beethoven.in.jfarjona.com
dns-01 challenge for beethoven.jfarjona.com
dns-01 challenge for credit.in.jfarjona.com
dns-01 challenge for crm.in.jfarjona.com
dns-01 challenge for erp.in.jfarjona.com
dns-01 challenge for kimai.in.jfarjona.com
dns-01 challenge for musike.in.jfarjona.com
dns-01 challenge for plex.in.jfarjona.com
dns-01 challenge for uploads.in.jfarjona.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: beethoven.in.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.beethoven.in.jfarjona.com - the domain's
    nameservers may be malfunctioning

    Domain: beethoven.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up CAA for
    beethoven.jfarjona.com - the domain's nameservers may be
    malfunctioning

    Domain: credit.in.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.credit.in.jfarjona.com - the domain's nameservers
    may be malfunctioning

    Domain: crm.in.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.crm.in.jfarjona.com - the domain's nameservers may
    be malfunctioning

    Domain: erp.in.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.erp.in.jfarjona.com - the domain's nameservers may
    be malfunctioning

    Domain: kimai.in.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.kimai.in.jfarjona.com - the domain's nameservers
    may be malfunctioning

    Domain: musike.in.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.musike.in.jfarjona.com - the domain's nameservers
    may be malfunctioning

    Domain: plex.in.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.plex.in.jfarjona.com - the domain's nameservers may
    be malfunctioning

    Domain: uploads.in.jfarjona.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.uploads.in.jfarjona.com - the domain's nameservers
    may be malfunctioning

My web server is (include version): N/A

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

I sniffed my network interface and the response to all queries was positive:

...
23:33:09.499088 IP 54.71.40.132.15105 > 172.16.2.66.53: 43603% [1au] TXT? _AcMe-ChaLLeNgE.KImAi.In.JFaRJONa.cOm. (66)
23:33:09.499298 IP 172.16.2.66.53 > 54.71.40.132.15105: 43603*- 2/0/1 TXT "9uj8yeBd5-TxrYYyL07N1xQfWHiMO0mXJN6-UWRKcpM", RRSIG (270)
23:33:09.513409 IP 54.218.17.193.28219 > 172.16.2.66.53: 13617% [1au] TXT? _acMe-chalLeNGE.plEx.iN.jFARjona.cOM. (65)
23:33:09.513709 IP 172.16.2.66.53 > 54.218.17.193.28219: 13617*- 2/0/1 TXT "E4vXKzoaBPQeRaoHutPdKzRgO8OnjVXDMELvCE86O3E", RRSIG (268)
23:33:09.524592 IP 23.178.112.205.21205 > 172.16.2.66.53: 60207% [1au] Type257? IN.JfarJona.CoM. (44)
23:33:09.524894 IP 172.16.2.66.53 > 23.178.112.205.21205: 60207*- 0/4/1 (372)
....

Same goes for all sub-domains; I don't want to pollute the thread. The DNS server is answering the TXT query correctly, but Let's Encrypt is not getting it. Is there a bug?

Thanks,

Juan

Looks like your DNSSEC is misconfigured:

https://dnsviz.net/d/_acme-challenge.beethoven.in.jfarjona.com/dnssec/

You may also find unboundtest helpful; it's a DNS resolver configured similarly to how Let's Encrypt's is configured:

https://unboundtest.com/m/TXT/_acme-challenge.beethoven.in.jfarjona.com/P4KSEIP4

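A quick way to confirm Peter's diagnosis from your own machine, as an added example that is neither the thread's nor Certbot's code: ask a DNSSEC-validating resolver the same question twice, once normally and once with the CD (checking disabled) bit set, and classify the pair of answers. The resolver address is an assumption and the two dig outputs are constructed samples, not real captures.

```python
import re

# Added example. A SERVFAIL from a validating resolver while the
# authoritative server answers fine (as the tcpdump capture shows, TXT plus
# RRSIG) points at the validation step, not at the nameservers themselves.


def dig_commands(name, rtype="TXT", resolver="1.1.1.1"):
    """The two dig(1) calls to run by hand. Assumed resolver: any public
    validating one. Repeat with rtype="CAA": the Type257 query in the
    capture is CAA, and the ACME server walks CAA up the tree too."""
    base = f"dig @{resolver} {name} {rtype} +dnssec +noall +comments +answer"
    return [base, base + " +cd"]


def parse_dig(output):
    """Pull rcode, header flags and RRSIG presence out of dig's text output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"flags: ([a-z ]+);", output)
    flag_set = set(flags.group(1).split()) if flags else set()
    return {
        "rcode": status.group(1) if status else None,
        "ad": "ad" in flag_set,                          # resolver validated it
        "rrsig": bool(re.search(r"\sRRSIG\s", output)),  # signatures returned
    }


def diagnose(normal, cd):
    """Classify from the normal answer and the checking-disabled answer."""
    if normal["rcode"] == "NOERROR":
        return "validated" if normal["ad"] else "unsigned-ok"
    if normal["rcode"] == "SERVFAIL" and cd["rcode"] == "NOERROR":
        # Data exists but the chain of trust rejects it (bad or expired
        # RRSIGs, or a parent DS that matches none of the zone's keys).
        # No RRSIG even with +cd: the parent publishes a DS for an unsigned zone.
        return "dnssec-bogus" if cd["rrsig"] else "dnssec-ds-without-signatures"
    if normal["rcode"] == "SERVFAIL" and cd["rcode"] == "SERVFAIL":
        return "nameservers-unreachable"  # the genuinely malfunctioning case
    return "unknown"


# Constructed dig output for illustration, not a real capture.
NORMAL_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CD_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_acme-challenge.example.com. 60 IN TXT "constructed-token"
_acme-challenge.example.com. 60 IN RRSIG TXT 13 3 60 20240201 20240101 1 example.com. AA==
"""

if __name__ == "__main__":
    print(dig_commands("_acme-challenge.beethoven.in.jfarjona.com"))
    print(diagnose(parse_dig(NORMAL_SAMPLE), parse_dig(CD_SAMPLE)))  # dnssec-bogus
```

Run the two printed dig commands against your zone; if only the `+cd` one returns NOERROR, fix the DS/DNSKEY chain (dnsviz shows where it breaks) rather than the nameserver.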

Great! Thanks Peter.
