DNSSEC with own SOA and acme2

rag · December 16, 2018, 2:06pm

I have 3 domains.
All three have their own zone for challenge.

zone _acme-challenge.example.net SOA IN SOA ns1.systron.de. info.systron.de. (
zone _acme-challenge.example.com SOA IN SOA ns1.systron.de. info.systron.de. (
zone _acme-challenge.systron.de SOA IN SOA ns1.systron.de. info.systron.de. (

systron.de has DNSSEC.

letsencrypt renewing works for example.net and example.com,
but not for systron.de.

letsdebug.net for systron.de shows me:

DNS response for _acme-challenge.systron.de had fatal DNSSEC issues: validation
failure <_acme-challenge.systron.de. TXT IN>: no signatures from 46.237.197.205

I like the way of seperating the zone in static and dynamic part.

Is there a solution for keeping my separation?

JuergenAuer · December 16, 2018, 4:04pm

Hi @rag

looks like the problem is solved. Letsdebug is green, same there:

rag · December 16, 2018, 4:19pm

Letsdebug is red.

TXTRecordError
Fatal

An error occurred while attempting to lookup the TXT record on _acme-challenge.systron.de . Any resolver errors that the Let’s Encrypt CA encounters on this record will cause certificate issuance to fail.

DNS response for _acme-challenge.systron.de had fatal DNSSEC issues: validation failure <_acme-challenge.systron.de. TXT IN>: no signatures from 46.237.197.205

JuergenAuer · December 16, 2018, 4:26pm

Ok, I've used the wrong validation method. But if you use DNSSEC, then fix these errors:

_acme-challenge.systron.de
	No DS records found for _acme-challenge.systron.de in the systron.de zone
	No DNSKEY records found
	No NSEC records in response
	No RRSIGs found

rag · December 16, 2018, 4:45pm

Why do Letsencrypt check domains on DNSSEC?

JuergenAuer · December 16, 2018, 4:54pm

Because the domain owner wants this.

Are you the domain owner of systron.de? Or why isn't it possible to add the required records?

schoen · December 16, 2018, 6:46pm

Exactly. For certificate authorities, not issuing certificates that shouldn't be issued is even more important than issuing certificates that should be issued. (That's ultimately what makes the certificates useful to the end users who visit sites.) So Let's Encrypt wants to use every source of information that can be checked automatically by machine that might help confirm whether the domain owner agrees with each certificate issuance request. DNSSEC is one source of information that can help confirm this, and in some cases help prevent the issuance of certificates that the domain owner didn't want.

rag · January 1, 2019, 1:30pm

I solved it. There are misconfigurations in my DNSSEC.
Thanks.

JuergenAuer · January 1, 2019, 1:35pm

Yep. Now your DNSSEC - configuration looks good.

system · January 31, 2019, 1:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DNS failing only for letsencrypt, but not others Help	6	2015	June 13, 2019
SERVFAIL looking up TXT (IDNA or DNSSEC issues?) Server	10	2590	January 30, 2019
Failed renewal [Solved: DNSSEC problem] Help	4	2332	June 7, 2017
Could not issue a Let's Encrypt SSL/TLS certificate Help	20	1332	December 16, 2020
DNS problem: SERVFAIL for DNSSEC signed domain Issuance Tech	9	6371	May 18, 2016

DNSSEC with own SOA and acme2

Related topics