Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: c3k.to
I ran this command: terraform apply -var-file=secrets.tfvars -var-file=redis-variables.tfvars
It produced this output: Error: error creating certificate: error: one or more domains had a problem:
│ [redis.c3k.to] time limit exceeded: last error: NS ns1.linode.com. returned SERVFAIL for _acme-challenge.redis.c3k.to.
│ [redislb.c3k.to] time limit exceeded: last error: NS ns2.linode.com. returned SERVFAIL for _acme-challenge.redislb.c3k.to.
My web server is (include version): N/A
The operating system my web server runs on is (include version): debian 10
My hosting provider, if applicable, is: not know
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A
Yes, I have been struggling with this issue for 2 days. I have a good internet connection, so I hope it's not related to the Internet. I have included more log details below for your reference. I was not able to create the certificate using either the Terraform template or the Ansible template.
Terraform Error Log :
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:15:53 [DEBUG] lego: [redislb.c3k.to] acme: Checking DNS record propagation using [8.8.8.8:53 1.1.1.1:53 ns1.linode.com:53]: timestamp=2021-11-11T19:15:53.378+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:19:53 [DEBUG] lego: Wait for propagation [timeout: 5m0s, interval: 4m0s]: timestamp=2021-11-11T19:19:53.379+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:19:55 [DEBUG] lego: [redislb.c3k.to] acme: Waiting for DNS record propagation.: timestamp=2021-11-11T19:19:55.718+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:23:56 [DEBUG] lego: [redislb.c3k.to] acme: Waiting for DNS record propagation.: timestamp=2021-11-11T19:23:56.811+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:27:56 [DEBUG] lego: [redis.c3k.to] acme: Cleaning DNS-01 challenge: timestamp=2021-11-11T19:27:56.816+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:28:00 [DEBUG] lego: [redislb.c3k.to] acme: Cleaning DNS-01 challenge: timestamp=2021-11-11T19:28:00.307+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:28:05 [DEBUG] lego: retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/48271652280 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0002OhExll0gaFI-0TW6aO-sOexSyIJ590hqrr8pSSN6Dxg": timestamp=2021-11-11T19:28:05.062+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:28:05 [DEBUG] lego: Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/48271652280: timestamp=2021-11-11T19:28:05.667+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:28:06 [DEBUG] lego: Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/48271652290: timestamp=2021-11-11T19:28:06.459+0530
Ansible Error :
    "Failed to validate challenge for dns:redissdb.c3k.to: Status is "invalid". Challenge dns-01: Error urn:ietf:params:acme:error:dns: "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.redissdb.c3k.to - check that a DNS record exists for this domain".",
    "other": {
        "authorization": {
            "challenges": [
                {
                    "error": {
                        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.redissdb.c3k.to - check that a DNS record exists for this domain",
                        "status": 400,
                        "type": "urn:ietf:params:acme:error:dns"
                    },
                    "status": "invalid",
                    "token": "IvbC4-WG-9QxenFofXSKl3smDyoExFjOs_5GSw_mN1I",
                    "type": "dns-01",
                    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/47730084980/F8e4_g",
                    "validated": "2021-11-09T19:32:29Z"
                }
            ],
            "expires": "2021-11-16T19:23:46Z",
            "identifier": {
                "type": "dns",
                "value": "redissdb.c3k.to"
            },
            "status": "invalid",
            "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/47730084980"
        },
        "identifier": "dns:redissdb.c3k.to"
    }
}
No, I have not made any changes. I will explain clearly below:
Terminal Error Message :
acme_certificate.certificate: Still creating... [24m20s elapsed]
acme_certificate.certificate: Still creating... [24m30s elapsed]
╷
│ Error: error creating certificate: error: one or more domains had a problem:
│ [redis.c3k.to] time limit exceeded: last error: NS ns1.linode.com. returned SERVFAIL for _acme-challenge.redis.c3k.to.
│ [redislb.c3k.to] time limit exceeded: last error: NS ns2.linode.com. returned SERVFAIL for _acme-challenge.redislb.c3k.to.
│
│
│ with acme_certificate.certificate,
│ on main.tf line 46, in resource "acme_certificate" "certificate":
│ 46: resource "acme_certificate" "certificate" {
│
Terraform Log (TF_LOG) :
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:03:37 [DEBUG] lego: [redislb.c3k.to] acme: Preparing to solve DNS-01: timestamp=2021-11-11T19:03:37.788+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:03:40 [DEBUG] lego: [redis.c3k.to] acme: Trying to solve DNS-01: timestamp=2021-11-11T19:03:40.796+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:03:40 [DEBUG] lego: [redis.c3k.to] acme: Checking DNS record propagation using [8.8.8.8:53 1.1.1.1:53 ns1.linode.com:53]: timestamp=2021-11-11T19:03:40.798+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:07:40 [DEBUG] lego: Wait for propagation [timeout: 5m0s, interval: 4m0s]: timestamp=2021-11-11T19:07:40.803+0530
From your end...
Your process should be able to communicate with your DNS servers [and edit your DNS zone].
Your process should be able to communicate with LE.
But there is no way for your system to know if LE can see your DNS servers (more than the error messages it can provide you).
You need to check that your process can update the TXT record first.
It seems that there are some records in there now.
Maybe the DNS zone can only hold a limited number of TXT records and simply needs to be emptied.
OR
Perhaps your DNS Service Provider (DSP) [Linode] has changed some things and the propagation/synchronization is taking longer than expected.
See these results:
ns1.linode.com
serial = 2021000168
ns2.linode.com
serial = 2021000168
ns3.linode.com
serial = 2021000169
ns4.linode.com
serial = 2021000170
ns5.linode.com
serial = 2021000170
Also working against you:
The domain registrar shows only ns1,ns2,ns3 [not all 5].
And those three are the ones with the lowest SOA record serial numbers.
[so their information is the furthest out of sync]
If you added all 5 DNS servers, then you would have some sort of chance of getting the right response [presuming that at least one of them does have the right response].
OR you could use ns3,ns4,ns5 [instead of ns1,ns2,ns3]; at least they seem to have newer information.
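The SOA serial comparison described in the reply above, as an added example that is not part of the original posts: it parses `dig +short SOA` answers from each nameserver, picks the newest serial using RFC 1982 serial arithmetic, and reports which registrar-delegated servers are behind. The function names are hypothetical, the serials are the ones quoted in the reply, and the remaining SOA fields in the sample are constructed placeholders.

```python
import subprocess

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if 32-bit serial a is newer than b."""
    return a != b and ((a - b) % 2**32) < 2**31

def parse_soa_serial(line):
    """`dig +short SOA` prints: mname rname serial refresh retry expire minimum."""
    fields = line.split()
    if len(fields) != 7 or not fields[2].isdigit():
        raise ValueError(f"not a SOA answer: {line!r}")
    return int(fields[2])

def query_soa(zone, nameserver):
    """Live lookup; needs dig and network access, so the sample below skips it."""
    out = subprocess.run(
        ["dig", "+short", "+norecurse", "SOA", zone, f"@{nameserver}"],
        capture_output=True, text=True, timeout=15, check=True).stdout.strip()
    if not out:
        raise RuntimeError(f"{nameserver} gave no SOA answer for {zone}")
    return out.splitlines()[0]

def sync_report(answers, delegated):
    """answers: {nameserver: SOA line}; delegated: NS names listed at the registrar."""
    serials = {ns: parse_soa_serial(line) for ns, line in answers.items()}
    newest = next(iter(serials.values()))
    for s in serials.values():
        if serial_gt(s, newest):
            newest = s
    stale = {ns for ns, s in serials.items() if s != newest}
    return {
        "newest": newest,
        "stale": sorted(stale),
        "stale_delegated": sorted(stale & set(delegated)),
        "current_not_delegated": sorted(set(serials) - stale - set(delegated)),
    }

# Serials as quoted in the reply; the other SOA fields are constructed placeholders.
SERIALS = {"ns1.linode.com": 2021000168, "ns2.linode.com": 2021000168,
           "ns3.linode.com": 2021000169, "ns4.linode.com": 2021000170,
           "ns5.linode.com": 2021000170}
SAMPLE = {ns: f"ns.example. hostmaster.example. {s} 14400 14400 1209600 86400"
          for ns, s in SERIALS.items()}
DELEGATED = ["ns1.linode.com", "ns2.linode.com", "ns3.linode.com"]

if __name__ == "__main__":
    for key, value in sync_report(SAMPLE, DELEGATED).items():
        print(f"{key}: {value}")
```

For a live check, build `answers` with `query_soa("c3k.to", ns)` for each nameserver instead of using `SAMPLE`.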
provider.terraform-provider-acme_v2.5.2: 2021/11/12 01:08:40 [DEBUG] lego: [redislb.c3k.to] acme: Trying to solve DNS-01: timestamp=2021-11-12T01:08:40.126+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/12 01:08:40 [DEBUG] lego: [redislb.c3k.to] acme: Checking DNS record propagation using [8.8.8.8:53 1.1.1.1:53 ns1.linode.com:53ns2.linode.com:53ns3.linode.com:53ns4.linode.com:53ns5.linode.com:53]: timestamp=2021-11-12T01:08:40.126+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/12 01:12:40 [DEBUG] lego: Wait for propagation [timeout: 5m0s, interval: 4m0s]: timestamp=2021-11-12T01:12:40.128+0530
Error: error creating certificate: error: one or more domains had a problem:
│ [redis.c3k.to] time limit exceeded: last error: NS ns3.linode.com. returned SERVFAIL for _acme-challenge.redis.c3k.to.
│ [redislb.c3k.to] time limit exceeded: last error: NS ns5.linode.com. returned SERVFAIL for _acme-challenge.redislb.c3k.to.
provider.terraform-provider-acme_v2.6.0: 2021/11/12 01:49:12 [DEBUG] lego: [redislb.c3k.to] acme: Checking DNS record propagation using [8.8.8.8:53 1.1.1.1:53 ns1.linode.com:53ns2.linode.com:53ns3.linode.com:53ns4.linode.com:53ns5.linode.com:53]: timestamp=2021-11-12T01:49:12.213+0530
provider.terraform-provider-acme_v2.6.0: 2021/11/12 01:53:12 [DEBUG] lego: Wait for propagation [timeout: 5m0s, interval: 4m0s]: timestamp=2021-11-12T01:53:12.222+0530
provider.terraform-provider-acme_v2.6.0: 2021/11/12 01:53:16 [DEBUG] lego: [redislb.c3k.to] acme: Waiting for DNS record propagation.: timestamp=2021-11-12T01:53:16.511+0530
Error: error creating certificate: error: one or more domains had a problem:
│ [redis.c3k.to] time limit exceeded: last error: NS ns2.linode.com. returned SERVFAIL for _acme-challenge.redis.c3k.to.
│ [redislb.c3k.to] time limit exceeded: last error: NS ns2.linode.com. returned SERVFAIL for _acme-challenge.redislb.c3k.to.
│