Error urn:ietf:params:acme:error:dns

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: webtest.0hi.me

I ran this command: winacme using dns-01 validation (manual)

It produced this output:


[webtest.0hi.me] Authorizing...
[webtest.0hi.me] Authorizing using dns-01 validation (Manual)

 Domain:             webtest.0hi.me
 Record:             txtwebtest.api.fran.id
 Type:               TXT
 Content:            "gKl_J0i23-palnYt-eN_-1L42frjiHnB3AQMPvt9jfo"
 Note:               Some DNS managers add quotes automatically. A single set
                     is needed.

 Please press <Enter> after you've created and verified the record

 [webtest.0hi.me] Preliminary validation succeeded
 [webtest.0hi.me] Preliminary validation succeeded
 First chance error calling into ACME server, retrying with new nonce...
 [webtest.0hi.me] Authorization result: invalid
 [webtest.0hi.me] {
  "type": "urn:ietf:params:acme:error:dns",
  "detail": "DNS problem: query timed out looking up TXT for _acme-challenge.webtest.0hi.me",
  "status": 400
}

 Domain:             webtest.0hi.me
 Record:             txtwebtest.api.fran.id
 Type:               TXT
 Content:            "gKl_J0i23-palnYt-eN_-1L42frjiHnB3AQMPvt9jfo"

My hosting provider, if applicable, is: 0hi.me

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): winacme v2.1.20.1185 (x64, ReleasePluggable)

Everything was running as usual until yesterday when i couldn't create a new certificate. i don't know what to do. please help me. thank you

1 Like

Your DNS setup has some issues. please see for example:

https://dnsviz.net/d/_acme-challenge.webtest.0hi.me/dnssec/

Please fix these issues and try again.

2 Likes

as i already said, it all worked until yesterday.
i don't think that error has anything to do with this :frowning:

is there no other way? thank you

edit: 0hi.me has cname in the apex, and that's intentional

1 Like

I see a DNS error from the Let's Encrypt server and I see an error at the DNS checker site. They're probably related I'd think.

3 Likes

There's no other way; your DNS needs to be accessible for Let's Encrypt to be able to issue you a certificate. (It also has to be accessible for your users to be able to access your site, too.)

3 Likes

ah, so there is no other way?
thank you. 0hi.me can no longer issue let's encrypt :frowning:

1 Like

It probably has more issues than that: most likely some (but not all) regular users also have trouble visiting the site due to DNS issues.

3 Likes

Root authoritative DNS servers for .me. are:

me      nameserver = a0.nic.me
me      nameserver = a2.nic.me
me      nameserver = b0.nic.me
me      nameserver = b2.nic.me
me      nameserver = c0.nic.me

When asked for the NS records for 0hi.me they say:

0hi.me  nameserver = emilia-sama-you-are-my-queen-a1.5rt.net
0hi.me  nameserver = emilia-sama-you-are-my-queen-a2.5rt.net
0hi.me  nameserver = emilia-sama-you-are-my-queen-a3.5rt.net
0hi.me  nameserver = emilia-sama-you-are-my-queen-a4.5rt.net
0hi.me  nameserver = emilia-sama-you-are-my-queen-a5.5rt.net

When any of those are asked for the NS entries they say:
0hi.me canonical name = 0hi.me.cdn.cloudflare.net
[Because: 0hi.me does an apex CNAME to 0hi.me.cdn.cloudflare.net]
[complete delegation - from this point forward there is no further requests on 0hi.me]
So, we continue our search for your NS records.
But...
0hi.me.cdn.cloudflare.net doesn't list any NS entries.
me.cdn.cloudflare.net doesn't list any NS entries.
cdn.cloudflare.net doesn't list any NS entries.
cloudflare.net lists NS:

cloudflare.net  nameserver = ns1.cloudflare.net
cloudflare.net  nameserver = ns2.cloudflare.net
cloudflare.net  nameserver = ns3.cloudflare.net
cloudflare.net  nameserver = ns4.cloudflare.net
cloudflare.net  nameserver = ns5.cloudflare.net

None of which know anything about any NS entries for 0hi.me.cdn.cloudflare.net
Sure, they do know about the NS for 0hi.me, but the CNAME killed that request.
Everyone is now looking for 0hi.me.cdn.cloudflare.net and no one knows where that is.

3 Likes

thanks for the replies from all of you.
i know the exact configuration of my DNS, starting from the advantages and disadvantages. you guys seem to think SSL/TLS issuance never works. it works, but since yesterday i can't anymore. i just wanted to know if there was something happening on your side, but never mind.

thank you for the help.

note: do you know unboundtest.com ? i used to test my TXT records there https://unboundtest.com/m/TXT/_acme-challenge.webtest.0hi.me/WUHXOIWS

2 Likes

I don't know, nor think anything about, such issuance(s).
What I do know is that if one follows from the root DNS zone ("."), the answer to "What is the TXT record for _acme-challenge.0hi.me?" can't be answered.

2 Likes

emilia-sama-you-are-my-queen-a1.5rt.net 185.27.134.7
emilia-sama-you-are-my-queen-a2.5rt.net 198.251.86.154
emilia-sama-you-are-my-queen-a3.5rt.net 198.251.86.154
emilia-sama-you-are-my-queen-a4.5rt.net 198.251.86.154
emilia-sama-you-are-my-queen-a5.5rt.net 205.185.118.176

Do you see a problem?

1 Like

More inconsistency:

nslookup emilia-sama-you-are-my-queen-a1.5rt.net emilia-sama-you-are-my-queen-a1.5rt.net
Name:   emilia-sama-you-are-my-queen-a1.5rt.net
Address: 185.27.134.7

nslookup emilia-sama-you-are-my-queen-a2.5rt.net emilia-sama-you-are-my-queen-a2.5rt.net
** server can't find emilia-sama-you-are-my-queen-a2.5rt.net: REFUSED

nslookup emilia-sama-you-are-my-queen-a3.5rt.net emilia-sama-you-are-my-queen-a3.5rt.net
** server can't find emilia-sama-you-are-my-queen-a3.5rt.net: REFUSED

nslookup emilia-sama-you-are-my-queen-a4.5rt.net emilia-sama-you-are-my-queen-a4.5rt.net
** server can't find emilia-sama-you-are-my-queen-a4.5rt.net: REFUSED

nslookup emilia-sama-you-are-my-queen-a5.5rt.net emilia-sama-you-are-my-queen-a5.5rt.net
** server can't find emilia-sama-you-are-my-queen-a5.5rt.net: REFUSED

1 Like
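The two posts above (the address list and the per-server nslookup results) show why a recursive check such as unboundtest passing once is not enough: the CA's resolver may hand the `_acme-challenge` TXT query to any of the five listed nameservers, and four of them refuse. The script below is an added example, not winacme's, Let's Encrypt's or the thread participants' code; it is the check a practitioner would run before pressing Enter in the client. It queries every authoritative nameserver individually and treats REFUSED, SERVFAIL, a timeout or a missing token from any of them as "not ready", and it separately flags NS names that share one address (no real redundancy). The nameserver names, addresses and token are taken from the thread; the responses are constructed to mirror the nslookup output, and `fake_query` is a stand-in for a real lookup (for live use swap in e.g. dnspython, sending the query to each nameserver's address).

```python
"""Per-nameserver dns-01 readiness check (added example, not project code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Answer:
    rcode: str                          # NOERROR, NXDOMAIN, REFUSED, SERVFAIL, TIMEOUT
    txt: List[str] = field(default_factory=list)  # TXT strings returned, if any

QueryFn = Callable[[str, str], Answer]  # (nameserver_ip, qname) -> Answer

# Data from the thread: five NS names for 0hi.me and the addresses they resolve to.
NS_ADDRESSES: Dict[str, str] = {
    "emilia-sama-you-are-my-queen-a1.5rt.net": "185.27.134.7",
    "emilia-sama-you-are-my-queen-a2.5rt.net": "198.251.86.154",
    "emilia-sama-you-are-my-queen-a3.5rt.net": "198.251.86.154",
    "emilia-sama-you-are-my-queen-a4.5rt.net": "198.251.86.154",
    "emilia-sama-you-are-my-queen-a5.5rt.net": "205.185.118.176",
}
CHALLENGE_NAME = "_acme-challenge.webtest.0hi.me"
EXPECTED_TOKEN = "gKl_J0i23-palnYt-eN_-1L42frjiHnB3AQMPvt9jfo"  # token shown in the thread

def fake_query(ns_ip: str, qname: str) -> Answer:
    """Constructed responses modelled on the nslookup output: only the a1 host
    answers for the zone; every other address refuses (stand-in for a real query)."""
    if ns_ip == "185.27.134.7" and qname == CHALLENGE_NAME:
        return Answer("NOERROR", [EXPECTED_TOKEN])
    return Answer("REFUSED")

def duplicate_addresses(ns_addresses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map address -> NS names for any address used by more than one NS name.
    Several NS names on one host give the appearance of redundancy without it."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for name, ip in ns_addresses.items():
        by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}

def check_challenge(ns_addresses: Dict[str, str], qname: str, expected_token: str,
                    query: QueryFn = fake_query) -> Dict[str, str]:
    """Ask every authoritative nameserver for the challenge TXT record.
    Returns {ns_name: problem}; an empty dict means every server is ready."""
    problems: Dict[str, str] = {}
    for name, ip in ns_addresses.items():
        ans = query(ip, qname)
        if ans.rcode != "NOERROR":
            problems[name] = f"rcode {ans.rcode} from {ip}"
        elif expected_token not in ans.txt:
            problems[name] = f"TXT answered by {ip} but token missing: {ans.txt}"
    return problems

def ready_for_dns01(ns_addresses: Dict[str, str], qname: str, expected_token: str,
                    query: QueryFn = fake_query) -> bool:
    """True only when every nameserver serves the expected token; the CA's
    resolver may pick any of them, so one good server is not sufficient."""
    return not check_challenge(ns_addresses, qname, expected_token, query)

if __name__ == "__main__":
    for ip, names in duplicate_addresses(NS_ADDRESSES).items():
        print(f"WARNING: {ip} is shared by {len(names)} NS names: {', '.join(names)}")
    for name, problem in check_challenge(NS_ADDRESSES, CHALLENGE_NAME, EXPECTED_TOKEN).items():
        print(f"NOT READY: {name}: {problem}")
    print("ready" if ready_for_dns01(NS_ADDRESSES, CHALLENGE_NAME, EXPECTED_TOKEN) else "not ready")
```

If `_acme-challenge.<name>` is a CNAME to a record hosted elsewhere (the thread's output shows the record being created at `txtwebtest.api.fran.id`), run the same check against the nameservers of the CNAME target as well, since that is where the resolver ends up.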

update: it started working again.


 [webtest.0hi.me] Authorizing...
 [webtest.0hi.me] Authorizing using dns-01 validation (Manual)

 Domain:             webtest.0hi.me
 Record:             txtwebtest.api.fran.id
 Type:               TXT
 Content:            "T6GZ_u1xZZdlb92aHC1FVsix9aqHOuCdLKqjPSzJEWE"
 Note:               Some DNS managers add quotes automatically. A single set
                     is needed.

 Please press <Enter> after you've created and verified the record

 [webtest.0hi.me] Preliminary validation succeeded
 [webtest.0hi.me] Preliminary validation succeeded
 First chance error calling into ACME server, retrying with new nonce...
 [webtest.0hi.me] Authorization result: valid

 Domain:             webtest.0hi.me
 Record:             txtwebtest.api.fran.id
 Type:               TXT
 Content:            "T6GZ_u1xZZdlb92aHC1FVsix9aqHOuCdLKqjPSzJEWE"

https://crt.sh/?id=5845079429

this is all my fault. sorry for the inconvenience.
i have removed all bot flows and procedures for Let's Encrypt due to a short-term decision... but it is ok. i can still make it from square one.
thank you everyone

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.