Fail to renew or create certificates from a DDNS provider, others work

icreadence · October 7, 2017, 4:15pm

Background. My webserver and LE certs have worked for over a year. I have had no issues updating the certs prior to October 1st (so 3 months ago). Right now I can renew and create certs for my NO-IP domain (readsds.read-books.org), and Synology DDNS (readsds.familyds.com). I used the same command below in all three cases and am currently using the cert for readsds.familyds.com, but that leaves my primary DDNS readsds.tzo.net down. The error at the end of the syno-letsencrypt new-cert -VV output about port 80 seems to be a synology thing (any error is port 80). port 80 is open and it does work for readsds.tzo.net. I normally keep port 80 closed and reroute all SSL traffic in though a non-standard port (not 443).
weird things:
DNS problem: SERVFAIL looking up CAA for readsds.tzo.net <<--- ????
DEBUG: [readsds.tzo.net] is not a subdomain of [readsds.familyds.com] <<<--- Clearly not true
DEBUG: DNS challenge failed, reason: {"error":203,"file":"client.cpp","msg":"Challenge setup is failed."}
DEBUG: Normal challenge failed, reason: {"error":107,"file":"client.cpp","msg":"readsds.tzo.net: DNS problem: SERVFAIL looking up CAA for readsds.tzo.net"}

STANDARD DEBUG INFO:

My domain is: readsds.tzo.net, ibb.readsds.tzo.net;readsds.familyds.com;readsds.read-books.org
I ran this command: sudo syno-letsencrypt new-cert -d readsds.tzo.net -m "icreadence@mailxhost.com" -vv
It produced this output:

DEBUG: ==== start to new cert ====
DEBUG: Server: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Email: icreadence@com
DEBUG: Domain: readsds.tzo.net
DEBUG: ==========================
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 561
Replay-Nonce: dSyRmj4OfR6ooZIJQ3qkMBCpvzGbU_rlfjiliwL-xFU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 03:25:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 03:25:30 GMT
Connection: keep-alive

] Body: [{
"Y2fAt3N7uQg": "Adding random entries to the directory",
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"meta": {
"terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
},
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}]
DEBUG: Found registed account. used old account. [/usr/syno/etc/letsencrypt/account/RTM4t3/]
DEBUG: strat to do new-authz for readsds.tzo.net
DEBUG: ==> start new authz.
DEBUG: new authz: do new-authz.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post JWS value: {
"identifier" : {
"type" : "dns",
"value" : "readsds.tzo.net"
},
"resource" : "new-authz"
}

DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post value: {
"header" : {
"alg" : "RS256",
"jwk" : {
"e" : "AQAB",
"kty" : "RSA",
"n" : "1ITFPglst_skDB8XZMm_PrcsCDXxpXsVnkXhN-7D2qT8t1sLK_45jXHNN0y_OAgn1OwnRdwksp1ean_EKaPyJubFuegPspZq8rnbXVuDXm4xAm79hgn3-5jZ-tRC3wIhLn61qrCaceRLYXwF_lcYihfc5iNr6S86hObNdOO7_WCIvt6Nmpw22cwYrVk9jFHqCESv5_-67lNi-Zo5giSUkHkb8juOoMd0GCUhjh6mLhsNhTKEkakwy5KIVmsqgbhxVWUZzUoD3PQNhFUfhFj-o9aLLMwYSu4LLizoiiW7vM9vM44onElmZ4sVE2G5NgxH2YvGnhxZsnqOJUxpdN2sMQ"
}
},
"payload" : "eyJpZGVudGlmaWVyIjp7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6InJlYWRzZHMudHpvLm5ldCJ9LCJyZXNvdXJjZSI6Im5ldy1hdXRoeiJ9Cg",
"protected" : "eyJub25jZSI6ImRTeVJtajRPZlI2b29aSUpRM3FrTUJDcHZ6R2JVX3JsZmppbGl3TC14RlUifQo",
"signature" : "QwOFDzuOXNK-MA5VY4f9YlegGPRsssT_gDzzBCaBgTOLQQHW1Ncve40f0_Lv4JsriO1AMR4uWeLgk_5yeQzpJ-fStsJTI6rI9D5Q4mTtPgcPPAGMR2pKu_gDUeY2UFLnatIAA-1KZna4XxmxSHRNrVrr238vMPFKNhIt9Vrh0lds1usxrr-K1VM0p2usgHWYI-LBfudyjWSDP3bPQ5VmqjuiJNr-KJFb8hsFZ5KsKjMijqsJybZoAFyckgX7QcuDe2qH7fgEGZ_INS0CCa2NpDju4pKvLoddLRtw9A_qtDoGzfzzth2Vma8tMb3HxuZErZGlujtXaKTNcTZdlQXceg"
}

DEBUG: Curl Reply: [201] Header: [HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 993
Boulder-Requester: 8333082
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE
Replay-Nonce: vFHIjtnYKcKNL9b7YRE0T2B2DqM4phZi1BORO9_TVzE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 03:25:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 03:25:31 GMT
Connection: keep-alive

] Body: [{
"identifier": {
"type": "dns",
"value": "readsds.tzo.net"
},
"status": "pending",
"expires": "2017-10-11T03:23:43Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401190",
"token": "8uhNark5Zh6x-nTM3P_BXqScaaEcpZeofBcVokV_v4o"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191",
"token": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401192",
"token": "gD_sX7VAboRtjxihYuX1f7aIBC0odAVVQgEzgWGDpmM"
}
],
"combinations": [
[
2
],
[
1
],
[
0
]
]
}]
DEBUG: new authz: setup challenge env.
DEBUG: new authz: http-01 challenge.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191
DEBUG: Post JWS value: {
"keyAuthorization" : "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc.iEt4z3AxFxKEk-7C4xVDVbtqpTFWNMk9MFpuZDKBIPU",
"resource" : "challenge",
"type" : "http-01"
}

DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191
DEBUG: Post value: {
"header" : {
"alg" : "RS256",
"jwk" : {
"e" : "AQAB",
"kty" : "RSA",
"n" : "1ITFPglst_skDB8XZMm_PrcsCDXxpXsVnkXhN-7D2qT8t1sLK_45jXHNN0y_OAgn1OwnRdwksp1ean_EKaPyJubFuegPspZq8rnbXVuDXm4xAm79hgn3-5jZ-tRC3wIhLn61qrCaceRLYXwF_lcYihfc5iNr6S86hObNdOO7_WCIvt6Nmpw22cwYrVk9jFHqCESv5_-67lNi-Zo5giSUkHkb8juOoMd0GCUhjh6mLhsNhTKEkakwy5KIVmsqgbhxVWUZzUoD3PQNhFUfhFj-o9aLLMwYSu4LLizoiiW7vM9vM44onElmZ4sVE2G5NgxH2YvGnhxZsnqOJUxpdN2sMQ"
}
},
"payload" : "eyJrZXlBdXRob3JpemF0aW9uIjoiR1p2S1BIYVFubEg1TW91ZzNyQmZlV0E4ck1SUFpsOG9lRE5GcTNvMTFKYy5pRXQ0ejNBeEZ4S0VrLTdDNHhWRFZidHFwVEZXTk1rOU1GcHVaREtCSVBVIiwicmVzb3VyY2UiOiJjaGFsbGVuZ2UiLCJ0eXBlIjoiaHR0cC0wMSJ9Cg",
"protected" : "eyJub25jZSI6InZGSElqdG5ZS2NLTkw5YjdZUkUwVDJCMkRxTTRwaFppMUJPUk85X1RWekUifQo",
"signature" : "qmh89Pm55e78xLVNwDKxMeVtUjl28czPhcn1GXvwg57LgT8CLgWtvPTIBcTDor0vhSr0mN77KXszHsWu6JyyCIFAc_0xwCjVdgjsxVcPiA99G3RXBp8q9VR8Uy92jpfQiqOw5Fa1H-Q2XpGqz17XrMfcwW65R0V7UsSVlriGmTVC7TvGu3JHn4lCyYWhD63Uj8_SxyldaWS7KfF_im63uO3sB7vQgGuPF7AiWnDJCJI0GFA6pIxOEqD-8Ti5vWb28pyfOjZYFi_hDedkXOm7KJezlWsCjuisxng9AwLjYgXbRHCoFBEPeXhIyADT-2pNwox5HTDd7C_j3yw6LUPipA"
}

DEBUG: Curl Reply: [202] Header: [HTTP/1.1 100 Continue
Expires: Wed, 04 Oct 2017 03:25:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Requester: 8333082
Link: https://acme-v01.api.letsencrypt.org/acme/authz/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191
Replay-Nonce: RD3yyIGrd30lkA0c12o23A4wyIhGqCUS6hvj1YIdDvI
Expires: Wed, 04 Oct 2017 03:25:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 03:25:31 GMT
Connection: keep-alive

] Body: [{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191",
"token": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc",
"keyAuthorization": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc.iEt4z3AxFxKEk-7C4xVDVbtqpTFWNMk9MFpuZDKBIPU"
}]
DEBUG: new authz: http-01 check result.
DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/acme/authz/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 1110
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: eo_tHNwJnaJ_Xvp01gj2NY1CI4GCriZraiA9xRPz4UI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 03:25:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 03:25:31 GMT
Connection: keep-alive

] Body: [{
"identifier": {
"type": "dns",
"value": "readsds.tzo.net"
},
"status": "pending",
"expires": "2017-10-11T03:23:43Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401190",
"token": "8uhNark5Zh6x-nTM3P_BXqScaaEcpZeofBcVokV_v4o"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191",
"token": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc",
"keyAuthorization": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc.iEt4z3AxFxKEk-7C4xVDVbtqpTFWNMk9MFpuZDKBIPU"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401192",
"token": "gD_sX7VAboRtjxihYuX1f7aIBC0odAVVQgEzgWGDpmM"
}
],
"combinations": [
[
2
],
[
1
],
[
0
]
]
}]
DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/acme/authz/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 1110
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: aIwHZaavbXnUSf2DTa44EBXaFtpcCcWqsNDSLWQkzrc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 03:25:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 03:25:34 GMT
Connection: keep-alive

] Body: [{
"identifier": {
"type": "dns",
"value": "readsds.tzo.net"
},
"status": "pending",
"expires": "2017-10-11T03:23:43Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401190",
"token": "8uhNark5Zh6x-nTM3P_BXqScaaEcpZeofBcVokV_v4o"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191",
"token": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc",
"keyAuthorization": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc.iEt4z3AxFxKEk-7C4xVDVbtqpTFWNMk9MFpuZDKBIPU"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401192",
"token": "gD_sX7VAboRtjxihYuX1f7aIBC0odAVVQgEzgWGDpmM"
}
],
"combinations": [
[
2
],
[
1
],
[
0
]
]
}]
DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/acme/authz/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 1110
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: -vHZ1kOAHKs707zLHZwD0y-uoA_hmtOJeiMJbyjbqR0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 03:25:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 03:25:36 GMT
Connection: keep-alive

] Body: [{
"identifier": {
"type": "dns",
"value": "readsds.tzo.net"
},
"status": "pending",
"expires": "2017-10-11T03:23:43Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401190",
"token": "8uhNark5Zh6x-nTM3P_BXqScaaEcpZeofBcVokV_v4o"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191",
"token": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc",
"keyAuthorization": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc.iEt4z3AxFxKEk-7C4xVDVbtqpTFWNMk9MFpuZDKBIPU"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401192",
"token": "gD_sX7VAboRtjxihYuX1f7aIBC0odAVVQgEzgWGDpmM"
}
],
"combinations": [
[
2
],
[
1
],
[
0
]
]
}]
DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/acme/authz/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 1666
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: HOOuR6EbdNGuLto8CIxiFpBKlDD-NCGnKj_PuDrgVf8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 03:25:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 03:25:38 GMT
Connection: keep-alive

] Body: [{
"identifier": {
"type": "dns",
"value": "readsds.tzo.net"
},
"status": "invalid",
"expires": "2017-10-11T03:23:43Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401190",
"token": "8uhNark5Zh6x-nTM3P_BXqScaaEcpZeofBcVokV_v4o"
},
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:connection",
"detail": "DNS problem: SERVFAIL looking up CAA for readsds.tzo.net",
"status": 400
},
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401191",
"token": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc",
"keyAuthorization": "GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc.iEt4z3AxFxKEk-7C4xVDVbtqpTFWNMk9MFpuZDKBIPU",
"validationRecord": [
{
"url": "http://readsds.tzo.net/.well-known/acme-challenge/GZvKPHaQnlH5Moug3rBfeWA8rMRPZl8oeDNFq3o11Jc",
"hostname": "readsds.tzo.net",
"port": "80",
"addressesResolved": [
"96.237.238.150"
],
"addressUsed": "96.237.238.150",
"addressesTried":
}
]
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/HiiMcfJeFlnXMTI0RNK6702YV74u-FZ2x82eJYSJZcE/2125401192",
"token": "gD_sX7VAboRtjxihYuX1f7aIBC0odAVVQgEzgWGDpmM"
}
],
"combinations": [
[
2
],
[
1
],
[
0
]
]
}]
DEBUG: ==> start new authz.
DEBUG: new authz: do new-authz.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post JWS value: {
"identifier" : {
"type" : "dns",
"value" : "readsds.tzo.net"
},
"resource" : "new-authz"
}

DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post value: {
"header" : {
"alg" : "RS256",
"jwk" : {
"e" : "AQAB",
"kty" : "RSA",
"n" : "1ITFPglst_skDB8XZMm_PrcsCDXxpXsVnkXhN-7D2qT8t1sLK_45jXHNN0y_OAgn1OwnRdwksp1ean_EKaPyJubFuegPspZq8rnbXVuDXm4xAm79hgn3-5jZ-tRC3wIhLn61qrCaceRLYXwF_lcYihfc5iNr6S86hObNdOO7_WCIvt6Nmpw22cwYrVk9jFHqCESv5_-67lNi-Zo5giSUkHkb8juOoMd0GCUhjh6mLhsNhTKEkakwy5KIVmsqgbhxVWUZzUoD3PQNhFUfhFj-o9aLLMwYSu4LLizoiiW7vM9vM44onElmZ4sVE2G5NgxH2YvGnhxZsnqOJUxpdN2sMQ"
}
},
"payload" : "eyJpZGVudGlmaWVyIjp7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6InJlYWRzZHMudHpvLm5ldCJ9LCJyZXNvdXJjZSI6Im5ldy1hdXRoeiJ9Cg",
"protected" : "eyJub25jZSI6IkhPT3VSNkViZE5HdUx0bzhDSXhpRnBCS2xERC1OQ0duS2pfUHVEcmdWZjgifQo",
"signature" : "BaMN5-HVIKBDAuJJ7I-pdTTYnMoeArpXiGW4EUheC_bRaAXqvl4UFnhZOeynAogdUYpY71JlFW8R1aadA-Yl5VGe6GiTqoEoGU4z5XZaYHDWDapw-nRkzFMJ_MGQqEpZv-STzJhy_mpXV779jMtkXjMhz7shs3_b8k8WhWIM0tEEVv2dbLQF5AyDooJt3z3QzFcdzyRj4j0NUvf0cAYESNY7d1VsbfjRBqhFYyQCk8wynp8Zjw5HswJSHibUAnXUxGhfzLhvasdZPXotPonQ-_Nj4Mzahmc-bgISp8dPDTqhJ_y0NsUArY4D0G_keZhuPWKpthVUKz0coRDPS7uV5A"
}

DEBUG: Curl Reply: [201] Header: [HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 1003
Boulder-Requester: 8333082
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/C-MX1m_TlJHFqfPn12y8y6m7m70XvKdEsk1FebPByto
Replay-Nonce: Ldf3fMA2Ljyc0HFRfj_hzvBDw_ELz7o3ncPm0wXMjg0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 03:25:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 03:25:38 GMT
Connection: keep-alive

] Body: [{
"identifier": {
"type": "dns",
"value": "readsds.tzo.net"
},
"status": "pending",
"expires": "2017-10-11T03:25:38.828427608Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C-MX1m_TlJHFqfPn12y8y6m7m70XvKdEsk1FebPByto/2125410748",
"token": "MFZJorXA77t4UdMMEC3ApyCbfODACeV2mmmdm_u5DEs"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C-MX1m_TlJHFqfPn12y8y6m7m70XvKdEsk1FebPByto/2125410749",
"token": "u2DNGCgeXZUlnaIStMcUYJ1bTHSjCH52gnBFzQ0kwro"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C-MX1m_TlJHFqfPn12y8y6m7m70XvKdEsk1FebPByto/2125410750",
"token": "iCPU_3z_zfwZiYd56dG4cDXsCxuyVrGkIATmhB32hNA"
}
],
"combinations": [
[
0
],
[
2
],
[
1
]
]
}]
DEBUG: new authz: setup challenge env.
DEBUG: [readsds.tzo.net] is not a subdomain of [readsds.familyds.com]
DEBUG: DDNS Curl: [https://ddns.synology.com/main.php?_=letsencrypt%2Fdelete&hostname=readsds.tzo.net&myds_id=32890&auth_key=96deaa1dd9f44a86e53ddd4e770575fc15dd05acbab59bdd1b04ef000a8914089b135443c00c92c8&serial=1660NZN318205&txt=]
DEBUG: szUserAgent: [synology_braswell_916+ DSM6.1-15152 Update 5 (DDNS)]
DEBUG: GET Request: https://ddns.synology.com/main.php?_=letsencrypt%2Fdelete&hostname=readsds.tzo.net&myds_id=32890&auth_key=96deaa1dd9f44a86e53ddd4e770575fc15dd05acbab59bdd1b04ef000a8914089b135443c00c92c8&serial=1660NZN318205&txt=
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 04 Oct 2017 03:25:39 GMT
Server: synology
Content-Length: 19
Connection: keep-alive

] Body: [{"code":"badparam"}]
DEBUG: Dns01 challenge: Teardown [{"code":"badparam"}].
DEBUG: DNS challenge failed, reason: {"error":203,"file":"client.cpp","msg":"Challenge setup is failed."}

DEBUG: Normal challenge failed, reason: {"error":107,"file":"client.cpp","msg":"readsds.tzo.net: DNS problem: SERVFAIL looking up CAA for readsds.tzo.net"}

DEBUG: failed to open port 80.
DEBUG: close port 80.
{"error":101,"file":"client.cpp","msg":"failed to open port 80."}

My web server is (include version): WebStation, Apache 2.4
The operating system my web server runs on is (include version):Synology DS 6.1.3

My hosting provider, if applicable, is: DyDNS (failing), NO-IP (ok), and Synology (OK)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes DMS and no SSH

Thanks

tialaramex · October 7, 2017, 5:04pm

I think this is saying that there was a problem asking about the CAA record for readsds.tzo.net

In the past few weeks it became mandatory for Certificate Authorities like Let’s Encrypt to verify CAA records. The CAA record is a special DNS record only for indicating to CAs whether it’s OK for them to issue certificates in your domain. This way if you dislike a particular CA (perhaps you think they’re sloppy) you can tell them never to issue, or if you favour one particular CA (maybe they’ve agreed to phone your Security Office to check each certificate manually) you can express this in the DNS records, which is neat.

However, to successfully check CAA, a DNS query for the CAA record must succeed. It’s not necessary to have a CAA record, an answer which says “We checked and there are zero CAA records” would be fine. But unfortunately some domains have poor quality DNS software which when it’s asked a question it doesn’t understand, instead of saying “I have no answers” either crashes or says “An error occurred”.

Some CAs have decided to work around this, but Let’s Encrypt is reluctant to do so. If this is the problem you may need to ask the domain this name is in to look at fixing their DNS software. Explain that this is a serious DNS compliance problem, and that it may inconvenience all their other users too, somebody else might be able to suggest a good diagnostics site that shows clearly that this is broken without involving Let’s Encrypt.

rg305 · October 7, 2017, 5:21pm

Here are some CAA resources for your reference:
http://dnsviz.net/

How exactly do you understand readsds.tzo.net to be a subdomain of readsds.familyds.com ???

icreadence · October 7, 2017, 5:32pm

I do not. This was an error message where I do not understand why the tool would think so. No reference was made to familyds.com in the command. This was a non-sequitur that I thought might be of interest in debugging. Sorry about the double negative.

icreadence · October 7, 2017, 5:36pm

Thanks. I will forward this in my ticket with DyDNS. You would think Oracle would be able to get this right.?.?

I am not up on the details of DNS fields and what they mean (I am still much of a n00b when it comes to this and the SSL/TLS process) basic cryptography is not bad, but on networks, its a bit much. Any good places to get info on the workings so I can talk a bit better about this stuff. Want to learn.

Thanks

rg305 · October 7, 2017, 8:18pm

The problem is definitely in that.
CAA returns invalid RCODE (NOTIMP).

from: Certificate Authority Authorization (CAA) - Let's Encrypt
Returning other opcodes, including NOTIMP, for unrecognized qtypes is a violation of RFC 1035, and needs to be fixed.

system · November 6, 2017, 8:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.