Failed authorization procedure for CNAME domains: Former working setup stopped working

Hello! I have searched the web for CNAME-related issues with LE, and I have found a mix of resolved configuration errors on the client side and some posts claiming LE stopped issuing certs for CNAME domains because of security issues.

My NS subdomain cert gets signed with the setup; the other one, with a CNAME record, does not. My setup did not change since the last signing. The setup is OK (provided in a Docker container).

It would be really sad if LE stopped issuing certs for CNAME domains. This would mean that my setup with an nginx reverse proxy to distribute to the internal servers will not work anymore. :frowning: Options other than CNAMEs are not possible with my DNS server.

Is this really a security issue, as the posts I have found on the internet say, or is it a temporary bug (technical issue) or a policy change? Can I hope that it will work again? THX.

More information

> docker run -it --rm -p 443:443 -p 80:80 --name letsencrypt01 -v "/foo/etc:/etc/letsencrypt" -v "/foo/var:/var/lib/letsencrypt" quay.io/letsencrypt/letsencrypt:latest certonly

Certs requested: server.rienecker.name, owncloud.rienecker.name
server.rienecker.name is NS type
owncloud.rienecker.name is CNAME for server.rienecker.name

Response:

Failed authorization procedure. owncloud.rienecker.name (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 91.53.91.212:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: owncloud.rienecker.name
Type: connection
Detail: Failed to connect to 91.53.91.212:443 for TLS-SNI-01
challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

;; ANSWER SECTION:
owncloud.rienecker.name. 7176   IN      CNAME   server.rienecker.name.
server.rienecker.name.  36      IN      A       91.53.84.224

The IP address doesn’t match. Did that change?

Thanks for the quick reply! That is correct, it is a dynamic IP. I update the IP via script to one subdomain (server.rienecker.name) and then point the CNAMEs to that subdomain. I can only update one subdomain, which is why I am limited in my setup and do not have another way to realize a reverse proxy. THX.

Any ideas if it is a policy change or a bug? Or any suggestions on how to collect more information for debugging this issue? THX.

CNAMEs are fine. The error message shows an IP address (which I assume was the correct one at the time), so it’s not related to DNS. Let’s Encrypt simply was unable to connect to port 443 during verification. This could be for any number of reasons - maybe your ISP is blocking incoming connections on port 443 (possibly not all connections, but based on some heuristic - this is not uncommon for residential ISPs). It’s rather hard to make a more educated guess here, since the only thing this error is telling us is that the validation server didn’t reach yours. :slight_frown:
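The point made above is that the CNAME resolved correctly and the failure happened at the TCP connection, but the answer section posted earlier shows a different address (91.53.84.224) than the one the validation server tried (91.53.91.212). The following is an added example, not code from the thread or from Let's Encrypt: it parses a dig-style ANSWER section, follows the CNAME chain to the A record the CA would connect to (rejecting loops and overlong chains), extracts the address from the ACME error detail, and reports whether the two agree. The record text and error strings are copied from the posts above; the loop example is constructed.

```python
import ipaddress
import re

# Copied in shape from the ANSWER section posted in the thread.
ANSWER_SECTION = """\
owncloud.rienecker.name. 7176   IN      CNAME   server.rienecker.name.
server.rienecker.name.  36      IN      A       91.53.84.224
"""

# The two "Detail:" strings quoted in the thread.
DETAIL_CONNECT = "Failed to connect to 91.53.91.212:443 for TLS-SNI-01 challenge"
DETAIL_SERVFAIL = "DNS problem: SERVFAIL looking up A for cloud.zanclus.com"

# Constructed: a CNAME loop, the kind of zone error a resolver must refuse to chase.
LOOP_SECTION = """\
a.example. 300 IN CNAME b.example.
b.example. 300 IN CNAME a.example.
"""

MAX_CHAIN = 8  # assumption: chase at most this many CNAMEs before giving up


def normalize(name):
    return name.rstrip(".").lower()


def parse_answer_section(text):
    """Parse dig-style RR lines into {owner: [(type, rdata), ...]}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        if rtype == "CNAME":
            rdata = normalize(rdata)
        records.setdefault(normalize(owner), []).append((rtype, rdata))
    return records


def resolve_a(records, name):
    """Follow CNAMEs from name; return (canonical_name, [A addresses], chain)."""
    chain = [normalize(name)]
    current = chain[0]
    for _ in range(MAX_CHAIN):
        rrs = records.get(current, [])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if cnames:
            if len(cnames) > 1:
                raise ValueError("%s has more than one CNAME" % current)
            target = cnames[0]
            if target in chain:
                raise ValueError("CNAME loop: " + " -> ".join(chain + [target]))
            chain.append(target)
            current = target
            continue
        ips = [rdata for rtype, rdata in rrs if rtype == "A"]
        return current, ips, chain
    raise ValueError("CNAME chain longer than %d" % MAX_CHAIN)


def ip_from_detail(detail):
    """Pull (ip, port) out of a 'Failed to connect to IP:PORT' detail, else None."""
    m = re.search(r"connect to (\d+\.\d+\.\d+\.\d+):(\d+)", detail)
    if not m:
        return None
    return str(ipaddress.ip_address(m.group(1))), int(m.group(2))


def diagnose(answer_text, detail, name):
    """Compare what the name resolves to now with the address the CA reported."""
    report = {"chain": None, "canonical": None, "current_ips": [],
              "tried": ip_from_detail(detail), "ip_matches": None, "error": None}
    try:
        canonical, ips, chain = resolve_a(parse_answer_section(answer_text), name)
    except ValueError as exc:
        report["error"] = str(exc)
        return report
    report.update(chain=chain, canonical=canonical, current_ips=ips)
    if report["tried"] is not None:
        report["ip_matches"] = report["tried"][0] in ips
    return report


if __name__ == "__main__":
    print(diagnose(ANSWER_SECTION, DETAIL_CONNECT, "owncloud.rienecker.name"))
```

For the thread's data the report shows the chain owncloud -> server, a current address of 91.53.84.224 and a tried address of 91.53.91.212, so `ip_matches` is false: with a dynamic address, the A record can change between the moment the CA resolved the name and the moment it connected, which is a separate failure mode from a firewall dropping port 443.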

There are errors in your DNS - see http://dnsviz.net/d/owncloud.rienecker.name/dnssec/ and http://mxtoolbox.com/domain/owncloud.rienecker.name/

Thanks for the replies!

It took me hours to go through my setup. It works now, but I am still not 100% sure what caused the problem.

First, thanks for the good links to mxtoolbox.com and dnsviz.net! I checked them, and all the reported issues basically fall into two categories: 1) mail server/blacklisting due to the dynamic IP; reverse lookup does not work for the same reason. 2) The webserver finding was related to rienecker.name, not server.rienecker.name, and the DNS checks were OK.

I have changed some firewall rules/setup and in parallel performed some dry runs. The change in the firewall config would explain the error messages, but it would not explain why the cert for server.rienecker.name went through but the one for owncloud.rienecker.name did not.

My current idea of what happened is a combination of firewall rules and a possible hiccup at my domain provider, or more likely a timeout due to heavy traffic.

Your DNS is still broken. TCP is not optional with DNS.

Edit: Since the LE server can resolve the address, this is most likely not the problem. However, Internet services should stick to standards.
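"TCP is not optional with DNS" refers to the requirement that authoritative and recursive servers accept queries over TCP as well as UDP; a resolver that gets a UDP reply with the TC (truncated) bit set must retry the query over TCP, and over TCP every message is prefixed with a two-byte length. The block below is an added example, not code from the thread or from any DNS software: it builds a real DNS query for the name in the thread, detects TC in a reply, frames and unframes messages for TCP, and decides what a standards-following resolver does next. Both replies are constructed byte strings; nothing is sent on the network.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, TC, RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=1, txid=0x1234):
    """A recursion-desired query for name/qtype (1 = A), class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def tcp_frame(msg):
    """RFC 1035 section 4.2.2: over TCP each message carries a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream back into DNS messages; several may arrive back to back."""
    msgs, off = [], 0
    while off < len(stream):
        if off + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", stream, off)
        off += 2
        if off + n > len(stream):
            raise ValueError("truncated message")
        msgs.append(bytes(stream[off:off + n]))
        off += n
    return msgs


def next_step(query, udp_reply):
    """What a resolver does with a UDP reply: discard, accept, or retry over TCP."""
    q, r = parse_header(query), parse_header(udp_reply)
    if r["id"] != q["id"] or not r["qr"]:
        return ("discard", None)
    if r["tc"]:
        # The reply did not fit in UDP; the same query must go out again over TCP.
        return ("retry-over-tcp", tcp_frame(query))
    return ("accept", udp_reply)


QUERY = build_query("owncloud.rienecker.name")

# Constructed reply: same id, QR and TC set, question echoed, no answers.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | TC, 1, 0, 0, 0) + QUERY[12:]

# Constructed reply: one A record (name pointer to offset 12, type A, class IN, TTL 36).
COMPLETE_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 1, 0, 0) + QUERY[12:]
                  + struct.pack("!HHHIH4B", 0xC00C, 1, 1, 36, 4, 91, 53, 84, 224))

if __name__ == "__main__":
    print(next_step(QUERY, TRUNCATED_REPLY)[0], next_step(QUERY, COMPLETE_REPLY)[0])
```

A server that answers over UDP but has TCP/53 filtered looks healthy to a simple `dig` and still breaks the retry path above, which is why a checker such as dnsviz reports it as an error rather than a warning.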

I am definitely on your side about sticking to standards. Better to do less, but do it right.

Am I right that the link http://dnsviz.net/d/owncloud.rienecker.name/dnssec/ checks DNSSEC? I don't know much about it, but as far as I know it is not used/deployed by my provider. So I guess the answer that "it is not secure" is correct, but that is true for every other domain without that feature.

For https://mxtoolbox.com/domain/owncloud.rienecker.name/ the DNS results are OK:

Did you see another problem? THX

No, despite the name, dnsviz also checks DNS in general. There are 2 messages about missing DNSSEC in black, and then there are 3 errors and 1 warning that have nothing to do with DNSSEC.

I too am having this same issue. I have a domain zanclus.com which has an A record for home.zanclus.com. I have several CNAME records for that same domain which point to home. Renewal for home.zanclus.com works fine, but renewals for the CNAME hosts fail with the following error:

Attempting to renew cert from /etc/letsencrypt/renewal/cloud.zanclus.com.conf produced an unexpected error: Failed authorization procedure. cloud.zanclus.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for cloud.zanclus.com. Skipping.
 - The following errors were reported by the server:

   Domain: cloud.zanclus.com
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for cloud.zanclus.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Aha! It was my own fault… My DNS provider changed domain names a while back and I never updated the NS records with my domain registrar. Once I did, everything started working correctly.

Hello @InfoSec812,

I was writing a post to warn you about that DNS issue, but I'm glad you got it working. By the way, the dnsbycomodo.net name servers are still saying that the right NS servers to resolve your domain zanclus.com are nsx.dnsbycomodo.com:

dig @ns1.dnsbycomodo.net zanclus.com ns +short
ns1.dnsbycomodo.com.
ns2.dnsbycomodo.com.
ns3.dnsbycomodo.com.
ns4.dnsbycomodo.com.

You should take a look into it.

Cheers,
sahsanu
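The two posts above describe a delegation that is out of sync: the registrar (and so the parent zone) hands out one set of NS hostnames while the zone's provider now uses different ones, and a validation server that can only reach the old names ends up with SERVFAIL. The following is an added example, not the thread's or any tool's own code, that compares the two NS sets as `dig ... ns +short` prints them and flags parent-listed servers that have no address. The parent list is copied from the dig output above; the child list and the address table are constructed (RFC 5737 documentation addresses) and are not claims about the real dnsbycomodo hosts.

```python
# Copied from the thread: NS set served by ns1.dnsbycomodo.net for zanclus.com.
PARENT_DIG_SHORT = """\
ns1.dnsbycomodo.com.
ns2.dnsbycomodo.com.
ns3.dnsbycomodo.com.
ns4.dnsbycomodo.com.
"""

# Constructed: the NS set the zone itself advertises after the provider's rename.
CHILD_DIG_SHORT = """\
ns1.dnsbycomodo.net.
ns2.dnsbycomodo.net.
ns3.dnsbycomodo.net.
ns4.dnsbycomodo.net.
"""

# Constructed stand-in for A lookups of the NS hostnames: only the new names resolve.
NS_ADDRESSES = {
    "ns1.dnsbycomodo.net": "192.0.2.1",
    "ns2.dnsbycomodo.net": "192.0.2.2",
    "ns3.dnsbycomodo.net": "198.51.100.1",
    "ns4.dnsbycomodo.net": "198.51.100.2",
}


def normalize(name):
    return name.strip().rstrip(".").lower()


def parse_short(text):
    """Turn `dig +short` output into a set of normalized hostnames (comments skipped)."""
    return {normalize(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(";")}


def check_delegation(parent_text, child_text, addresses):
    """Compare parent-side and child-side NS sets and test whether the parent-side
    servers are resolvable at all; a resolver starts from the parent-side list."""
    parent, child = parse_short(parent_text), parse_short(child_text)
    reachable = sorted(n for n in parent if n in addresses)
    report = {
        "stale_at_parent": sorted(parent - child),
        "missing_at_parent": sorted(child - parent),
        "unresolvable_parent_ns": sorted(n for n in parent if n not in addresses),
        "reachable_parent_ns": reachable,
    }
    if not reachable:
        report["verdict"] = "servfail-likely"   # nothing the resolver is told to ask exists
    elif parent != child:
        report["verdict"] = "inconsistent"      # works for now, but the sets disagree
    else:
        report["verdict"] = "ok"
    return report


if __name__ == "__main__":
    print(check_delegation(PARENT_DIG_SHORT, CHILD_DIG_SHORT, NS_ADDRESSES))
```

The fix described in the thread, updating the NS records at the registrar, changes the parent-side list; the check reports `ok` once that list matches what the zone advertises and every name in it resolves.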
