Failed to generate certificate via dns plugin due to slow propagation

I'm trying to get a couple of certificates for the domains listed below. Not all of them are hosted on the same server and not all of them are hosting web pages; some are just mail servers, as can be seen. So I would like to use the DNS plugin to ease the pain, so to say. However, our domain has 5 nameservers (1 master and 4 slaves), and when I use the certbot DNS plugin to obtain the certificates, it will successfully create the TXT records on the master DNS, the master DNS will send notifies to the slaves, and because the slaves sometimes host a lot of other domains, they don't update immediately but take more than 60 seconds for some of them. I've noticed that ACME checks whatever DNS servers it can find and can hit fast enough, but since propagation doesn't happen that fast, it will always fail to verify AT LEAST 1 domain… Actually, this is the first time today I've managed to have only 1 failure; usually it's at least 4.

Is there any chance that I can increase the wait time for the changes to take effect, or maybe force ACME to only check one nameserver of my choice, say ns.mywimax.me (which is actually the master DNS)?

Any help is greatly appreciated. Thanks in advance!

My domain is: mywimax.me

I ran this command: certbot certonly --dns-rfc2136 --dns-rfc2136-credentials .secrets/rfc2136.ini -d mywimax.me -d biznis.mywimax.me -d crm.mywimax.me -d help.mywimax.me -d home.mywimax.me -d mail.mywimax.me -d phpmyadmin.mywimax.me -d webmail.mywimax.me -d smtp.mywimax.me -d imap.mywimax.me --dry-run

It produced this output: Failed authorization procedure. mail.mywimax.me (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.mywimax.me

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): CentOS 7.6

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
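The NXDOMAIN above is what a slave answers while it still serves the old zone: the master already has the _acme-challenge TXT record, but a slave that has not yet transferred the new serial does not know the name at all. The script below is an added example, not part of the original post, that makes the propagation visible before anything else checks it: it polls every authoritative nameserver of the zone (the five named in this thread, overridable through the NAMESERVERS variable) with dig until all of them serve the expected TXT value, and it reports when their SOA serials disagree. It assumes dig (bind-utils) is installed and that the token argument is the value the certbot plugin wrote.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: confirm that every authoritative
# nameserver of the zone serves the _acme-challenge TXT record (and an identical
# SOA serial) before an ACME dns-01 validation is allowed to proceed.
# Assumes dig (bind-utils) is installed.
set -u

ZONE="mywimax.me"
# The five authoritative nameservers named in the thread; override as needed.
NAMESERVERS="${NAMESERVERS:-ns.mywimax.me dns1.orion.rs dns2.orion.rs dns3.orion.rs dns4.orion.rs}"

# serial_of ZONE NS -> the SOA serial NS currently serves for ZONE.
serial_of() {
  dig +short "$1" SOA "@$2" | awk '{print $3}'
}

# txt_of NAME NS -> the TXT strings NS serves for NAME, one per line, quotes stripped.
# A slave that has not transferred the new zone yet answers NXDOMAIN, i.e. nothing.
txt_of() {
  dig +short "$1" TXT "@$2" | tr -d '"'
}

# all_same <- one value per line on stdin; succeeds only if every line is
# identical and non-empty.
all_same() {
  local first="" line
  while IFS= read -r line; do
    [ -n "$line" ] || return 1
    if [ -z "$first" ]; then
      first="$line"
    elif [ "$line" != "$first" ]; then
      return 1
    fi
  done
  [ -n "$first" ]
}

# serials_agree -> 0 when all nameservers serve the same SOA serial for ZONE.
serials_agree() {
  local ns
  for ns in $NAMESERVERS; do serial_of "$ZONE" "$ns"; done | all_same
}

# challenge_served NAME TOKEN NS -> 0 when NS answers NAME TXT with exactly TOKEN.
challenge_served() {
  txt_of "$1" "$3" | grep -Fxq "$2"
}

# wait_for_propagation NAME TOKEN [TIMEOUT] [INTERVAL]
# Polls every nameserver until all serve TOKEN; fails after TIMEOUT seconds and
# names the nameservers that are still behind.
wait_for_propagation() {
  local name="$1" token="$2" timeout="${3:-900}" interval="${4:-30}" waited=0 ns missing
  while :; do
    missing=""
    for ns in $NAMESERVERS; do
      challenge_served "$name" "$token" "$ns" || missing="$missing $ns"
    done
    if [ -z "$missing" ]; then
      echo "all nameservers serve $name after ${waited}s"
      return 0
    fi
    if [ "$waited" -ge "$timeout" ]; then
      echo "gave up after ${waited}s; record still missing on:$missing" >&2
      return 1
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Usage: ./acme-propagation-check.sh _acme-challenge.mail.mywimax.me <token>
if [ $# -ge 2 ]; then
  serials_agree || echo "warning: SOA serials differ between nameservers" >&2
  wait_for_propagation "$1" "$2"
fi
```

Running it against `_acme-challenge.mail.mywimax.me` right after the plugin has added the record shows which of the five servers is behind and for how long; that measured delay is the number a propagation wait has to cover. Note that asking only the master (the `@ns.mywimax.me` idea from the question) would always succeed and tell you nothing, which is exactly why the check loops over every authoritative server.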

Hi @maretodoric

There is a certbot parameter, --debug-challenges. Use that; then you must confirm the next step, so you can wait.

No. You can reduce the number of your nameservers

•  dns1.orion.rs
•  dns2.orion.rs
•  dns3.orion.rs
•  dns4.orion.rs
•  ns.mywimax.me

or you can use my online tool to check if every nameserver has the same serial number.

But with a lot of domains, sounds terrible.

Isn't it possible to speed up the DNS propagation?

Well, that's awesome, didn't know about that one, thanks! The issue with automated renewals will still remain, but… Maybe something will work out at some point.

As for reducing the number of nameservers…
Well… Maybe one day. I like having the option of multiple nameservers, especially if they are in different geo locations. dns3 and 4 are in the USA and Sydney. Maybe I will leave those two + ns.

Btw, they all definitely have the same serial. But only after some time, larger than 60 seconds for sure. I will test on multiple occasions and see how long it takes to propagate across all nameservers.
dns1-4 host a lot of domains.
How do you propose to speed up the propagation? Maybe manually running rndc reload mywimax.me on the other servers?

Thanks for the fast reply, though! Really appreciate it!

[root@controller ~]# dig +multi mywimax.me soa @ns.mywimax.me | grep serial < this one is master
                                2019040487 ; serial
[root@controller ~]# dig +multi mywimax.me soa @dns1.orion.rs | grep serial
                                2019040487 ; serial
[root@controller ~]# dig +multi mywimax.me soa @dns2.orion.rs | grep serial
                                2019040487 ; serial
[root@controller ~]# dig +multi mywimax.me soa @dns3.orion.rs | grep serial
                                2019040487 ; serial
[root@controller ~]# dig +multi mywimax.me soa @dns4.orion.rs | grep serial
                                2019040487 ; serial

Certbot has a --dns-rfc2136-propagation-seconds option for exactly this kind of delay.
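That option is the fix this thread ends up using. The block below is an added example, not anything posted in the thread, showing the setup around it: it turns the TSIG key statement that BIND's tsig-keygen prints into the credentials file the dns-rfc2136 plugin reads, refuses to continue unless that file is mode 0600 (whoever can read it can update the zone), and sizes the propagation wait from the roughly ten minutes measured later in this thread plus a margin. The master's address (192.0.2.10), the key name and the secret are placeholders (assumptions), and the 10% margin is a choice of this example, not a certbot default.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: build certbot's dns-rfc2136 credentials
# file from a BIND TSIG key statement, refuse to continue unless it is 0600,
# and run certbot with a propagation wait sized from the measured transfer delay.
# The server address, key name and secret below are placeholders (assumptions).
set -eu

# Constructed sample of what `tsig-keygen certbot.` prints; the secret is fake.
SAMPLE_KEY='key "certbot." {
    algorithm hmac-sha512;
    secret "c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1hLXJlYWwta2V5LWRvLW5vdC11c2U=";
};'

# key_field FIELD <- BIND key statement on stdin; prints the key name,
# algorithm or secret.
key_field() {
  case "$1" in
    name)      sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' ;;
    algorithm) sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' ;;
    secret)    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' ;;
    *)         echo "unknown field $1" >&2; return 1 ;;
  esac
}

# write_ini PATH SERVER <- BIND key statement on stdin; writes the ini that
# --dns-rfc2136-credentials points at, readable by the owner only.
write_ini() {
  local path="$1" server="$2" stmt
  stmt=$(cat)
  (
    umask 077
    cat > "$path" <<EOF
dns_rfc2136_server = ${server}
dns_rfc2136_port = 53
dns_rfc2136_name = $(printf '%s\n' "$stmt" | key_field name)
dns_rfc2136_secret = $(printf '%s\n' "$stmt" | key_field secret)
dns_rfc2136_algorithm = $(printf '%s\n' "$stmt" | key_field algorithm | tr '[:lower:]' '[:upper:]')
EOF
  )
  chmod 600 "$path"
}

# file_mode PATH -> permission bits in octal (GNU stat, as on CentOS 7).
file_mode() { stat -c '%a' "$1"; }

# propagation_seconds MEASURED -> MEASURED plus a 10% margin, never below 60.
propagation_seconds() {
  local s=$(( $1 + $1 / 10 ))
  if [ "$s" -lt 60 ]; then s=60; fi
  echo "$s"
}

# Usage: ./setup-rfc2136.sh /root/.secrets/rfc2136.ini
if [ $# -ge 1 ]; then
  INI="$1"
  printf '%s\n' "$SAMPLE_KEY" | write_ini "$INI" 192.0.2.10   # placeholder master IP
  [ "$(file_mode "$INI")" = 600 ] || { echo "refusing: $INI is readable by others" >&2; exit 1; }
  WAIT=$(propagation_seconds 600)   # ~10 minutes measured in the thread -> 660
  certbot certonly --dns-rfc2136 --dns-rfc2136-credentials "$INI" \
    --dns-rfc2136-propagation-seconds "$WAIT" \
    -d mywimax.me -d mail.mywimax.me --dry-run
fi
```

Keep --dry-run until the wait is proven long enough, so a too-short value costs a staging failure rather than a rate-limited production one. certbot records the plugin options, including the propagation wait, in the renewal configuration under /etc/letsencrypt/renewal/, so unattended renewals reuse the same value. On the master, grant the key only the right to update TXT records in the zone (BIND's update-policy) rather than full update access, since the secret has to sit on disk on the certbot host.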

I don't use my own name server.

I'm going to give this a try tomorrow! Sounds like a much better option for sure, thanks!

On an unrelated note, I've just tested how long it takes to update all nameservers when notifies are sent. And it takes approx. 10 minutes.

Worked like a charm!! :slight_smile: :slight_smile: Thank you!
