Failed to Interact with Lets Encrypt via DNS

We are using AKS with Azure Firewall together with Argo CD. Most of the things looks that they work but we are getting error like this in Argo CD

dial tcp: lookup acme-v02.api.letsencrypt.org on X.X.X.X:53: server misbehaving

I ran this command: I am creating the cluster in Argo Cd, everything is green but we are getting this error
dial tcp: lookup acme-v02.api.letsencrypt.org on X.X.X.X:53: server misbehaving

Can somebody help or give an opinion where we should look at ..

Thank you..

1 Like

whatever server you are using for resolve DNS crashing when lookup domain for LE's API: what DNS server stack it uses?

6 Likes

Well we are using simply.com as dns we put some of the env informations also but still nothing the same error .. any advice maybe

I don't know as people here will be able to give you much help, it sounds like your DNS resolver isn't configured correctly. I don't think there's anything specific to Let's Encrypt. Can that DNS server resolve other names?

3 Likes

@martindimovski, do you have cli access?

2 Likes

You mean to the DNS side

You need to be clear to whom you are speaking with.

2 Likes

sorry @rg305 , yes i was thinking to you :slight_smile: , To Azure yes we have CLI ... but on DNS side i am not sure if its exist hahaha

1 Like

Please show the DNS setting in AKS
cat /etc/resolv.conf

3 Likes

As @orangepizza says:

Your system cannot complete a basic outgoing DNS query to resolve the Let's Encrypt API.

Nothing is going to work until your system can make DNS queries.

It has nothing to do with Let's Encrypt DNS validation or simply.com (which is your domain registrar, not your DNS resolution service) etc, your system just can't resolve public DNS names.

It sounds a little like this Kubernetes issue and the resolution was to restart the master node but it could also just be that your config has an error somewhere: "server misbehaving" error / kube-dns returning SERVFAIL · Issue #39980 · kubernetes/kubernetes · GitHub

Try basic curl from a command line on your container (if curl is available):
curl https://acme-v02.api.letsencrypt.org

4 Likes

Hello @webprofusion,
So we are using Azure Firewall Premium and all outbound connectivities are configure including also Lets Encrypt endpoint as URL filter:
In first case on Azure Firewall when we leave the DNS section as Default Azure Provided we get this error on Traefik pod:
"x509: certificate signed by unknown authority"

/ $ wget https://acme-v02.api.letsencrypt.org/directory Connecting to acme-v02.api.letsencrypt.org (172.65.46.172:443) ssl_client: acme-v02.api.letsencrypt.org: certificate verification failed: self signed certificate in certificate chain.

This is what I get in first case with wget command

In second case when we update our settings on Azure Firewall with our Custom Dns Ip of Simply provider we get this error as above:

dial tcp: lookup acme-v02.api.letsencrypt.org on 10.41.0.10:53: server misbehaving
This private ip is our AKS dns service ip

Are you the same person who started this thread? Because we prefer having each problem have its own thread.

Your wget problem looks like something is intercepting the outbound https requests.

What does this show

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
3 Likes

Yes @MikeMcQ we are together on this ... sorry maybe i needed to reply ...

1 Like

You can tag-team the problem.
We just needed to be sure we are working on the SAME problem :slight_smile:

5 Likes

Hello @MikeMcQ , I am unable to run this command inside Traefik pod inside my cluster, looks like I don't have also permissions to install packages.
/ $ whoami
whoami: unknown uid 65532
/ $ echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
sh: openssl: not found

only some basic commands work like wget and ping

traefik:
deployment:
initContainers:
- name: volume-permisions
image: busybox:1.31.1
command: ["sh", "-c", "chmod -Rv 600 /data/*"]
volumeMounts:
- name: data
mountPath: /data

service:
annotations:
service.beta.kubernetes.io/azure-dns-label-name: xxx
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "loadbalancer"

certResolvers:
le:
email: system@xxx.com
tlsChallenge: true
storage: "/data/acme.json"
caServer: https://acme-v02.api.letsencrypt.org/directory

persistence:
enabled: true

ingressClass:
enabled: true
isDefaultClass: true

providers:
kubernetesCRD:
allowExternalNameServices: true

kubernetesIngress:
  publishedService:
    enabled: true

ports:
web:
redirectTo: websecure
websecure:
tls:
enabled: true
certResolver: "le"
domains:
- main: x.x.x.x.com
sans:
- x.x.domain.com

This is our Traefik script

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.