Failed to Interact with Lets Encrypt via DNS

We are using AKS with Azure Firewall together with Argo CD. Most things look like they work, but we are getting an error like this in Argo CD:

dial tcp: lookup acme-v02.api.letsencrypt.org on X.X.X.X:53: server misbehaving

I ran this command: I am creating the cluster in Argo CD; everything is green, but we are getting this error:
dial tcp: lookup acme-v02.api.letsencrypt.org on X.X.X.X:53: server misbehaving

Can somebody help or give an opinion on where we should look?

Thank you.


Whatever server you are using to resolve DNS is crashing when looking up the domain for LE's API. What DNS server stack does it use?


Well, we are using simply.com as DNS. We also put in some of the env information, but still nothing; the same error. Any advice, maybe?

I don't know that people here will be able to give you much help; it sounds like your DNS resolver isn't configured correctly. I don't think there's anything specific to Let's Encrypt. Can that DNS server resolve other names?


@martindimovski, do you have cli access?


You mean on the DNS side?

You need to be clear about whom you are speaking to.


Sorry @rg305, yes, I was thinking of you :slight_smile:. To Azure, yes, we have CLI access... but on the DNS side I am not sure it even exists, hahaha.


Please show the DNS setting in AKS:
cat /etc/resolv.conf


As @orangepizza says:

Your system cannot complete a basic outgoing DNS query to resolve the Let's Encrypt API.

Nothing is going to work until your system can make DNS queries.

It has nothing to do with Let's Encrypt DNS validation or simply.com (which is your domain registrar, not your DNS resolution service) etc, your system just can't resolve public DNS names.

It sounds a little like this Kubernetes issue, where the resolution was to restart the master node, but it could also just be that your config has an error somewhere: "server misbehaving" error / kube-dns returning SERVFAIL · Issue #39980 · kubernetes/kubernetes · GitHub

Try basic curl from a command line on your container (if curl is available):
curl https://acme-v02.api.letsencrypt.org

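To make the "server misbehaving" text concrete, here is an added example; it is not code from this thread, from Traefik or from Kubernetes. A constructed loopback DNS server answers every query with RCODE 2 (SERVFAIL), the failure the linked kube-dns issue describes, and Go's built-in resolver, which Traefik as a Go program uses, reports exactly "server misbehaving" for it. The loopback server, the function names and the timeouts are the example's own choices; only the ACME hostname is taken from the thread.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// startServfailServer starts a constructed stand-in for a broken cluster DNS
// service on a loopback UDP port. It answers every query with RCODE 2
// (SERVFAIL) and speaks only enough DNS to echo the transaction ID and the
// question section back to the client.
func startServfailServer() (addr string, stop func(), err error) {
	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	go func() {
		buf := make([]byte, 1232)
		for {
			n, from, err := pc.ReadFrom(buf)
			if err != nil {
				return // socket closed by stop()
			}
			if n < 12 {
				continue
			}
			// Walk the QNAME labels of the first question to find where it ends.
			i := 12
			for i < n && buf[i] != 0 {
				i += int(buf[i]) + 1
			}
			end := i + 1 + 4 // terminating zero label + QTYPE + QCLASS
			if end > n {
				continue
			}
			resp := make([]byte, 0, end)
			resp = append(resp, buf[0], buf[1])         // transaction ID
			resp = append(resp, 0x81, 0x82)             // QR=1 RD=1 RA=1 RCODE=2 (SERVFAIL)
			resp = append(resp, 0, 1, 0, 0, 0, 0, 0, 0) // QDCOUNT=1, no answer/authority/additional RRs
			resp = append(resp, buf[12:end]...)         // echo the question unchanged
			_, _ = pc.WriteTo(resp, from)
		}
	}()
	return pc.LocalAddr().String(), func() { pc.Close() }, nil
}

// lookupThrough resolves host with Go's built-in resolver, sending every
// query to dnsAddr instead of the servers named in resolv.conf. This is the
// code path that produced the error in the thread: "server misbehaving" is
// Go's wording for a response whose RCODE is neither NOERROR nor NXDOMAIN.
func lookupThrough(dnsAddr, host string) ([]string, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, _ string, _ string) (net.Conn, error) {
			// Always talk UDP to the stand-in, whatever transport Go asked for.
			d := net.Dialer{Timeout: 2 * time.Second}
			return d.DialContext(ctx, "udp", dnsAddr)
		},
	}
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	return r.LookupHost(ctx, host)
}

// ServfailLookupError runs the scenario end to end and returns the resolver's error.
func ServfailLookupError() error {
	addr, stop, err := startServfailServer()
	if err != nil {
		return err
	}
	defer stop()
	_, err = lookupThrough(addr, "acme-v02.api.letsencrypt.org")
	return err
}

func main() {
	err := ServfailLookupError()
	fmt.Println("lookup error:", err)
	var dnsErr *net.DNSError
	if errors.As(err, &dnsErr) {
		fmt.Printf("upstream returned a failure rcode: temporary=%v server=%s\n",
			dnsErr.IsTemporary, dnsErr.Server)
	}
}
```

Run it with go run: the printed error has the same shape as the one in the pod, with the server address taken from the machine's resolv.conf rather than from the loopback port. The point for the thread is that this message is not a connectivity error. The cluster DNS service at 10.41.0.10 answered, but with a failure code, so the next step is to query that service directly for acme-v02.api.letsencrypt.org and then check what its own upstream (the firewall's DNS setting or the custom DNS IP) returns for the same name.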

Hello @webprofusion,
So we are using Azure Firewall Premium, and all outbound connectivity is configured, including the Let's Encrypt endpoint as a URL filter.
In the first case, when we leave the DNS section on Azure Firewall as the default Azure-provided one, we get this error on the Traefik pod:
"x509: certificate signed by unknown authority"

/ $ wget https://acme-v02.api.letsencrypt.org/directory
Connecting to acme-v02.api.letsencrypt.org (172.65.46.172:443)
ssl_client: acme-v02.api.letsencrypt.org: certificate verification failed: self signed certificate in certificate chain.

This is what I get in the first case with the wget command.

In the second case, when we update our settings on Azure Firewall with the custom DNS IP of our Simply provider, we get this error, as above:

dial tcp: lookup acme-v02.api.letsencrypt.org on 10.41.0.10:53: server misbehaving
This private IP is our AKS DNS service IP.

Are you the same person who started this thread? Because we prefer having each problem have its own thread.

Your wget problem looks like something is intercepting the outbound https requests.

What does this show?

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
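As an added illustration of the wget failure quoted above (example code, not from the thread or from Traefik): a TLS-inspecting proxy, which is what Azure Firewall Premium does when its TLS inspection feature is enabled, terminates the HTTPS session and re-signs the server certificate with its own private CA, so the pod sees a chain ending in a root it does not trust. The program below mints a throwaway inspection CA and a leaf for acme-v02.api.letsencrypt.org signed by it, then runs the verification a Go TLS client performs, once without and once with that CA in the trust store. The CA name, the key type, the function names and the empty certificate pool standing in for the pod's CA bundle are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const acmeHost = "acme-v02.api.letsencrypt.org"

// InterceptedChain is a constructed model of what a TLS-inspecting proxy
// hands to a client: a leaf for the ACME hostname signed by the proxy's own
// private CA instead of by Let's Encrypt's real issuing chain.
type InterceptedChain struct {
	ProxyCA *x509.Certificate
	Leaf    *x509.Certificate
}

// NewInterceptedChain mints a throwaway inspection CA and a leaf for acmeHost
// signed by it. Keys are generated fresh; nothing here is a real certificate.
func NewInterceptedChain() (*InterceptedChain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Firewall TLS Inspection CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: acmeHost},
		DNSNames:     []string{acmeHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &InterceptedChain{ProxyCA: ca, Leaf: leaf}, nil
}

// VerifyAsClient performs the check a Go TLS client (Traefik's ACME client
// included) applies to the server's leaf: hostname match plus a chain to a
// root in the supplied trust store.
func VerifyAsClient(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   acmeHost,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is Go's
// "x509: certificate signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	chain, err := NewInterceptedChain()
	if err != nil {
		panic(err)
	}
	// Stand-in for the pod's CA bundle: it knows the public roots but not the
	// firewall's private CA, so for this purpose it is modelled as empty.
	podRoots := x509.NewCertPool()
	fmt.Println("pod trust store without proxy CA:", VerifyAsClient(chain.Leaf, podRoots))
	// Fix 1: distribute the inspection CA into the pod's trust store.
	podRoots.AddCert(chain.ProxyCA)
	fmt.Println("pod trust store with proxy CA:   ", VerifyAsClient(chain.Leaf, podRoots))
	// Fix 2 (nothing to show in code): exempt acmeHost from TLS inspection on
	// the firewall so the real Let's Encrypt chain reaches the pod.
}
```

The first verification fails with "x509: certificate signed by unknown authority", the text Traefik logged; the second succeeds only because the inspection CA was added. The two practical fixes follow from that: either exempt the ACME endpoint from TLS inspection so the real Let's Encrypt chain reaches the pod, or distribute the inspection CA into the pod's trust store. For ACME the first is the cleaner choice, since the client is then validating the CA's own endpoint rather than a proxy's re-signed copy of it.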

Yes @MikeMcQ, we are together on this... sorry, maybe I needed to reply...


You can tag-team the problem.
We just needed to be sure we are working on the SAME problem :slight_smile:


Hello @MikeMcQ, I am unable to run this command inside the Traefik pod in my cluster; it looks like I also don't have permissions to install packages.
/ $ whoami
whoami: unknown uid 65532
/ $ echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
sh: openssl: not found

Only some basic commands work, like wget and ping.

traefik:
  deployment:
    initContainers:
      - name: volume-permisions
        image: busybox:1.31.1
        command: ["sh", "-c", "chmod -Rv 600 /data/*"]
        volumeMounts:
          - name: data
            mountPath: /data

  service:
    annotations:
      service.beta.kubernetes.io/azure-dns-label-name: xxx
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "loadbalancer"

  certResolvers:
    le:
      email: system@xxx.com
      tlsChallenge: true
      storage: "/data/acme.json"
      caServer: https://acme-v02.api.letsencrypt.org/directory

  persistence:
    enabled: true

  ingressClass:
    enabled: true
    isDefaultClass: true

  providers:
    kubernetesCRD:
      allowExternalNameServices: true

    kubernetesIngress:
      publishedService:
        enabled: true

  ports:
    web:
      redirectTo: websecure
    websecure:
      tls:
        enabled: true
        certResolver: "le"
        domains:
          - main: x.x.x.x.com
            sans:
              - x.x.domain.com

This is our Traefik script