Follow NS records

We would like to use let’s encrypt certs on a domain where we use “dns loadbalancing” where the main record (on Route53) is a NS record pointing at each of our gateways that in turn run a DNS server pointing at itself.

When running:
certbot certonly --manual --preferred-challenges dns -d $DOMAIN -m $EMAIL --keep-until-expiring

We get error:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: <domain>
   Type:   connection
   Detail: DNS problem: query timed out looking up TXT for
   _acme-challenge.<domain>

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. 

However, the TXT record exists:

❯ dig TXT +short _acme-challenge.<domain>
"<uuid>"

Seems to me that let’s encrypt is not following the NS records and doing another lookup there. Could this be the issue? Any way to work around it? Webroot seems to be failing for the same reason (unable to resolve).

Appreciate any help :smile:

Regards,
Asbjørn

Hi @asbjornenge,

What is your real domain?

Cheers,
sahsanu

@sahsanu next.taghub.net :smile::+1:

Hi @asbjornenge,

The main problem I can see is that I’m receiving a timeout requesting records like CAA, NS, SOA for next.taghub.net.

For example:

$ dig @gw-aws-euw1a.taghub.net next.taghub.net ns

; <<>> DiG 9.11.1 <<>> @gw-aws-euw1a.taghub.net next.taghub.net ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig @gw-gcp-euw1b.taghub.net next.taghub.net caa

; <<>> DiG 9.11.1 <<>> @gw-gcp-euw1b.taghub.net next.taghub.net caa
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

It works for A, AAAA and TXT records but at least you should be able to answer CAA, NS and SOA records.

Cheers,
sahsanu

Aha! The issue is with my gateway dns servers :man_facepalming: They only hold A, AAAA and TXT records currently :+1: I’ll give that a try monday!

Thanks a bunch @sahsanu :grimacing::+1:


Hmm :thinking: I have fixed all the mentioned records, but still keep getting the same timeout error.

❯ dig A +short next.taghub.net @gw-aws-euw1a.taghub.net
34.248.70.255
❯ dig A +short next.taghub.net @gw-aws-euw1a.taghub.net
34.248.70.255
❯ dig AAAA +short next.taghub.net @gw-aws-euw1a.taghub.net
34.248.70.255
❯ dig CAA +short next.taghub.net @gw-aws-euw1a.taghub.net
34.248.70.255
❯ dig NS +short next.taghub.net @gw-aws-euw1a.taghub.net
34.248.70.255.
35.187.183.44.
❯ dig SOA +short next.taghub.net @gw-aws-euw1a.taghub.net
ns-1078.awsdns-06.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
❯ dig TXT +short next.taghub.net @gw-aws-euw1a.taghub.net
"Betioc4SnujAdqNbbqL3keQPMt-CnUoeI7Qb2_Guhc8"

Same goes for the other NS gw-gcp-euw1b.taghub.net :+1:

Any other ideas @sahsanu ?

Hmmm… The error suddenly changed from a connection error to unauthorized.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. next.taghub.net (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.next.taghub.net

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: next.taghub.net
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.next.taghub.net

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Hi @asbjornenge,

Sorry but seems it is not fixed from my side:

$ dig @gw-gcp-euw1b.taghub.net next.taghub.net caa

; <<>> DiG 9.11.1 <<>> @gw-gcp-euw1b.taghub.net next.taghub.net caa
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Cheers,
sahsanu

next.taghub.net.        30      IN      NS      34.248.70.255.
next.taghub.net.        30      IN      NS      35.187.183.44.

NS records are supposed to be hostnames, but aside from that…

I’m pretty sure one or both of those nameservers usually drops queries, and one or both of them doesn’t support case randomization, which causes the resolver to retry and make more queries. Bad in isolation, very bad in combination.


Ah yes… These are some old homegrown DNS servers - does not support CAA records it would seem. :confused:

However, I’m giving a wildcard cert a try - using the taghub.net tld. Certs issued :tada: Now let’s see if I can put them to use…

Thanks a bunch @sahsanu and @mnordhoff :ok_hand:


That's also a critical issue, but the Let's Encrypt error in your first post was on the _acme-challenge TXT query.

(Not supporting a record type should never be a thing. DNS servers should have a valid negative response to queries for unknown record types. Additionally, any DNS server with RFC 3597 input has been able to serve actual CAA records since about 2002.)

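An added example (not code from the thread, certbot or Let’s Encrypt) that checks the two things sahsanu and mnordhoff point at: whether an authoritative server answers CAA/NS/SOA queries with a valid response (an answer, NODATA or NXDOMAIN) instead of dropping them, and whether it echoes a 0x20 case-randomized name unchanged. Standard library only; the server address and domain passed to probe() are whatever you choose to test.

```python
import random
import socket
import struct

# Record types the thread shows the gateway servers failing on (CAA, NS, SOA)
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "CAA": 257}

def randomize_case(name, rng=random):
    """DNS 0x20 case randomization: a resolver expects the echo to match exactly."""
    return "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in name)

def build_query(qname, qtype, txid=0x1234):
    """Wire-format query with RD=0, as a resolver sends it to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)

def classify_response(query, response):
    """Judge a reply the way a validating resolver does: a valid negative
    answer (NODATA/NXDOMAIN) is fine, a dropped or mangled reply is not."""
    if len(response) < len(query):
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "txid-mismatch"
    sent, got = query[12:], response[12:len(query)]  # question section echo
    if got != sent:  # name rewritten: 0x20 echo broken, or a different question
        return "case-mismatch" if got.lower() == sent.lower() else "question-mismatch"
    rcode = flags & 0xF
    if rcode == 3:
        return "NXDOMAIN"
    if rcode != 0:
        return "rcode-%d" % rcode
    return "answer" if ancount else "NODATA"

def probe(server_ip, qname, qtype, timeout=2.0):
    """Send one UDP query to an authoritative server; 'timeout' is the failure
    sahsanu's dig output shows for CAA/NS/SOA on the gateway servers."""
    query = build_query(randomize_case(qname), QTYPES[qtype])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(query, data)
```

Looping probe() over every key in QTYPES against each nameserver reproduces sahsanu’s check in one pass; any result other than "answer", "NODATA" or "NXDOMAIN" is something Let’s Encrypt’s resolver will trip over.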
