Help with NXDOMAIN looking up TXT for Error

My domain is:
digiinnovation.net

I ran this command:
I’m using the acme4j client for java against the v2 staging URL (https://acme-staging-v02.api.letsencrypt.org/directory), and trying to order a certificate with the following domain “*.ZigTest6.digiinnovation.net”.
Since yesterday (after the staging environment disruption), I keep getting the following error: “DNS problem: NXDOMAIN looking up TXT for _acme-challenge.zigtest6.digiinnovation.net”

When trying with Let’s Debug everything looks fine:
https://letsdebug.net/zigtest6.digiinnovation.net/44670

It produced this output:
“DNS problem: NXDOMAIN looking up TXT for _acme-challenge.zigtest6.digiinnovation.net”

The version of my client is: acme4j client for java

Please advise

Thanks in advance

Hi @Talz

you don’t have any dns entries ( https://check-your-website.server-daten.de/?q=zigtest6.digiinnovation.net ):

Host                             T   IP-Address   is auth.   ∑ Queries   ∑ Timeout
zigtest6.digiinnovation.net          Name Error   yes        1           0
www.zigtest6.digiinnovation.net      Name Error   yes        1           0

And there are no TXT entries.

But checking your domain manually there is a refused answer.

D:\>nslookup -type=TXT zigtest6.digiinovation.net.  ns-1308.awsdns-35.org.

*** zigtest6.digiinovation.net. wurde von UnKnown nicht gefunden: Query refused.

Must check later, why check-your-website doesn’t show that refused answer.

Oh, what’s that? Checking your main domain there is the same picture ( https://check-your-website.server-daten.de/?q=digiinovation.net ):

Host                     T   IP-Address   is auth.   ∑ Queries   ∑ Timeout
digiinovation.net            Name Error   yes        1           0
www.digiinovation.net        Name Error   yes        1           0

And checking the domain name I could buy your domain.

Looks like the domain is expired and there are some old / wrong ns entries.

PS: Yep, checked with another domain registrar. Your domain isn’t registered.

@JuergenAuer, thanks for the quick response!

Sorry, but you have a mistake, it’s digiinnovation.net (with double ‘n’) and not digiinovation.net

And I don’t think the problem is with the DNS TXT entry because letsdebug returns OK https://letsdebug.net/zigtest6.digiinnovation.net/44670
And also
https://www.sslforfree.com/create?dns_txt_verify=_acme-challenge.zigtest6.digiinnovation.net

Let’s Debug can’t really test for this issue.

Testing one of my domains – with a different ACME client – works successfully.

Are you sure acme4j is waiting until the record has been fully deployed before asking Let’s Encrypt to validate it?

@shred Do you know how ACME4J behaves w.r.t. POSTing a DNS-01 challenge? Is there a self-check or is that the responsibility of the integrator?

@Talz Which version of ACME4J are you using? Can you share your integration code?

acme4j does not set up the DNS server itself. It is the responsibility of the invoker to set up everything that is required for fulfilling the challenge. In this case, the invoker must set the TXT record. It’s just because there is no standard way to set DNS records, it may be anything from invoking a command line tool to writing into a database. :smile:

acme4j also does not perform any pre-checks. As soon as challenge.trigger() is invoked, the request is immediately sent to the ACME server, and the challenge is being verified.

It might be a timing issue. I don’t know how the DNS TXT record is set here, but maybe it is an asynchronous process that was fast enough by a lucky chance, but isn’t now. I’d just try a Thread.sleep(1000) before invoking challenge.trigger(), to find out if it’s timing related.

If it doesn’t help, I’d set a breakpoint before challenge.trigger(), and manually check if the TXT record is present and valid.

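The self-check shred describes (confirm the TXT record is visible before calling challenge.trigger()) as an added example; this is not acme4j code and not from anyone in this thread. It queries one authoritative name server directly through the JDK's built-in JNDI DNS provider, so the check is not fooled by a recursive resolver's cache, and treats NXDOMAIN or a refused answer as "not published yet" and retries. The name server, record name and the acme4j calls in the usage comment are assumptions to adapt to your own zone and acme4j version.

```java
import java.util.Hashtable;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.InitialDirContext;

/** Polls an authoritative name server until the expected ACME TXT value is visible. */
public final class Dns01SelfCheck {

    /**
     * Returns true once a TXT record at rrName carries expectedValue on nameServer,
     * false if it is still absent after the given number of attempts.
     */
    public static boolean waitForTxt(String nameServer, String rrName, String expectedValue,
                                     int attempts, long delayMillis) throws InterruptedException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        // Ask the authoritative server, not the system resolver, so a stale cache cannot mask the record
        env.put("java.naming.provider.url", "dns://" + nameServer);
        for (int i = 0; i < attempts; i++) {
            try {
                InitialDirContext ctx = new InitialDirContext(env);
                Attribute txt = ctx.getAttributes(rrName, new String[] {"TXT"}).get("TXT");
                ctx.close();
                for (int j = 0; txt != null && j < txt.size(); j++) {
                    // JNDI may return the TXT data with surrounding quotes; strip them before comparing
                    String value = txt.get(j).toString().replace("\"", "").trim();
                    if (expectedValue.equals(value)) {
                        return true;
                    }
                }
            } catch (NameNotFoundException e) {
                // NXDOMAIN: exactly what the staging server reported; the record is not there yet
            } catch (NamingException e) {
                // REFUSED, SERVFAIL or timeout: treat as "not yet" and retry
            }
            Thread.sleep(delayMillis);
        }
        return false;
    }

    // Usage sketch (assumed integration, not acme4j's own code):
    //   String rrName = "_acme-challenge.zigtest6.digiinnovation.net";
    //   publishTxtRecord(rrName, challenge.getDigest());   // your own DNS provider API call
    //   if (!waitForTxt("ns-1308.awsdns-35.org", rrName, challenge.getDigest(), 30, 2000)) {
    //       throw new IllegalStateException("TXT record never became visible at the authoritative NS");
    //   }
    //   challenge.trigger();   // only now ask the ACME server to validate
}
```

Polling the authoritative server only proves the zone is published there; hosted DNS with several name servers may still need a short extra wait before every server in the NS set answers, which is why a last fixed delay after the check succeeds is reasonable.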

Thanks @shred! I’m sure the OP will appreciate the debugging advice!

Thanks @shred and everyone who is trying to help here.
I have already tried the sleep and the debug… just to clarify, everything worked well before the issue in the staging env…
Therefore, I don’t think it’s a timing issue. I suspect that it might be connected to some limit…
Do you know when the limits reset?

If it’s any help: I have just tried to get a certificate from staging via DNS challenge. It was successful. So at least, it should work with the latest acme4j.

Is the error actually coming from acme4j or the staging server? Do you have a stack trace?
Edit: I could reproduce this error message when I tried a DNS challenge without setting the TXT record. It really seems that the staging server is unable to retrieve your TXT record, for whatever reason… :thinking:


If the problem were related to reaching a rate limit there would be an explicit and clear error problem returned that would indicate that. I don’t think rate limiting is likely to be the case here.

There haven’t been any changes in the staging environment’s DNS resolution that I expect would have caused a change in behaviour.

trying to order a certificate with the following domain “*.ZigTest6.digiinnovation.net”.

Are you ordering a certificate with just that domain, or also the base domain without the wildcard, ZigTest6.digiinnovation.net?

Next thing I tried is to get a certificate for zigtest6.digiinnovation.net via DNS challenge. It is supposed to fail because I would use a different digest, but I wondered if I would also get the “DNS problem” error.

However, the error was Incorrect TXT record "xph_bNK_bloZpIVjxL5NSU-0vGa8kkv8iW42iRsOCwk" found at _acme-challenge.zigtest6.digiinnovation.net, as expected.

It really seems that there is no TXT record at the time the staging server tries to verify the challenge.

Can you just try again?

I tried again, but now with a bigger sleep time of 10 seconds and it worked :slight_smile:
So, you were right. Sorry for the hassle…
And many thanks for your help!
@shred @cpu @mnordhoff @JuergenAuer
