Homebrewed client gets "No TXT record found"

Hi,
I'm implementing an ACME client capable of passing DNS validations. Basically, it listens on UDP port 53 and, when it gets a DNS query for an "_acme-challenge" TXT record, it answers with the appropriate value. All other queries are answered "NODATA".

This works fine on localhost using pebble, and I've been able to get a certificate. But when I try to run it on a remote host with letsencrypt's staging environment, I get this error:

During secondary validation: No TXT record found at _acme-challenge.sor0.ru

During validation, at least one "_acme-challenge" TXT query reaches my client and gets answered appropriately; I'm seeing this via tcpdump and a debugger. I also have the following DNS records set up with my provider:

_acme-challenge.sor0.ru. 90     IN      CNAME   sor0.ru.

sor0.ru.                345600  IN      NS      ns1.sor0.ru.
ns1.sor0.ru.            345600  IN      A       xx.xx.xx.xx

Since the error occurs during "secondary validation", I'm assuming the client passes at least "primary validation", whatever that means? Where should I start digging?

“During secondary validation” may mean a few things:

  • Your NSes have a geographic filter.
  • Your NSes are not synced properly: the primary validator hits an NS that has the proper records, while the secondary validator(s) hit the one(s) that do not.

More info here:

Additionally, when I do this query dig _acme-challenge.sor0.ru, I get a different response from yours:

_acme-challenge.sor0.ru. 90     IN      CNAME   sor0.ru.
sor0.ru.                3600    IN      A       95.143.188.120

;; AUTHORITY SECTION:
sor0.ru.                345600  IN      NS      ns1.sor0.ru.
sor0.ru.                345600  IN      NS      ns1.axelname.RU.
sor0.ru.                345600  IN      NS      ns2.axelname.RU.

When I query your NS directly from NL, I get connection refused:

$ dig _acme-challenge.sor0.ru @ns1.sor0.ru.
;; communications error to 95.143.188.120#53: connection refused
;; communications error to 95.143.188.120#53: connection refused
;; communications error to 95.143.188.120#53: connection refused

4 Likes

What about TCP/53?

4 Likes

Additionally, when I do this query dig _acme-challenge.sor0.ru, I get a different response from yours:

Yes, I didn't mean to post a full response, only to show what records are set up. And I missed out the A record :slightly_smiling_face:

When I query your NS directly from NL, I get connection refused:

That's right, the server is down at the moment.

What about TCP/53?

Yes, I was thinking about that. At the moment, it handles UDP only, and I guess this may be the problem.

2 Likes
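The TCP/53 gap discussed above, shown in working code. This is an added example, not the original poster's client and not anything from Let's Encrypt or Pebble: a minimal responder that serves "_acme-challenge" TXT answers on both UDP and TCP (DNS over TCP carries a two-byte length prefix in front of every message, which is the part a UDP-only implementation has to add), returns NODATA for other types at a known name and NXDOMAIN for unknown names, and echoes the question bytes back verbatim. The zone example.test, the token value, the CHALLENGES table and the PORT constant are constructed placeholders.

```python
import select
import socket
import struct

QTYPE_TXT, RCODE_NOERROR, RCODE_NXDOMAIN = 16, 0, 3
PORT = 53  # privileged; use e.g. 5353 for an unprivileged local test
# Constructed sample: challenge label -> TXT value (in a real client this is
# the base64url SHA-256 digest of the key authorization).
CHALLENGES = {"_acme-challenge.example.test": "PLACEHOLDER-KEY-AUTHORIZATION-DIGEST"}

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def parse_question(msg):
    """Return (qname lower-cased, qtype, offset just past the question)."""
    offset, labels = 12, []
    while msg[offset] != 0:
        n = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels).lower(), struct.unpack("!H", msg[offset + 1:offset + 3])[0], offset + 5

def skip_name(msg, offset):
    """Advance past an owner name; responses may end it with a compression pointer."""
    while msg[offset] != 0:
        if msg[offset] & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + msg[offset]
    return offset + 1

def build_query(name, qtype, qid=0x1234):
    """A recursion-desired, single-question query, as a validating resolver sends."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query):
    """TXT at a known challenge name -> the token; other types there -> NODATA (NOERROR,
    empty answer); unknown names -> NXDOMAIN. AA is set: we are authoritative for these names."""
    qid, flags = struct.unpack("!HH", query[:4])
    qname, qtype, qend = parse_question(query)
    token, answer, rcode = CHALLENGES.get(qname), b"", RCODE_NOERROR
    if token is None:
        rcode = RCODE_NXDOMAIN
    elif qtype == QTYPE_TXT:
        rdata = bytes([len(token)]) + token.encode("ascii")  # one <character-string>
        answer = encode_name(qname) + struct.pack("!HHIH", QTYPE_TXT, 1, 0, len(rdata)) + rdata
    resp_flags = 0x8400 | (flags & 0x0100) | rcode  # QR, AA, RD copied from the query, rcode
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:qend] + answer  # echo the question bytes verbatim (case included)

def summarize_response(resp):
    """Decode the header and the first string of each TXT answer (for self-checks)."""
    qid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    _, _, offset = parse_question(resp)
    txts = []
    for _ in range(ancount):
        offset = skip_name(resp, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_TXT:
            txts.append(resp[offset + 1:offset + 1 + resp[offset]].decode("ascii"))
        offset += rdlen
    return {"id": qid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF, "txt": txts}

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(conn, n):
    """Read exactly n bytes from a TCP connection (recv may return fewer)."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def recv_tcp_message(conn):
    """Read one length-prefixed DNS message from a TCP connection."""
    return recv_exact(conn, struct.unpack("!H", recv_exact(conn, 2))[0])

def serve(bind_ip="0.0.0.0"):
    """Answer on UDP and TCP port 53; the TCP listener is what a UDP-only client lacks."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((bind_ip, PORT))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    tcp.bind((bind_ip, PORT))
    tcp.listen(8)
    while True:
        for sock in select.select([udp, tcp], [], [])[0]:
            if sock is udp:
                query, peer = udp.recvfrom(512)
                udp.sendto(build_response(query), peer)
            else:
                conn, _ = tcp.accept()
                with conn:
                    conn.sendall(tcp_frame(build_response(recv_tcp_message(conn))))
```

Call serve() to run it (binding port 53 needs privileges); build_query, build_response and summarize_response can be exercised without any socket, and the tcp_frame / recv_tcp_message pair is the whole difference between the UDP and TCP paths. A full responder would additionally put an SOA record in the authority section of its NODATA and NXDOMAIN answers so that resolvers can cache the negative result, and would handle the EDNS OPT record seen in the unboundtest output; neither is needed to reproduce the TCP fix.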

Does your client return the value multiple times?

You can try looking up the record with https://unboundtest.com/ to make sure it works properly - that’s configured quite similarly to the resolvers we use in production.

3 Likes

Does your client return the value multiple times?

It returns an answer to each DNS query. The queries for non-TXT records are answered "NODATA" (empty answer section).

You can try looking up the record with https://unboundtest.com/ to make sure it works properly - that’s configured quite similarly to the resolvers we use in production

I've tried it a couple of times, here's the last one - https://unboundtest.com/m/TXT/sor0.ru/G34WP4QZ

I'm not sure what I should take away from it though, it gives you tons of information. But I'm seeing that at least it gets my TXT value:

Response:
;; opcode: QUERY, status: NOERROR, id: 34062
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;sor0.ru.	IN	 TXT

;; ANSWER SECTION:
sor0.ru.	0	IN	TXT	"hUZ3M-DDI2EBqBv5K-RUAmyxfo5yv802s6xi82kbSOs"

The label is sor0.ru. and not _acme-challenge.sor0.ru., but I guess this is because of my CNAME record _acme-challenge.sor0.ru. 90 IN CNAME sor0.ru.?

I should say that I've tried restarting my client multiple times, and a couple of times it has worked successfully and downloaded a certificate from Staging! But I still can't figure out why this works in some cases and not in others :slight_smile: The error message the ACME server gives me is either "No TXT record found at _acme-challenge.sor0.ru" or "During secondary validation: No TXT record found at _acme-challenge.sor0.ru" :roll_eyes:

1 Like

To me, that generally implies Geo-Location blocking.

2 Likes

Yes, or sometimes the various DNS servers are not consistent. I can reach the two axelname.ru servers but not ns1.sor0.ru.

Similar to Homebrewed client gets "No TXT record found" - #2 by Nekit

2 Likes
