Hi,
I'm implementing an ACME client capable of passing DNS validations. Basically, it listens on UDP port 53 and, when it gets a DNS query for an "_acme-challenge" TXT record, it answers with the appropriate value. All other queries are answered "NODATA".
This works fine on localhost using pebble, and I've been able to get a certificate. But when I try to run it on a remote host with Let's Encrypt's staging environment, I get this error:
During secondary validation: No TXT record found at _acme-challenge.sor0.ru
During validation, at least one "_acme-challenge" TXT query reaches my client and gets answered appropriately; I'm seeing this via tcpdump and a debugger. I also have the following DNS records set up with my provider:
_acme-challenge.sor0.ru. 90 IN CNAME sor0.ru.
sor0.ru. 345600 IN NS ns1.sor0.ru.
ns1.sor0.ru. 345600 IN A xx.xx.xx.xx
Since the error occurs during "secondary validation", I'm assuming the client passes at least "primary validation", whatever that means? Where should I start digging?
“During secondary validation” may mean a few things:
Your NSes have a geographic filter.
Your NSes are not synced properly: the primary validator hits an NS that has the proper records, and the secondary one(s) hit the one(s) that do not.
More info here:
Additionally, when I do this query, dig _acme-challenge.sor0.ru, I get a different response from yours:
_acme-challenge.sor0.ru. 90 IN CNAME sor0.ru.
sor0.ru. 3600 IN A 95.143.188.120
;; AUTHORITY SECTION:
sor0.ru. 345600 IN NS ns1.sor0.ru.
sor0.ru. 345600 IN NS ns1.axelname.RU.
sor0.ru. 345600 IN NS ns2.axelname.RU.
When I query your NS directly from NL, I get connection refused:
$ dig _acme-challenge.sor0.ru @ns1.sor0.ru.
;; communications error to 95.143.188.120#53: connection refused
;; communications error to 95.143.188.120#53: connection refused
;; communications error to 95.143.188.120#53: connection refused
You can try looking up the record with https://unboundtest.com/ to make sure it works properly - that’s configured quite similarly to the resolvers we use in production.
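One way to check the "not synced" and "connection refused" points above from your own machine, as an added example that is not code from this thread or from the Let's Encrypt project: send a TXT query straight at each NS the parent zone delegates to and flag the ones that fail or disagree. The NS names are the ones in the dig output above; the addresses you pass to query_ns are assumed to be looked up separately, and the CNAME above sends TXT lookups to sor0.ru., so that is the name to query.

```python
import socket, struct

def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    # 12-byte header (RD=1, one question) followed by a TXT/IN question (type 16, class 1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 16, 1)

def _read_name(msg: bytes, off: int):
    # decode a possibly compressed name; returns (name, offset just past the name field)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: the field ends here, keep reading at the target
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels) + ".", (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse_txt_answer(msg: bytes) -> dict:
    # rcode, AA flag and every TXT string in the answer section (a CNAME RR in front is skipped)
    _, flags, _, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, txts = _read_name(msg, 12)[1] + 4, []  # skip the single question (name + qtype/qclass)
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == 16 and rdata:  # TXT rdata is a sequence of <len><chars> strings
            txts.append(rdata[1:1 + rdata[0]].decode())
            rdata = rdata[1 + rdata[0]:]
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "txt": txts}

def find_inconsistent(results: dict) -> list:
    # results: NS name -> parsed answer or None (query failed); returns the NSes that failed or disagree
    sets = {ns: tuple(sorted(r["txt"])) if r else None for ns, r in results.items()}
    good = [s for s in sets.values() if s]  # non-empty TXT sets; NODATA counts as disagreeing
    ref = max(set(good), key=good.count) if good else object()  # sentinel: nothing matches
    return sorted(ns for ns, s in sets.items() if s != ref)

def query_ns(ns_ip: str, name: str, timeout: float = 3.0):
    # one UDP TXT query straight at an authoritative server; None on timeout or ICMP port unreachable
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_txt_query(name), (ns_ip, 53))
            return parse_txt_answer(s.recv(4096))
    except OSError:  # ConnectionRefusedError is what dig reports as "connection refused"
        return None
```

Call find_inconsistent on a dict like {"ns1.sor0.ru.": query_ns("<ns1 address>", "sor0.ru."), ...} for every delegated NS; any name it returns is one a validator can hit and get NODATA or no answer from.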
It returns an answer to each DNS query. The queries for non-TXT records are answered "NODATA" (empty answer section).
You can try looking up the record with https://unboundtest.com/ to make sure it works properly - that’s configured quite similarly to the resolvers we use in production
The label is sor0.ru. and not _acme-challenge.sor0.ru., but I guess this is because of my CNAME record _acme-challenge.sor0.ru. 90 IN CNAME sor0.ru.?
I should say that I've tried restarting my client multiple times, and a couple of times it's worked successfully and downloaded a certificate from Staging! But I still can't figure out why this works in some cases and not in others. The error message the ACME server gives me is either "No TXT record found at _acme-challenge.sor0.ru" or "During secondary validation: No TXT record found at _acme-challenge.sor0.ru".