How to debug intermittent challenge failures?

hmm...
Which DNS servers does your server use?
cat /etc/resolv.conf

Disregard; the problem is not outbound DNS.

For some unknown reason, those cloud DNS systems have issues from some of the LE test locations.
@_az, can you crosscheck/fact-check any of this?

mylittlestashbox.com    nameserver = ns-cloud-c1.googledomains.com
mylittlestashbox.com    nameserver = ns-cloud-c2.googledomains.com
mylittlestashbox.com    nameserver = ns-cloud-c3.googledomains.com
mylittlestashbox.com    nameserver = ns-cloud-c4.googledomains.com

DNS-Viz looks good:
mylittlestashbox.com | DNSViz

EDNS tests OK:
EDNS Compliance Tester (isc.org)

I'm thinking maybe Google is using GeoIP and some areas/sites aren't as "available".


Hard to say.

Intermittent SERVFAILs against Google Cloud DNS is not a good sign.

On the other hand, we don't have any other user reports. Usually there are, for widespread problems.

If Google is maybe rate-limiting the secondary VAs, it might help to actually create a CAA record for each of your 10 subdomains, to prevent extra DNS queries from the CAA algorithm. I don't know if Let's Encrypt caches negative responses so the difference might be negligible.

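To make the "extra DNS queries from the CAA algorithm" concrete, here is an added simulation (not from this thread and not Let's Encrypt's own code) of the RFC 8659 tree-climbing CAA lookup over a constructed in-memory zone; the sub1 hostname and the record contents are made-up assumptions. It counts how many lookups a CA must make for a subdomain when there is no CAA record, a CAA record only at the apex, or one on the subdomain itself; every lookup is one more chance to hit an intermittent SERVFAIL.

```python
# Constructed zone data (not taken from the thread): name -> list of CAA record strings.
# mylittlestashbox.com is the thread's domain; the "sub1" label is made up.
ZONE_NO_CAA = {}
ZONE_APEX_CAA = {"mylittlestashbox.com": ['0 issue "letsencrypt.org"']}
ZONE_PER_SUB_CAA = {
    "mylittlestashbox.com": ['0 issue "letsencrypt.org"'],
    "sub1.mylittlestashbox.com": ['0 issue "letsencrypt.org"'],
}


def parent(name: str) -> str:
    """Strip the leftmost label; a single-label name ('com') climbs to the root '.'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else "."


def relevant_caa_set(zone: dict, name: str) -> tuple[list[str], list[str]]:
    """RFC 8659 section 3 lookup: climb from the leaf towards the root and stop at
    the first name that has CAA records. Returns (records, names queried in order).
    The root itself is never queried."""
    queried = []
    domain = name
    while domain != ".":
        queried.append(domain)
        records = zone.get(domain, [])
        if records:
            return records, queried
        domain = parent(domain)
    return [], queried


def issuance_permitted(records: list[str], ca_domain: str) -> bool:
    """An empty relevant set means any CA may issue; otherwise an 'issue' tag
    naming ca_domain is required (parameters after ';' are ignored here)."""
    if not records:
        return True
    for rec in records:
        _flags, tag, value = rec.split(" ", 2)
        if tag == "issue" and value.strip('"').split(";")[0].strip() == ca_domain:
            return True
    return False


if __name__ == "__main__":
    for label, zone in [("no CAA", ZONE_NO_CAA), ("apex CAA", ZONE_APEX_CAA),
                        ("per-subdomain CAA", ZONE_PER_SUB_CAA)]:
        recs, q = relevant_caa_set(zone, "sub1.mylittlestashbox.com")
        print(f"{label}: {len(q)} lookups {q}, "
              f"permitted={issuance_permitted(recs, 'letsencrypt.org')}")
```

With no CAA record the check walks up to "com" (three lookups per hostname); an apex record stops the climb at two, and a record on each subdomain stops it at one.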

Is it worth submitting something to Google Domains' "contact us"? Not sure exactly what I would say though.

OK so I added a CAA record for the top level domain (I had not explicitly created one before, and it was never a problem). I have now had two fully successful sets of challenges in a row. Unless I post back in this thread saying otherwise, let's assume that fixed it.

