Http-01 challenge always pending for particular domain


#1

Hey!

I’ve been gradually requesting certificates for a few thousand domains, which is going very well. However, out of all of them, I’m having trouble with just one - proofs.ruthgillson.com

This domain correctly returns NOERROR for CAA queries on the sub and parent domain, and doesn’t appear to have any strange situations with inaccessible AAAA or DNSSEC issues. I’m stumped!

Why does this challenge never move forward?

Thanks!


#2

Hi,

What tool are you currently using?

Thank you


#3

This is a custom implementation based on https://github.com/acmephp/core


#4

Can you provide more detail on (or logs showing) the trouble?

FYI: https://letsdebug.net/proofs.ruthgillson.com/11368

proofs.ruthgillson.com CNAME to clients.shootproof.com


#5

This is great, thanks! I didn’t know about this tool’s existence. So the next logical question is, why does it show SERVFAIL when the authoritative servers do not? Are the responses cached externally for some period of time by LetsEncrypt?

$ dig proofs.ruthgillson.com CAA @ns3.ideaworldhq.net
; <<>> DiG 9.10.6 <<>> proofs.ruthgillson.com CAA @ns3.ideaworldhq.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59789
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available

#6

Never; LE doesn’t cache anything DNS.

Same IP for both name servers?
Name: ns3.ideaworldhq.net Address: 96.125.184.251
Name: ns4.ideaworldhq.net Address: 96.125.181.251


#7

That’s pretty entertaining (and a bad idea), but I don’t think it’s a violation of any standard (full disclosure, I’m not the registrar).


#8

ideaworldhq.net zone: The server(s) were not responsive to queries over TCP.


#9

Ah ha! So LetsEncrypt uses TCP queries for DNS?

I can reproduce with

dig +tcp proofs.ruthgillson.com CAA @ns3.ideaworldhq.net
;; Connection to 96.125.184.251#53(96.125.184.251) for proofs.ruthgillson.com failed: connection refused.

#10

In fact, the same IP for both nameservers is a violation of IANA requirements.

https://www.iana.org/help/nameserver-requirements


#11

Hi @rokclimb15

Good catch @rg305, thanks!

Not by default, but for cases where the response is larger than 512 bytes (our advertised edns buffersize value) there will be a truncated response from the authoritative nameserver and we will retry the query over TCP.

I suspect that’s what is happening here, dig @ns3.ideaworldhq.net +norecurse proofs.ruthgillson.com shows big authority/additional information sections in the answer. Delivering a truncated answer without supporting TCP queries will result in the Let’s Encrypt issuance problems you’ve observed.

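The truncate-then-retry-over-TCP behaviour described in #11, as an added example (not code from this thread, from Let's Encrypt, or from acmephp): it builds a CAA query that advertises a 512-byte EDNS0 buffer, decodes the TC bit from a reply, and, as a live check only, asks whether a nameserver accepts the same query over TCP. The sample reply bytes, the transaction id and the helper names are constructed for the example, not captured from the servers discussed above.

```python
import socket
import struct

def encode_name(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels plus the root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_caa_query(name: str, udp_size: int = 512, txid: int = 0x1234) -> bytes:
    """Query <name> CAA (type 257) with an EDNS0 OPT record advertising udp_size."""
    # header: id, flags (RD clear, like dig +norecurse), qd=1, an=0, ns=0, ar=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 257, 1)
    # OPT pseudo-RR: root name, type 41, the CLASS field carries the UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def parse_flags(resp: bytes) -> dict:
    """Decode the header fields that matter for this failure mode."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),  # truncated: the resolver must retry over TCP
        "answer": an, "authority": ns, "additional": ar,
    }

def needs_tcp_retry(resp: bytes) -> bool:
    return parse_flags(resp)["tc"]

def tcp_fallback_works(server: str, name: str, timeout: float = 3.0) -> bool:
    """Live check (not exercised offline): does the server answer the same query over TCP?"""
    query = build_caa_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS is length-prefixed
            length = struct.unpack("!H", s.recv(2))[0]
            return parse_flags(s.recv(length))["id"] == 0x1234
    except (OSError, struct.error):  # e.g. "connection refused", as in the dig +tcp output above
        return False

# Constructed sample reply (not captured from the servers in the thread): NOERROR with
# AA and TC set and no records, i.e. what a server sends when the full authority/additional
# sections would not fit in the 512 bytes the client advertised.
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8600, 1, 0, 0, 0)
                   + encode_name("proofs.ruthgillson.com") + struct.pack("!HH", 257, 1))
```

A nameserver that sets TC on its UDP replies but refuses port 53/TCP will make tcp_fallback_works return False, which is the combination that stalls the challenge.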

#12

Thanks @rg305 and @cpu for your help. I’ve advised the domain owner to choose a registrar with compliant DNS servers.

