LE servers DNS caching is preventing certificate from being issued


#1

Hello everyone.

I am using @serverco’s getssl client to renew a certificate for one of my domains. However, the process is failing with “DNS problem: NXDOMAIN looking up TXT for _acme-challenge.s007.co”. I believe the issue is to do with the domain’s DNS being cached by the ACME servers, preventing it from issuing a certificate.

The domain is s007.co and the challenge is at https://acme-v01.api.letsencrypt.org/acme/challenge/KhSNr1OZenuCES20hfS8prR3SnwwL3iuh-_0ZVY_IBc/694042360.

This has been happening for the last few weeks and the current certificate has now expired.

Can someone please take a look at this?


#2

have you added the token into your DNS at _acme-challenge.s007.co ? from a dig I’m not seeing it.


#3

Yes, that is done by means of a script.

I have removed the token from the DNS after the failure (because otherwise the ACME servers won’t know which one to use the next time I run it) which is why you’re not seeing it.

The config and scripts work fine for every other domain I have, it is just this domain that has issues.


#4

The ACME server will just check it is one of the values if there is more than one - so you don’t need to delete it for that reason ( it is good to tidy up of course, but for testing it’s fine to leave it there).

Can you run it again please, leaving the token there, and provide a copy of the output to the script please. (possibly in pastebin.com)


#5

I’ve had problems from leaving old tokens around in the past (which I’ve never understood, since as you say it should just check the correct values).

Anyway, the paste is at https://ghostbin.com/paste/yu2cp

All the spydar007.com domains are fine, the s007.co is a SANS and has worked fine previously.

It actually looks like the token is being incorrectly added to the zone file (it has three records, none of which correspond to the challenge in the paste).


#6

Thanks,

There is an unusual line

nslookup: couldn’t get address for ‘’: not found

which means it isn’t getting the primary nameserver for some reason.

in the config file can you add

AUTH_DNS_SERVER=“ns1.spydar007.net

then try running it again please


#7

That did it!

This comes back to an issue I was having months ago where various people couldn’t access that domain, with an NXDOMAIN error. It’s almost as if the DNS nameservers are set incorrectly with the registrar (they aren’t, and I have checked with them and have said everything is fine from their end), and that my DNS servers cannot be contacted.

I’ll have to investigate this further, but thanks for your help.


#8

You’re welcome, glad that fixed it :slight_smile:


#9

There definitely appears to be something odd going on with your nameservers:

http://dns.squish.net/traverses/d853555518e2ddfddbc8920fcb3b567d/detail


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.