LE Staging DNS Servers?

I’m working on testing a higher-order client against the LE staging environment. I am currently using Google, Cloudflare, and Level3’s public DNS servers to check my DNS-01 challenges. My workflow leverages the go-acme/lego internally, with the DNS precheck using all three of the referenced public providers to verify the record is available before continuing the certificate request workflow. The challenges are resolving just fine from all 3 providers, but the LE staging server keeps throwing these kinds of errors:

acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov

But I can resolve it, and it works just fine.

dig -t txt _acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov

; <<>> DiG 9.10.6 <<>> -t txt _acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22889
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4000
;_acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov. IN TXT

_acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov. 60 IN TXT	"ZKYTWRW4oFyBlJhZKhDSuD9xTkRRxfrspLfqz3ZMl44"

;; Query time: 138 msec
;; WHEN: Tue Nov 26 13:11:13 MST 2019
;; MSG SIZE  rcvd: 137

What DNS provider does the LE staging environment use? I want to make sure they can resolve the DNS records because using the public DNS servers doesn’t seem to work.

They run their own recursive Unbound resolvers, rather than using a public one. Their resolver is configured to observe whatever TTLs you use, with an upper limit of 60 seconds.

I think this likely suggests that you haven’t waited long enough for the Route53 change to apply to all their servers globally.

Let’s Encrypt staging uses multi-VA validation, meaning they will check the DNS from USA, Europe, etc.

It’s possible that you are shooting your shot slightly prematurely - at a time when the record is visible on some Route53 nameservers, but not all of them globally.

tl;dr; Try a dumb 60 second sleep before responding to the challenges.

1 Like

Ah, I did not know this. That makes sense, I will try the tl;dr method and see if that works.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.