LE Staging DNS Servers?

mxplusb · November 26, 2019, 8:24pm

I’m working on testing a higher-order client against the LE staging environment. I am currently using Google, Cloudflare, and Level3’s public DNS servers to check my DNS-01 challenges. My workflow leverages the go-acme/lego internally, with the DNS precheck using all three of the referenced public providers to verify the record is available before continuing the certificate request workflow. The challenges are resolving just fine from all 3 providers, but the LE staging server keeps throwing these kinds of errors:

acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov

But I can resolve it, and it works just fine.

dig -t txt _acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov

; <<>> DiG 9.10.6 <<>> -t txt _acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22889
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov. IN TXT

;; ANSWER SECTION:
_acme-challenge.db-v2-3019.cdn-broker-test.cloud.gov. 60 IN TXT	"ZKYTWRW4oFyBlJhZKhDSuD9xTkRRxfrspLfqz3ZMl44"

;; Query time: 138 msec
;; SERVER: 192.168.115.4#53(192.168.115.4)
;; WHEN: Tue Nov 26 13:11:13 MST 2019
;; MSG SIZE  rcvd: 137

What DNS provider does the LE staging environment use? I want to make sure they can resolve the DNS records because using the public DNS servers doesn’t seem to work.

_az · November 26, 2019, 8:34pm

They run their own recursive Unbound resolvers, rather than using a public one. Their resolver is configured to observe whatever TTLs you use, with an upper limit of 60 seconds.

I think this likely suggests that you haven't waited long enough for the Route53 change to apply to all their servers globally.

Let's Encrypt staging uses multi-VA validation, meaning they will check the DNS from USA, Europe, etc.

It's possible that you are shooting your shot slightly prematurely - at a time when the record is visible on some Route53 nameservers, but not all of them globally.

tl;dr; Try a dumb 60 second sleep before responding to the challenges.

mxplusb · November 26, 2019, 8:38pm

Ah, I did not know this. That makes sense, I will try the tl;dr method and see if that works.

system · December 26, 2019, 8:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error using DNS Challenge with Staging and HAProxy on OPNsense Help	8	501	July 8, 2024
_acme-challenge nxdomain issue - Cloudflare Help	5	685	May 6, 2022
Dns-01 challenge failure / wildcard certificate Client dev	3	2183	June 15, 2018
Problem with DNS challenge with Cloudflare Help	16	3373	May 4, 2024
Error 'urn:acme:error:connection': DNS problem: SERVFAIL Server	3	2091	May 14, 2016

LE Staging DNS Servers?

Related topics