During the issuance process I ran into an issue verifying control of one of my domains, turns out I had DNS configured wrong, it was pointing at an individual Application Server instead of the load-balancer. The site was operational so I hadn’t caught that this site wasn’t being distributed by the load-balancer across my network.
I was able to complete the process of issuing a SAN cert for the rest of the domains by leaving that domain out. I modified the DNS records and waited for them to propagate across my host’s network of DNS servers (I host @Linode), After a few hours I tried to issue a new cert for the domain that had failed earlier only to see it still failing. I checked the domain’s DNS settings and it was correct in my authoritative DNS servers, I also checked using external tools like NWTools.com’s DNS query tool which was returning the correct value for the A record. I tried again 24 hours later, and am still getting the error.
Failed authorization procedure. www.copy.mx (simpleHttp): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.copy.mx/.well-known/acme-challenge/p67dvPAKbViesuIjoNMuIcIgDT5RT1Uybi1xLo6Who0 [OLD IP ADDRESS]: 404, copy.mx (dvsni): unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge
- The following ‘unauthorized’ errors were reported by the server:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain contains
the right IP address.
So, even though the DNS records had propagated through the internet and traffic for this domain was now hitting my load-balancer. LetsEncrypt’s server was still using OLD DNS information (cached?) to attempt to do the Domain Verification.
I switched to the Application server that LetsEncrypt was trying to verify the domain at, grabbed the python client to attempt to verify the domain here, the domain verified perfectly and a certificate was issued.
I do not know if there is a (security) reason why we would cache DNS lookups, intentionally slow down changes to the domains to issue certs?