Letsencrypt can't resolve DNS

Hi, I am trying to get a certificate for minidebconf.curitiba.br, which was registered 3 days ago. Not sure if that is relevant, but the curitiba.br TLD was also only made available for registration 3 days ago. I am using dehydrated as the client.

The response I get is:

# INFO: Using main config file /etc/dehydrated/config
Processing minidebconf.curitiba.br
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for minidebconf.curitiba.br...
 + Responding to challenge for minidebconf.curitiba.br...
# !! WARNING !! Extra configuration directory /etc/dehydrated/conf.d exists, but no configuration found in it.
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unknownHost",
    "detail": "No valid IP addresses found for minidebconf.curitiba.br",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/9fKqyy6JfzA3F1wJ3w2KWUsKIMFwsdnA8OKhY-eyZRk/2459918393",
  "token": "N6bPl2yUcCo9LWFcQdXT2xHJy_55uPWc1HaD3Rls3FM",
  "keyAuthorization": "N6bPl2yUcCo9LWFcQdXT2xHJy_55uPWc1HaD3Rls3FM.s-QUxdkD7XSz17uAvOtCZ6qDYRk3tfDJqjOClZLkYMM",
  "validationRecord": [
    {
      "url": "http://minidebconf.curitiba.br/.well-known/acme-challenge/N6bPl2yUcCo9LWFcQdXT2xHJy_55uPWc1HaD3Rls3FM",
      "hostname": "minidebconf.curitiba.br",
      "port": "80",
      "addressesResolved": [],
      "addressUsed": "",
      "addressesTried": []
    }
  ]
})

I have tried resolving the name from various servers that I have access to, across the planet, and it seems to be fine. What else can I try?

There’s something wrong with how the domain’s DNS servers handle capitalization. Though I’m not exactly sure what.

I can reproduce the failure on my own resolver, and https://unboundtest.com/.

https://unboundtest.com/m/A/minidebconf.curitiba.br/746A7YT2

AAAA and CAA and other query types succeed, A fails.

A gets a negative response that is also invalid. Unbound says “debug: NODATA response failed to prove NODATA status with NSEC/NSEC3”.

$ dig @publicdns.goog minidebconf.curitiba.br

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @publicdns.goog minidebconf.curitiba.br
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42823
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;minidebconf.curitiba.br.       IN      A

;; ANSWER SECTION:
minidebconf.curitiba.br. 800    IN      A       198.58.116.17

;; Query time: 2 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Nov 13 12:22:18 UTC 2017
;; MSG SIZE  rcvd: 68

$ dig @publicdns.goog Minidebconf.Curitiba.Br

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @publicdns.goog Minidebconf.Curitiba.Br
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20831
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;Minidebconf.Curitiba.Br.       IN      A

;; Query time: 197 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Nov 13 12:21:26 UTC 2017
;; MSG SIZE  rcvd: 52

$ dig +dnssec +norecurse @a.auto.dns.br minidebconf.curitiba.br

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec +norecurse @a.auto.dns.br minidebconf.curitiba.br
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65299
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;minidebconf.curitiba.br.       IN      A

;; ANSWER SECTION:
minidebconf.curitiba.br. 900    IN      A       198.58.116.17
minidebconf.curitiba.br. 900    IN      RRSIG   A 13 3 900 20171113125000 20171113121000 33150 minidebconf.curitiba.br. G3T15hOxn4v0MJpOQCIbO2pyUDys3LMb2KeWCBw0IwZ0TZy1a2SGygUu /U7B7MK7Sic7TPxq1D5O/GxcXXxvVw==

;; Query time: 148 msec
;; SERVER: 2001:12ff:0:2::88#53(2001:12ff:0:2::88)
;; WHEN: Mon Nov 13 12:26:18 UTC 2017
;; MSG SIZE  rcvd: 187

$ dig +dnssec +norecurse @b.auto.dns.br Minidebconf.Curitiba.Br

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec +norecurse @b.auto.dns.br Minidebconf.Curitiba.Br
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17082
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Minidebconf.Curitiba.Br.       IN      A

;; AUTHORITY SECTION:
minidebconf.curitiba.br. 900    IN      SOA     a.auto.dns.br. hostmaster.registro.br. 2017317490 1800 900 604800 900
minidebconf.curitiba.br. 900    IN      RRSIG   SOA 13 3 900 20171113125000 20171113121000 33150 minidebconf.curitiba.br. nS2saNzM2xJ0bMXmpzQXJQl0/yTH+lUpu7DUM7qRobK2H2otkdtN25Lm 15ir1hWXwXx9yCkk/C7Q0RXoziSaeg==
minidebconf.curitiba.br. 900    IN      NSEC    www.minidebconf.curitiba.br. A NS SOA RRSIG NSEC DNSKEY
minidebconf.curitiba.br. 900    IN      RRSIG   NSEC 13 3 900 20171113125000 20171113121000 33150 minidebconf.curitiba.br. PH86iE5fJLeVXwgXQkfH8kGe8TUPYL+geXH4FbJJBUViLoMiIWSGUBXg cVc7UloSRtxsHmu9jwBvLZgLvSjYow==

;; Query time: 149 msec
;; SERVER: 2001:12ff:0:2::89#53(2001:12ff:0:2::89)
;; WHEN: Mon Nov 13 12:26:36 UTC 2017
;; MSG SIZE  rcvd: 430
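The failure above is a 0x20 case-sensitivity bug in the authoritative server: a resolver that does 0x20 encoding (Unbound, and therefore Let's Encrypt's validation resolver) sends the query name with the case of individual letters flipped at random, and the server must answer exactly as it would for the all-lowercase name. The following script, an added example that is not part of the original thread or of dehydrated, reproduces that test with only the Python standard library: it sends the lowercase name and a randomised mixed-case name to one authoritative server over UDP and compares the two replies (same RCODE, same answer count, question name echoed as sent). It assumes an IPv4 server address and plain UDP on port 53; the `192.0.2.53` address in the usage comment is a placeholder, and `build_response()` exists only to construct sample packets offline.

```python
import random
import socket
import struct
import sys

QTYPE_A, QCLASS_IN = 1, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def randomize_0x20(name: str, seed: int = 0) -> str:
    """Flip the 0x20 (case) bit on a random subset of the letters in `name`,
    the way a 0x20-encoding resolver such as Unbound does. `seed` only makes
    the output reproducible."""
    rng = random.Random(seed)
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower()
                   for c in name)


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, case preserved, no compression."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def build_query(qname: str, qid: int) -> bytes:
    """A query with RD clear (like `dig +norecurse`); the question name is
    sent exactly as given."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def decode_name(data: bytes, off: int) -> tuple:
    """Decode a possibly compressed name starting at `off`; case is preserved."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_response(data: bytes) -> dict:
    """Header fields plus the echoed question name, which is all the check needs."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    qname = decode_name(data, 12)[0] if qd else ""
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)), "qname": qname, "ancount": an}


def build_response(qname: str, qid: int, rcode: int, addresses) -> bytes:
    """Authoritative reply (QR and AA set) with one A record per address, the
    owner name compressed to the question name. Used only to construct sample
    packets offline; a real server's reply goes straight to parse_response()."""
    flags = 0x8400 | (rcode & 0xF)
    pkt = struct.pack(">HHHHHH", qid, flags, 1, len(addresses), 0, 0)
    pkt += encode_name(qname) + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    for ip in addresses:
        pkt += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 900, 4)
        pkt += socket.inet_aton(ip)
    return pkt


def check_0x20(mixed_name: str, lower_resp: bytes, mixed_resp: bytes) -> dict:
    """Compare the reply to the all-lowercase query with the reply to the
    mixed-case one. RFC 1035 makes name matching case-insensitive, so a
    correct server returns the same RCODE and answer count for both and
    echoes the question name exactly as it was sent."""
    lo, mx = parse_response(lower_resp), parse_response(mixed_resp)
    problems = []
    if lo["rcode"] != mx["rcode"]:
        problems.append(f"rcode differs: {lo['rcode']} vs {mx['rcode']}")
    if lo["ancount"] != mx["ancount"]:
        problems.append(f"answer count differs: {lo['ancount']} vs {mx['ancount']}")
    if mx["qname"] != mixed_name.rstrip("."):
        problems.append(f"question name not echoed as sent: {mx['qname']!r}")
    return {"ok": not problems, "problems": problems, "lower": lo, "mixed": mx}


def probe(server_ip: str, name: str, seed: int = 0, timeout: float = 3.0) -> dict:
    """Live check over UDP/53 against one authoritative server (IPv4 address).
    All network I/O happens here."""
    lower = name.rstrip(".").lower()
    mixed = randomize_0x20(lower, seed)
    replies = []
    for qid, qname in ((0x1001, lower), (0x1002, mixed)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(qname, qid), (server_ip, 53))
            replies.append(sock.recv(4096))
    return check_0x20(mixed, *replies)


if __name__ == "__main__":
    # Usage (placeholder address): python3 check0x20.py 192.0.2.53 minidebconf.curitiba.br
    result = probe(sys.argv[1], sys.argv[2])
    print("OK" if result["ok"] else "BROKEN: " + "; ".join(result["problems"]))
```

Run it against each authoritative server of the zone rather than a public resolver: a resolver that already has the lowercase answer cached, or that does not use 0x20 itself, would hide the problem, which is exactly why the same name worked from "various servers across the planet" but not from Let's Encrypt. In the thread's case the lowercase query returns one A record and the mixed-case query returns NOERROR with no answers, so the script reports "answer count differs: 1 vs 0".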

Hi, thanks for the quick reply! Indeed, the DNS servers seem to be broken with regard to respecting the 0x20 bits in the letters of the domain name. We replaced the DNS servers and now it seems to work.

