Letsencrypt uses old DNS data during authorization

domain: htnk.nl
new ip: 188.226.153.128
old ip: 194.109.6.98
The DNS was updated around 40 hours ago.

I get the error:

Failed authorization procedure. htnk.nl (http-01): urn:acme:error:unauthorized :: 
The client lacks sufficient authorization :: Invalid response from 
http://htnk.nl/.well-known/acme-challenge/KdmQehhBeZ2n1PrLdpeuI0b5Gas-4tBWMH9UxwcoAXQ: 
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

This is a generic nginx page. My new server runs Apache, so Letsencrypt must connect to the old server. I’ve validated this by changing my hosts file and connecting to the old server. I guess Letsencrypt is using old DNS data. But the weird thing is the DNS data for htnk.nl seems up to date everywhere I look.

I don’t have access to the old server, so I can’t transfer the keys.

I’m at a loss.

Hi @Soramika,

I notice your domain name also has an IPv6 AAAA record:

$ dig +short AAAA htnk.nl
2001:888:0:18::117:80

Does that happen to belong to the old server as well? Since May Let's Encrypt has preferred IPv6 addresses for dual-homed hosts which means that the validation authority is connecting to this IPv6 address and not one of the two IPv4 addresses you shared.

If this is the old IPv6 address I recommend updating the AAAA to point to the new server's IPv6 address.

If this is the new server's IPv6 address you should check that your webserver is directing the request to the correct webroot that the ACME client configured when the request comes in over IPv6.

If all else fails you could try removing the AAAA record but I would leave that as a last resort since working IPv6 should be everyone's goal in 2017 :slight_smile:

I think I've identified the problem above but just to be clear if not - Let's Encrypt doesn't cache DNS data for any considerable time. Our recursive resolver talks directly to one of your authoritative DNS servers and our max TTL is set quite low (sub 1m). It's almost never the case that the problem is stale DNS data.

Hope that helps!
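The check described in the reply above, written out as an added example (not code from the thread or from Let's Encrypt): resolve both the A and AAAA records, then request the challenge path from each published address individually, sending the domain in the Host header so a dual-homed host cannot hide which server answered. The "prefer IPv6 when an AAAA record exists" rule is modelled as taking the first AAAA address, which is an assumption about the validator's behaviour beyond what the reply states. The `simulated_fetch` responses are constructed to mirror the thread (IPv6 answers with the nginx 404, IPv4 serves the token); the token and key authorization values are placeholders.

```python
"""Diagnose which address an HTTP-01 validator reaches for a dual-homed host."""
import http.client
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

Records = Dict[str, List[str]]
Fetcher = Callable[[str, str, str], Tuple[int, str]]


def resolve(domain: str) -> Records:
    """Return the A and AAAA addresses for domain via the system resolver."""
    records: Records = {"A": [], "AAAA": []}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(domain, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue
        for info in infos:
            addr = info[4][0]
            if addr not in records[rtype]:
                records[rtype].append(addr)
    return records


def preferred_address(records: Records) -> Tuple[Optional[str], Optional[str]]:
    """Assumed validator preference: any AAAA record wins over A records."""
    if records.get("AAAA"):
        return "AAAA", records["AAAA"][0]
    if records.get("A"):
        return "A", records["A"][0]
    return None, None


def fetch_challenge(domain: str, ip: str, token: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET the challenge URL from one specific IP, pinning the Host header to the domain."""
    path = f"/.well-known/acme-challenge/{token}"
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)  # bare IPv6 literals are accepted
    try:
        conn.request("GET", path, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def diagnose(domain: str, token: str, key_authorization: str, records: Records,
             fetch: Fetcher = fetch_challenge) -> dict:
    """Probe every published address and report whether the validator's pick serves the token."""
    per_address = {}
    for rtype in ("AAAA", "A"):
        for ip in records.get(rtype, []):
            try:
                status, body = fetch(domain, ip, token)
            except OSError as exc:
                per_address[ip] = {"type": rtype, "ok": False, "detail": f"connect failed: {exc}"}
                continue
            ok = status == 200 and body.strip() == key_authorization
            per_address[ip] = {"type": rtype, "ok": ok, "detail": f"HTTP {status}"}
    rtype, ip = preferred_address(records)
    return {
        "validator_type": rtype,
        "validator_target": ip,
        "validator_ok": bool(per_address.get(ip, {}).get("ok", False)),
        "per_address": per_address,
    }


# Constructed stand-in for the thread's situation: the AAAA address still points at the
# old nginx box (404), the new IPv4 address serves the key authorization correctly.
def simulated_fetch(domain: str, ip: str, token: str) -> Tuple[int, str]:
    if ":" in ip:
        return 404, "<html><head><title>404 Not Found</title></head></html>"
    return 200, f"{token}.PLACEHOLDER-THUMBPRINT\n"


if __name__ == "__main__":
    if len(sys.argv) == 4:  # real run: domain token key-authorization
        domain, token, keyauth = sys.argv[1:]
        result = diagnose(domain, token, keyauth, resolve(domain))
    else:  # offline demo with the constructed records from the thread
        demo = {"A": ["188.226.153.128"], "AAAA": ["2001:888:0:18::117:80"]}
        result = diagnose("htnk.nl", "TOKEN", "TOKEN.PLACEHOLDER-THUMBPRINT", demo, simulated_fetch)
    for ip, info in result["per_address"].items():
        print(f"{info['type']:>4} {ip:<40} {'OK' if info['ok'] else 'FAIL'} ({info['detail']})")
    print("validator would use:", result["validator_type"], result["validator_target"],
          "-> OK" if result["validator_ok"] else "-> will fail")
```

Run it with no arguments for the constructed demo, or with `domain token key-authorization` to probe a live host; a FAIL on the address in the `validator would use` line is the mismatch the reply describes, and a FAIL only on the IPv6 address while IPv4 is OK points at either a stale AAAA record or an IPv6 vhost with the wrong webroot.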

OMG that makes so much sense. You’re a hero, I could kiss you. I’ll look into it. Thanks! <3


Great! Glad to help. :tada:

Please let us know if that ended up being the solution or if there were other troubles to address.
