MASTER DCV: 400 urn:ietf:params:acme:error:dns

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.bitbundle.in

I ran this command: https://www.bitbundle.in

It produced this output: Your connection to this site is not secure

My web server is (include version):

The operating system my web server runs on is (include version): linux

My hosting provider, if applicable, is: Bigrock

I can login to a root shell on my machine (yes or no, or I don't know): i don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 94.0.11

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I am receiving the following error in Certificate status on my SSL/TLS Status page:
MASTER DCV: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (No valid IP addresses found for bitbundle.in) 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bitbundle.in - check that a DNS record exists for this domain)

You've got some odd inconsistencies in your domain's DNS configuration that are likely contributing to your problems getting a certificate. Most notably:

  • The NS records configured at the registrar don't match the NS records returned by those nameservers
  • The SOA serial number reported by the various nameservers isn't the same which usually indicates they're not serving the same copy of the zone.

I'd recommend trying to solve these issues first and then trying again.

https://intodns.com/bitbundle.in


I am a complete beginner to this.
Can you give me out some instructions or links for this?
would be really grateful.

I can try to help in generalities, but I can't give specific instructions because I know nothing about Bigrock or cPanel.

When the internet wants to know who to ask for DNS records for bitbundle.in, it first asks the authorities that own the .in TLD. One of them happens to be ns1.registry.in. This is what we get when we query the NS records for your domain from the TLD:

>dig ns bitbundle.in. @ns1.registry.in. +noall +answer +authority
bitbundle.in.           3600    IN      NS      dns3.bigrock.in.
bitbundle.in.           3600    IN      NS      dns4.bigrock.in.
bitbundle.in.           3600    IN      NS      cns3999.bigrock.com.
bitbundle.in.           3600    IN      NS      cns4000.bigrock.com.

They all appear to be Bigrock related which would make sense if Bigrock is both your domain registrar and your DNS provider. There's probably a place in your control panel to configure the nameservers for your domain. If you can find it, can you post a screenshot? It would also help to post a screenshot of the DNS management page for the domain (where you can ideally see the SOA and NS records).

Let's look up the IP addresses for each of those names:

>dig dns3.bigrock.in. +noall +answer
dns3.bigrock.in.        300     IN      A       162.251.82.118
dns3.bigrock.in.        300     IN      A       162.251.82.119
dns3.bigrock.in.        300     IN      A       162.251.82.246
dns3.bigrock.in.        300     IN      A       162.251.82.247

>dig dns4.bigrock.in. +noall +answer
dns4.bigrock.in.        300     IN      A       162.251.82.124
dns4.bigrock.in.        300     IN      A       162.251.82.125
dns4.bigrock.in.        300     IN      A       162.251.82.252
dns4.bigrock.in.        300     IN      A       162.251.82.253

>dig cns3999.bigrock.com. +noall +answer
cns3999.bigrock.com.    300     IN      A       162.241.85.118

>dig cns4000.bigrock.com. +noall +answer
cns4000.bigrock.com.    300     IN      A       162.241.85.119

It's a little uncommon for DNS servers to resolve to multiple IP addresses. But it's not wrong as long as all of them return consistent results.

Let's query the SOA record for bitbundle.in on each of the IP addresses we got in the previous queries:

>dig +noall +answer soa bitbundle.in. @162.251.82.118
bitbundle.in.           7200    IN      SOA     dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400

>dig +noall +answer soa bitbundle.in. @162.251.82.119
bitbundle.in.           7200    IN      SOA     dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400

>dig +noall +answer soa bitbundle.in. @162.251.82.246
bitbundle.in.           7200    IN      SOA     dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400

>dig +noall +answer soa bitbundle.in. @162.251.82.247
bitbundle.in.           7200    IN      SOA     dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400

>dig +noall +answer soa bitbundle.in. @162.251.82.124
bitbundle.in.           7200    IN      SOA     dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400

>dig +noall +answer soa bitbundle.in. @162.251.82.125
bitbundle.in.           7200    IN      SOA     dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400

>dig +noall +answer soa bitbundle.in. @162.251.82.252
bitbundle.in.           7200    IN      SOA     dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400

>dig +noall +answer soa bitbundle.in. @162.251.82.253
bitbundle.in.           7200    IN      SOA     dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400

>dig +noall +answer soa bitbundle.in. @162.241.85.118
bitbundle.in.           86400   IN      SOA     cns3999.bigrock.com. root.cs2000.bigrock.com. 2021061704 86400 7200 3600000 86400

>dig +noall +answer soa bitbundle.in. @162.241.85.119
bitbundle.in.           86400   IN      SOA     cns3999.bigrock.com. root.cs2000.bigrock.com. 2021061704 86400 7200 3600000 86400

Each of the IPs for dns3 and dns4 returns consistent results. Though it's a little weird they reference dns1.bigrock.in as the primary nameserver since that wasn't included in the records from the TLD. More importantly, they don't match the results returned by cns3999 and cns4000. It's as if dns3 and dns4 are hosting one copy of the domain and cns3999 and cns4000 are hosting a different copy. The primary indication is the SOA serial which is the first all numeric value in those responses that looks a bit like a date. Think of it like a version number for the data in the zone. The value should increase every time there's a change.

dns3 and dns4 think the serial is 2021061705 versus 2021061704 on cns3999 and cns4000. So dns3 and dns4 theoretically have a slightly newer copy of the zone. But what matters is that they're different and so clients querying for records in the zone will likely get different responses depending on which pair of nameservers they ask.

Let's take a look at what one IP from each set returns for NS records for bitbundle.in.

>dig +noall +answer ns bitbundle.in. @162.251.82.118
bitbundle.in.           38400   IN      NS      dns1.bigrock.in.
bitbundle.in.           38400   IN      NS      dns2.bigrock.in.
bitbundle.in.           38400   IN      NS      dns3.bigrock.in.
bitbundle.in.           38400   IN      NS      dns4.bigrock.in.

>dig +noall +answer ns bitbundle.in. @162.241.85.118
bitbundle.in.           86400   IN      NS      cns3999.bigrock.com.
bitbundle.in.           86400   IN      NS      cns4000.bigrock.com.

This further confirms that we appear to have 2 separate sets of DNS servers here. Was there a DNS migration within Bigrock at some point? My guess is that you're going to need to update the nameservers for the domain to either point to dns1-4.bigrock.in or cns3999-4000.bigrock.com. But I can't say for sure which ones. And I don't know why they'd be messed up to begin with if you're just using the defaults provided by Bigrock.
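The two inconsistencies named in the first reply (delegation NS set vs. in-zone NS set, and differing SOA serials) are checked by hand in the post above with a long series of dig commands. The script below, added here as an example and not part of the original thread or of any Bigrock or cPanel tooling, automates the same checks for an arbitrary zone and also looks for the `_acme-challenge` TXT record that the cPanel error message says is missing. The comparison logic is written as functions over dig-style answer lines so it can be exercised offline on a constructed sample taken from the output quoted above; `query_live` wraps the real dig calls and needs network access. Function names and the sample data are my own.

```shell
#!/usr/bin/env bash
# Added example: automate the zone-consistency checks done by hand in the thread.
#   1. every nameserver in the delegation serves the same SOA serial, and
#   2. the NS set delegated by the parent (TLD) matches the NS set inside the zone,
#   3. (live only) each server answers for _acme-challenge.<zone> TXT, as DNS-01 needs.
set -u

# check_serials: stdin lines are "<server> <dig +noall +answer soa output>", i.e. fields
# server owner TTL IN SOA mname rname serial refresh retry expire minimum.
# Prints which servers report which serial; exit 0 only if exactly one serial is seen.
check_serials() {
    awk '$5 == "SOA" { seen[$8] = seen[$8] " " $1 }
         END { n = 0
               for (s in seen) { n++; printf "serial %s:%s\n", s, seen[s] }
               exit (n == 1) ? 0 : 1 }'
}

# ns_sets_match "a. b. c." "c b a": succeed if both NS lists contain the same names,
# ignoring order, letter case and the trailing dot.
ns_sets_match() {
    local a b
    a=$(printf '%s\n' $1 | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u | tr '\n' ' ')
    b=$(printf '%s\n' $2 | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u | tr '\n' ' ')
    [ "$a" = "$b" ]
}

# Constructed sample copied from the dig output earlier in the thread: two dns3/dns4
# addresses and the two cns addresses, each prefixed with the server that answered.
split_zone_serials() {
    check_serials <<'EOF'
162.251.82.118 bitbundle.in. 7200 IN SOA dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400
162.251.82.124 bitbundle.in. 7200 IN SOA dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400
162.241.85.118 bitbundle.in. 86400 IN SOA cns3999.bigrock.com. root.cs2000.bigrock.com. 2021061704 86400 7200 3600000 86400
162.241.85.119 bitbundle.in. 86400 IN SOA cns3999.bigrock.com. root.cs2000.bigrock.com. 2021061704 86400 7200 3600000 86400
EOF
}

# Same sample restricted to the dns3/dns4 pair, which the thread showed to be consistent.
consistent_zone_serials() {
    check_serials <<'EOF'
162.251.82.118 bitbundle.in. 7200 IN SOA dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400
162.251.82.124 bitbundle.in. 7200 IN SOA dns1.bigrock.in. shubham1286.15014.gmail.com. 2021061705 7200 7200 172800 38400
EOF
}

# query_live ZONE: run the checks against the real DNS for ZONE (requires dig + network).
query_live() {
    local zone=$1 tld parent parent_ns child_ns ns ip ips
    tld=${zone##*.}
    parent=$(dig +short ns "$tld." | head -n 1)
    [ -n "$parent" ] || { echo "no nameserver found for .$tld" >&2; return 2; }
    # The TLD server answers with a referral, so the NS set is in the authority section.
    parent_ns=$(dig +noall +answer +authority ns "$zone." "@$parent" | awk '$4 == "NS" { print $5 }')
    echo "delegation at $parent:" $parent_ns
    ips=$(for ns in $parent_ns; do dig +short a "$ns"; done | grep -E '^[0-9.]+$')
    [ -n "$ips" ] || { echo "delegated nameservers have no A records" >&2; return 2; }
    for ip in $ips; do
        printf '%s %s\n' "$ip" "$(dig +noall +answer soa "$zone." "@$ip")"
    done | check_serials || echo "WARNING: nameservers disagree on the SOA serial"
    child_ns=$(dig +short ns "$zone." "@${ips%%[[:space:]]*}")
    echo "NS set inside the zone:" $child_ns
    ns_sets_match "$parent_ns" "$child_ns" || echo "WARNING: parent and child NS sets differ"
    # DNS-01 validators may hit any authoritative server, so the TXT must be on all of them.
    for ip in $ips; do
        [ -n "$(dig +short txt "_acme-challenge.$zone." "@$ip")" ] \
            || echo "WARNING: $ip returns no TXT for _acme-challenge.$zone"
    done
}

# Offline demo when run without arguments; pass a zone name to check the real DNS.
if [ -n "${1-}" ]; then
    query_live "$1"
else
    echo "== sample: split zone";       split_zone_serials || echo "-> mismatch detected"
    echo "== sample: consistent pair";  consistent_zone_serials && echo "-> consistent"
fi
```

Run it with no arguments to see the sample from this thread flagged as split, or as `./check_zone.sh example.com` (name assumed) to test a live delegation. A consistent zone prints exactly one `serial` line and no WARNING lines; on the data above it prints two `serial` lines because the cns pair and the dns3/dns4 pair carry different copies of the zone.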
