Multiple domains on same VPS, nginx proxy manager in front handling SSL certs fails for one of two domains

My domain is:

mokumkraakt.nl
hotelmokum.org

I ran this command:

2022-05-26 12:54:47,802:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-30', '--agree-tos', '--email', 'redacted@email.com', '--domains', '*.mokumkraakt.nl,mokumkraakt.nl', '--authenticator', 'dns-njalla', '--dns-njalla-credentials', '/etc/letsencrypt/credentials/credentials-30']

It produced this output:

2022-05-26 12:56:39,374:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: dns-njalla). The Certificate Authority reported these problems:
  Domain: mokumkraakt.nl
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.mokumkraakt.nl - the domain's nameservers may be malfunctioning

  Domain: mokumkraakt.nl
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.mokumkraakt.nl - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-njalla. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-njalla-propagation-seconds (currently 100 seconds).

My web server is (include version):
openresty 1.19.9.1

The operating system my web server runs on is (include version):
debian 10

My hosting provider, if applicable, is:

1984hosting
domain registered with njalla

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Nginx-proxy-manager:
nginx-proxy-manager 2.9.16

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.27.0


Description:

Nginx Proxy Manager (NPM) runs in front of docker servers for both domains. When I request a wildcard cert for hotelmokum.org using the NPM web interface and the njalla authenticator it works fine, however for mokumkraakt it fails. Both domains are registered with njalla and have their own API keys.

Hi @hmmk, and welcome to the LE community forum :slight_smile:

Something seems amiss with the .NL root DNS system when resolved via other global DNS systems:

nslookup -q=ns mokumkraakt.nl 1.0.0.1
Server:  one.one.one.one
Address:  1.0.0.1
*** one.one.one.one can't find mokumkraakt.nl: Server failed

nslookup -q=ns mokumkraakt.nl 8.8.8.8
Server:  dns.google
Address:  8.8.8.8
*** dns.google can't find mokumkraakt.nl: Server failed

Directly, I see no issue:

nslookup -q=ns mokumkraakt.nl ns1.dns.nl
Server:  UnKnown
Address:  194.0.28.53
mokumkraakt.nl  nameserver = 1-you.njalla.no
mokumkraakt.nl  nameserver = 2-can.njalla.in
mokumkraakt.nl  nameserver = 3-get.njalla.fo
3 Likes

Just plain and simple DNSSEC failure:

https://dnsviz.net/d/mokumkraakt.nl/Yo-88Q/dnssec/

Funnily enough, it was just fine 6 hours ago: mokumkraakt.nl | DNSViz

4 Likes
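The two replies above show the pattern that distinguishes a DNSSEC problem from a dead nameserver: validating public resolvers (1.0.0.1, 8.8.8.8) return SERVFAIL while the authoritative servers answer fine. The script below is an added example, not code from the thread or from Let's Encrypt; it automates that comparison with `dig` (assumed installed, with network access) by querying a validating resolver normally, again with checking disabled (`+cd`), and then the zone's own nameserver, and classifies the result. The default resolver 8.8.8.8 and the `example.nl` names are assumptions; `SAMPLE_SERVFAIL` is a constructed `dig` header for offline parsing.

```python
import re
import subprocess

# Constructed sample of the header lines `dig +noall +comments` prints (not real output).
SAMPLE_SERVFAIL = """\
; <<>> DiG 9.16.1 <<>> +noall +comments _acme-challenge.example.nl TXT
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: ([A-Z]+),")


def parse_rcode(dig_output: str) -> str:
    """Extract the response code (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig's comment header."""
    m = STATUS_RE.search(dig_output)
    return m.group(1) if m else "NO-RESPONSE"


def rcode(name: str, rtype: str, server: str, checking_disabled: bool = False) -> str:
    """Query one server with dig and return the response code. Needs dig and network access."""
    cmd = ["dig", "+noall", "+comments", "+time=5", "+tries=1"]
    if checking_disabled:
        cmd.append("+cd")  # ask the resolver to skip DNSSEC validation
    cmd += ["@" + server, name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_rcode(out)


def classify(validating: str, checking_disabled: str, authoritative: str) -> str:
    """Map the three response codes to a diagnosis.

    validating:        rcode from a validating public resolver (normal query)
    checking_disabled: rcode from the same resolver with +cd
    authoritative:     rcode from one of the zone's own nameservers
    """
    if validating == "NOERROR":
        return "ok"
    if validating == "NXDOMAIN":
        return "name-does-not-exist"
    if validating == "SERVFAIL" and checking_disabled == "NOERROR":
        # The data is reachable once validation is switched off, so the records exist
        # and the chain of trust (DS at the parent / DNSKEY / RRSIG) is what is broken.
        return "dnssec-validation-failure"
    if validating == "SERVFAIL" and checking_disabled == "SERVFAIL" and authoritative == "NOERROR":
        # Authoritative servers answer but the resolver cannot reach or use them.
        return "delegation-or-resolver-problem"
    return "nameserver-failure"


def diagnose(name: str, zone: str, rtype: str = "TXT", resolver: str = "8.8.8.8") -> dict:
    """Run the three queries for e.g. _acme-challenge.<zone> TXT and classify them."""
    validating = rcode(name, rtype, resolver)
    cd = rcode(name, rtype, resolver, checking_disabled=True)
    # Fetch the NS set with +cd so a broken chain does not hide the delegation itself.
    ns_out = subprocess.run(["dig", "+short", "+cd", "@" + resolver, zone, "NS"],
                            capture_output=True, text=True, check=False).stdout.split()
    auth = rcode(name, rtype, ns_out[0]) if ns_out else "UNKNOWN"
    return {"validating": validating, "checking_disabled": cd, "authoritative": auth,
            "verdict": classify(validating, cd, auth)}


if __name__ == "__main__":
    # Assumed names; replace with the zone you are debugging.
    print(diagnose("_acme-challenge.example.nl", "example.nl"))
```

A verdict of `dnssec-validation-failure` is the case in this thread: the zone answers, but a validating resolver refuses the answer, which is exactly what a stale or mismatched DS record at the registrar produces.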

So, when I wrote this it was set up as described in the post.

Then, I got a bit impatient and tried to set it up with freeDNS at the VPS, with DNSSEC there and added the DS record at Njalla. This is the "working 6 hours ago" state.

However, I still couldn't get any certs with nginx proxy manager manually either, plus I noticed nginx proxy manager was lacking a FreeDNS or 1984hosting certbot authenticator... So I reset the whole thing back to as described in the post and since then it hasn't even been resolving. :person_facepalming:

So, the DNSSEC entries are now invalid/incorrect/unnecessary?

2 Likes

I tried to flush them at 1984/freeDNS before deleting the setup. Then I setup the name servers at njalla again and activated DNSSEC there.

(still wrapping my head around all these concepts and I hope I haven't botched it completely)

I still see the same DNSSEC failure.

2 Likes

OK. How do I get rid of old DNSSEC entries? Do I just wait for things to expire or do I need to do something?

I would like to use Njalla for DNS as there is a certbot plugin for that in nginx proxy manager's web interface.

From your DNS editor, remove DNSKEY type records you no longer use.

Also look here List of DNS record types - Wikipedia and search for DNSKEY; those that you are not using can be removed. Now with https://www.pairdomains.com/ they seem to manage DNSSEC through their website and do not show the DNSKEY records while editing the DNS Records. So look for:

This might be helpful as well

2 Likes
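The reply above says to remove DNSKEY records you no longer use; the matching check on the parent side is whether each DS record published at the registrar still corresponds to a DNSKEY the zone actually serves. The code below is an added example, not from the thread or any registrar, implementing the RFC 4034 key tag and the DS digest (SHA-256, digest type 2, over the owner name in wire form followed by the DNSKEY RDATA) so that stale DS records can be spotted offline. `example.nl`, the key `257 3 13 AQIDBA==` and the all-zero "old" DS are constructed sample values, not real key material.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / 4509 / 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum of the RDATA with the carry folded back in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Uppercase hex digest of (owner name wire form || DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_dnskey(text: str):
    """Parse DNSKEY RDATA text: 'FLAGS PROTOCOL ALGORITHM BASE64...' (base64 may be split by spaces)."""
    parts = text.split()
    return int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:])


def parse_ds(text: str):
    """Parse DS RDATA text as a registrar shows it: 'KEYTAG ALGORITHM DIGESTTYPE HEX...'."""
    parts = text.split()
    return int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]).upper()


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """The DS record the parent should publish for this DNSKEY."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches(owner: str, ds_text: str, dnskey_text: str) -> bool:
    """True if this DS was derived from this DNSKEY; a False for every key means a stale DS."""
    tag, alg, dtype, digest = parse_ds(ds_text)
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if dtype not in DIGEST_ALGOS or alg != algorithm or tag != key_tag(rdata):
        return False
    return digest == ds_digest(owner, rdata, dtype)


def stale_ds_records(owner: str, ds_texts, dnskey_texts):
    """DS records at the parent that match none of the DNSKEYs the zone currently serves."""
    return [ds for ds in ds_texts if not any(ds_matches(owner, ds, k) for k in dnskey_texts)]


if __name__ == "__main__":
    # Constructed sample values, not real key material.
    ZONE = "example.nl"
    CURRENT_KEY = "257 3 13 AQIDBA=="
    good_ds = make_ds(ZONE, CURRENT_KEY)
    old_ds = "12345 13 2 " + "00" * 32   # left over from a previous DNS provider
    print("expected DS:", good_ds)
    print("stale DS records:", stale_ds_records(ZONE, [good_ds, old_ds], [CURRENT_KEY]))
```

Feed it the DS lines from the registrar's DNSSEC page and the DNSKEY records from `dig DNSKEY <zone>`; any DS that `stale_ds_records` reports is one a validating resolver will try and fail to match, which is the SERVFAIL seen in this thread. Deleting the stale DS at the parent is the fix; the old DNSKEY records themselves only matter until the parent's DS TTL expires.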

Yes, it seems there are a few DNS issues with mokumkraakt.nl, as shown here: mokumkraakt.nl | DNSViz

2 Likes

While hotelmokum.org's DNS seems fair, as shown here: hotelmokum.org | DNSViz

2 Likes

Your certificate for mokumkraakt.nl

2 Likes

Yeah, I read that page before trying any DNSSEC stuff.

In njalla, when using it on a domain through them it's just an on/off button. When managing DNS from somewhere else it just allows for DS records.

In neither of these interfaces have I seen any way to delete records that have propagated elsewhere.

Anyway, I waited until the next day and tried to request a wildcard cert again from the same host using the njalla authenticator and voila - it works. I hate DNS lol.

1 Like

This is the DNSSEC "interface" on njalla:

When I set up FreeDNS to handle it and changed the NS entries at njalla the DNSSEC page changed to an "Add entry" page where I could add the DS record.

In FreeDNS there were a few more settings, but once I deleted them before deleting the zone and turned off DNSSEC there, they are still out in the wild propagating around the web, right? Not sure how to deal with this other than waiting?

Anywho, here's a haiku

Thanks for helping me try to figure this out c:

1 Like
