NO TXT record found

i'm trying to renew a wildcard certificate using dns-01,and i comfirmed that I created the TXT in the dns configuration with TTL = 180 seconds, after i wait for 600 seconds i got this:
order status: invalid
error status: 403
error type: urn:ietf:params:acme:error:unauthorized
error detail: No TXT record found at _acme-challenge.cloud.st.meituan.com

but the record exists

1 Like

For me dig -t TXT _acme-challenge.cloud.st.meituan.com says:

 dig -t TXT _acme-challenge.cloud.st.meituan.com

; <<>> DiG 9.16.1-Ubuntu <<>> -t TXT _acme-challenge.cloud.st.meituan.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56079
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.cloud.st.meituan.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.cloud.st.meituan.com. 120 IN CNAME hlb.st.sankuai.com.
hlb.st.sankuai.com.     120     IN      CNAME   offlinebeijing-bj.st.vip.sankuai.com.

;; AUTHORITY SECTION:
sankuai.com.            135     IN      SOA     dns1.sankuai.com. hostmaster.sankuai.com. 2016104917 18000 400 72000 1800

;; Query time: 400 msec
;; SERVER: 172.30.96.1#53(172.30.96.1)
;; WHEN: Fri Sep 17 12:11:31 AWST 2021
;; MSG SIZE  rcvd: 185

Your DNS is not returning the TXT record. What command did you use to get your results in your screenshot, it's obviously different to mine, because those are not your actual authoritative name servers.

1 Like

I think you may need to ask the actual authoritative nameservers to be sure of the response.

I get:

dig -t TXT _acme-challenge.cloud.st.meituan.com @ns3.dnsv5.com

; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t TXT _acme-challenge.cloud.st.meituan.com @ns3.dnsv5.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51263
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.cloud.st.meituan.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.cloud.st.meituan.com. 180 IN TXT "8d3bar2L-NLT_cZOY1pJaEtUqmUTMePhFDzpIFI9rFw"

;; AUTHORITY SECTION:
meituan.com.            86400   IN      NS      ns4.dnsv5.com.
meituan.com.            86400   IN      NS      ns3.dnsv5.com.

;; Query time: 236 msec
;; SERVER: 129.211.176.212#53(129.211.176.212)
;; WHEN: Fri Sep 17 04:25:32 UTC 2021
;; MSG SIZE  rcvd: 175

That said, they may employ some type of global anycast IP system (who knows).
And depending on where you are on the Internet, you might have to wait longer for the synchronization to be visible.

3 Likes

OK, there is (always) more than meets the eye!

Depending on who you ask, you get a different set of authoritative nameservers.

nslookup -q=ns meituan.com e.gtld-servers.net
Shows four:

meituan.com     nameserver = ns3.dnsv5.com
meituan.com     nameserver = ns4.dnsv5.com
meituan.com     nameserver = edns1.sankuai.com
meituan.com     nameserver = edns2.sankuai.com

But...
nslookup -q=ns meituan.com ns3.dnsv5.com
Shows only two:

meituan.com     nameserver = ns3.dnsv5.com
meituan.com     nameserver = ns4.dnsv5.com

Long story short: Your DNS is in a bad state.
Go to your registrar and ensure they only list the nameservers that are expected.

3 Likes

i got TXT record:DNS Checker - DNS Check Propagation Tool

1 Like

Yes, it works for me now as well, so maybe you have fixed it, or maybe you have really slow DNS propagation across your nameservers. You'll find out when you next have to change that value.

1 Like

why the number of nameserver lead to certficate failure?

1 Like

I haven't solved fixed it,maybe DNS propagation is really slow

1 Like

The number of nameservers isn't the problem.
It fails, because LE will walk the DNS tree and find four authoritative nameservers.
Two of which work and two that fail.
All nameservers must work.

I repeat:

6 Likes

I contacted the registrar to solve this problem,thanks :grinning:
but Why does LE require all nameservers to work properly?

2 Likes

I can't say with certainty that all nameservers must work properly.
So I dare say that is NOT a requirement.
But I can say that for each failing system in a four nameserver configuration, the odds of success are reduced by at least 37/64 (or 57.8%).
And when two systems are failing (as in your case) the odds of failure are at least 7/8 (or 87.5%).

2 Likes

After registrar solves this problem, it still returns "No TXT Record found"
domain:_acme-challenge.cloud.st.sankuai.com

2 Likes

I don't see any change with the authoritative nameservers.

Why are you checking against domain "sankuai.com" ?
[when the cert request is on domain "meituan.com"]

1 Like

I think you have a wildcard CNAME record which is taking priority over the TXT record and redirecting everything to hlb.st.sankuai.com which in turns points to offlinebeijing-bj.st.vip.sankuai.com:

https://dnsviz.net/d/_acme-challenge.cloud.st.sankuai.com/dnssec/
https://unboundtest.com/m/TXT/_acme-challenge.cloud.st.sankuai.com/2DLZAVEP

So if you specifically query for TXT records only, you get your value, but if you query for CNAME or TXT, then you get the CNAME

1 Like

They are not synchronized:

nslookup -q=soa meituan.com ns3.dnsv5.com
Server:  UnKnown
Address:  59.36.120.148
meituan.com
        primary name server = ns3.dnsv5.com
        responsible mail addr = enterprise3dnsadmin.dnspod.com
        serial  = 1631950111

nslookup -q=soa meituan.com edns1.sankuai.com
Server:  UnKnown
Address:  103.37.136.254
meituan.com
        primary name server = edns1.sankuai.com
        responsible mail addr = edp.networkrd.meituan.com
        serial  = 1
2 Likes

You're not allowed to combine CNAMEs with other DNS resource records according to the RFCs (I once learned.)

5 Likes

Fatal: Inconsistency between delegation and zone.

The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns3.dnsv5.com (129.211.176.212):

Delegation: edns1.sankuai.com, edns2.sankuai.com, ns3.dnsv5.com, ns4.dnsv5.com,

Zone: ns3.dnsv5.com, ns4.dnsv5.com.

Name Servers defined in Delegation, missing in Zone: edns1.sankuai.com, edns2.sankuai.com.

2 Likes

i try to issue a Multi Domain Wildcard certificate,this certificate contains [sankuai.com] and [meituan.com]。

1 Like

I solved this problem,The cause of the problem is TTL。
It works when i touch off the challenge after 2TTL,I guess DNS propagation is really slow
Thanks All :grin:

3 Likes

Hi @amber, Just want to point out you have mixed content on your site - some images are being over http through your two subdomains of p0.meituan.net and p1.meituan.net sites. Either change those to https or force https and you'll be all set. :smiley:
s0.meituan.net seems to be serving all images over https. :+1:

2 Likes