No TXT record found

I’m trying to get a wildcard certificate using a custom Node based DNS server (based on native-dns)
I have checked that I’m getting correct TXT result using:

dig @master.shirogames.net -t txt _acme-challenge.shirogames.net +short
"WRVKoKAQqN3C-wq7IwXN4bop1SpVoC9ML16Q5ziEjz8"

And also using _acme-challenge.shirogames.net=[value] on shirogames.net toplevel

dig @master.shirogames.net -t txt shirogames.net +short
"_acme-challenge.shirogames.net=WRVKoKAQqN3C-wq7IwXN4bop1SpVoC9ML16Q5ziEjz8"

But in both cases, I get the following error:

Failed authorization procedure. shirogames.net (dns-01):
urn:ietf:params:acme:error:unauthorized :: 
The client lacks sufficient authorization :: 
No TXT record found at _acme-challenge.shirogames.net

I suspect there is something wrong with the DNS server answer (I try setting the aa bit with no chance), but various tools (dig or online websites) that I used seems to correctly get the TXT results.

Any help welcome :slight_smile:

Hi @ncannasse

there is a check of your domain, ~~0,5 hours old ( https://check-your-website.server-daten.de/?q=shirogames.net ):

There is another TXT entry:

9. TXT - Entries

Domainname TXT Entry Status ∑ Queries ∑ Timeout
shirogames.net 1 0
www.shirogames.net ok 1 0
_acme-challenge.shirogames.net UD5lKA84sTt5G7NSImscWojBq0vkbT1jbx79gjZQJwc looks good 1 0

That's a correct entry.

But:

X Fatal error: Nameserver isn't defined or has timeout
X Fatal error: Nameserver doesn't support TCP connection: master.shirogames.net / 37.187.27.57: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 37.187.27.57:53
X Fatal error: Nameserver doesn't support TCP connection: master2.shirogames.net: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No such host is known
X Fatal error: Nameserver doesn't support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: master.shirogames.net

That's bad. Authoritative nameservers must support TCP connections. Looks like a blocking firewall or something else.

But Unboundtest ( https://unboundtest.com/m/TXT/_acme-challenge.shirogames.net/7YRY7YUS ) doesn't see an error.

Yes I’ve only enabled UDP server for now, as it seemed to be enough. I don’t support EDNS either. Could you confirm which of those are absolutely required for letsencrypt DNS challenge ?

I don't know. Unboundtest is from @jsha and uses nearly the same configuration as the unbound instance Letsencrypt uses.

So if Unboundtest doesn't see an error, it should work.

May be another error? Did you create the TXT entry manual? Perhaps you should wait a little bit.

1 Like

I wait quite long at the the “Before continuing, verify the record is deployed.” phase.
But upon validation, it failed again with same result:

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Failed authorization procedure. shirogames.net (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.shirogames.net

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: shirogames.net
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.shirogames.net

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I don’t have a AAAA (ipv6) record set, maybe it’s necessary?

No, you use DNS-validation, so a webserver isn't required.

But checked unboundtest again

https://unboundtest.com/m/TXT/_acme-challenge.shirogames.net/7NSBZCTG

there is NODATA.

So Unboundtest doesn't see the manual fetched result

_acme-challenge.shirogames.net text =

   "WRVKoKAQqN3C-wq7IwXN4bop1SpVoC9ML16Q5ziEjz8"

Perhaps allow TCP - connections and recheck your TXT with Unboundtest.

PS: Oh, that may be the problem.

Your second nameserver doesn’t have an ip address. That’s terrible.

Yes I was in the process of changing things, I have now both ns1 and ns2 pointing to DNS server, and added NS record as well.
I’m still getting no TXT record from either shirogames.net or _acme-challenge.shirogames.net,

https://unboundtest.com/m/TXT/shirogames.net/XPDPD6HC

I can see two problems here maybe:

May 23 13:48:50 unbound[23275:0] info: response for shirogames.net. TXT IN
May 23 13:48:50 unbound[23275:0] info: reply from <shirogames.net.> 37.187.27.57#53
May 23 13:48:50 unbound[23275:0] info: query response was nodata ANSWER

While dig @ns1.shirogames.net -t txt shirogames.net gives the following

; <<>> DiG 9.11.6 <<>> @ns1.shirogames.net -t txt shirogames.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50236
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;shirogames.net.                        IN      TXT

;; ANSWER SECTION:
shirogames.net.         200     IN      TXT     "_acme-challenge.shirogames.net=WRVKoKAQqN3C-wq7IwXN4bop1SpVoC9ML16Q5ziEjz8"

;; Query time: 21 msec
;; SERVER: 37.187.27.57#53(37.187.27.57)
;; WHEN: Thu May 23 15:53:35     2019
;; MSG SIZE  rcvd: 119

And at the end:

May 23 13:48:50 unbound[23275:0] info: validated DNSKEY net. DNSKEY IN
May 23 13:48:50 unbound[23275:0] info: NSEC3s for the referral proved no DS.
May 23 13:48:50 unbound[23275:0] info: Verified that unsigned response is INSECURE

And I don’t have DS/DNSKEY records as I don’t implement DNSSEC.

Does Unbound use IPv6 by any chance? Because I get empty result for A record as well:
https://unboundtest.com/m/A/shirogames.net/JGCNJ7UF

Now you have created the wrong entry ( https://check-your-website.server-daten.de/?q=shirogames.net ):

Using a screenshot, the colours are visible.

The green "Looks good" entry is correct. You must use

_acme-challenge.shirogames.net as domain name and the value from Certbot as TXT entry.

Not the value _acme-challenge.shirogames.net=WRVKoKAQqN3C-wq7IwXN4bop1SpVoC9ML16Q5ziEjz8, that's always wrong.

That's normal. Unboundtest checks if the zone isn't signed. If the parent zone is signed, this not-existence is signed too.

I have fixed the entry, and added TCP port.


I’m still unable to get A or TXT records for shirogames.net using unbound:
https://unboundtest.com/m/A/shirogames.net/3XODG3MW
https://unboundtest.com/m/TXT/shirogames.net/Z7277WXH

Ah-ah, found the problem: unbound makes requests with random cases:
name: ‘SHIrOGAMes.neT
While I only handle lowercase !

But that's curious. My tool checks that too.

And in older checks unboundtest had sent an error, not only NODATA.

I have fixed the case handling. I’m finally getting the TXT record \o/
https://unboundtest.com/m/TXT/_acme-challenge.shirogames.net/QRXYTGJZ

I was checking everything lowercase so it seems that your tool does not send uppercase requests, at least for TXT extraction.

Thanks for the help !

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.