I’m trying to get a wildcard certificate using a custom Node-based DNS server (based on native-dns).
I have checked that I’m getting the correct TXT result using:
Failed authorization procedure. shirogames.net (dns-01):
urn:ietf:params:acme:error:unauthorized ::
The client lacks sufficient authorization ::
No TXT record found at _acme-challenge.shirogames.net
I suspect there is something wrong with the DNS server’s answer (I tried setting the aa bit, with no luck), but the various tools (dig or online websites) I used seem to get the TXT results correctly.
Fatal error: Nameserver isn't defined or has timeout
Fatal error: Nameserver doesn't support TCP connection: master.shirogames.net / 37.187.27.57: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 37.187.27.57:53
Fatal error: Nameserver doesn't support TCP connection: master2.shirogames.net: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No such host is known
Fatal error: Nameserver doesn't support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: master.shirogames.net
That's bad. Authoritative nameservers must support TCP connections. Looks like a blocking firewall or something else.
Yes, I’ve only enabled the UDP server for now, as it seemed to be enough. I don’t support EDNS either. Could you confirm which of those are absolutely required for the Let’s Encrypt DNS challenge?
I waited quite a long time at the “Before continuing, verify the record is deployed.” phase.
But upon validation, it failed again with the same result:
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Failed authorization procedure. shirogames.net (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.shirogames.net
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: shirogames.net
Type: unauthorized
Detail: No TXT record found at _acme-challenge.shirogames.net
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Yes, I was in the process of changing things; I now have both ns1 and ns2 pointing to the DNS server, and have added an NS record as well.
I’m still getting no TXT record from either shirogames.net or _acme-challenge.shirogames.net:
May 23 13:48:50 unbound[23275:0] info: response for shirogames.net. TXT IN
May 23 13:48:50 unbound[23275:0] info: reply from <shirogames.net.> 37.187.27.57#53
May 23 13:48:50 unbound[23275:0] info: query response was nodata ANSWER
While dig @ns1.shirogames.net -t txt shirogames.net gives the following:
; <<>> DiG 9.11.6 <<>> @ns1.shirogames.net -t txt shirogames.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50236
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;shirogames.net. IN TXT
;; ANSWER SECTION:
shirogames.net. 200 IN TXT "_acme-challenge.shirogames.net=WRVKoKAQqN3C-wq7IwXN4bop1SpVoC9ML16Q5ziEjz8"
;; Query time: 21 msec
;; SERVER: 37.187.27.57#53(37.187.27.57)
;; WHEN: Thu May 23 15:53:35 2019
;; MSG SIZE rcvd: 119
And at the end:
May 23 13:48:50 unbound[23275:0] info: validated DNSKEY net. DNSKEY IN
May 23 13:48:50 unbound[23275:0] info: NSEC3s for the referral proved no DS.
May 23 13:48:50 unbound[23275:0] info: Verified that unsigned response is INSECURE
And I don’t have DS/DNSKEY records as I don’t implement DNSSEC.
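As an added example (not code from this thread or from native-dns), here is what a correct DNS-01 answer looks like on the wire, built with only Node’s Buffer: the TXT record is placed at _acme-challenge.<domain> rather than as a "name=value" string in a TXT at the apex (which is what the dig output above shows), the AA bit is set, and the message can be framed for TCP as RFC 7766 requires. The domain, ID and token value are constructed for illustration.

```javascript
// Added example, not from the thread or native-dns; names and token are constructed.
const TYPE_TXT = 16, CLASS_IN = 1;

// RFC 8555: the token lives at _acme-challenge.<domain>, not in a TXT at the apex.
function challengeName(domain) {
  return '_acme-challenge.' + domain.replace(/\.$/, '');
}

// Encode a dotted name as length-prefixed labels (no compression needed here).
function encodeName(name) {
  const labels = name.replace(/\.$/, '').split('.').map(label => {
    if (label.length === 0 || label.length > 63) throw new Error('bad label: ' + label);
    return Buffer.concat([Buffer.from([label.length]), Buffer.from(label, 'ascii')]);
  });
  return Buffer.concat([...labels, Buffer.from([0])]);
}

// TXT RDATA is one or more <length><bytes> character-strings of at most 255 bytes.
function encodeTxt(value) {
  const chunks = [];
  for (let i = 0; i < value.length; i += 255) {
    const part = value.slice(i, i + 255);
    chunks.push(Buffer.from([part.length]), Buffer.from(part, 'ascii'));
  }
  return Buffer.concat(chunks);
}

// UDP reply: header with QR=1, AA=1 (authoritative), RD echoed, RA=0, RCODE=0,
// then the echoed question and one TXT answer.
function buildTxtResponse(id, qname, txtValue, ttl = 60, rd = true) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x8400 | (rd ? 0x0100 : 0), 2);
  header.writeUInt16BE(1, 4); // QDCOUNT
  header.writeUInt16BE(1, 6); // ANCOUNT (NSCOUNT and ARCOUNT stay 0)
  const question = Buffer.concat([encodeName(qname), Buffer.from([0, TYPE_TXT, 0, CLASS_IN])]);
  const rdata = encodeTxt(txtValue);
  const fixed = Buffer.alloc(10); // TYPE, CLASS, TTL, RDLENGTH
  fixed.writeUInt16BE(TYPE_TXT, 0);
  fixed.writeUInt16BE(CLASS_IN, 2);
  fixed.writeUInt32BE(ttl, 4);
  fixed.writeUInt16BE(rdata.length, 8);
  return Buffer.concat([header, question, encodeName(qname), fixed, rdata]);
}

// RFC 7766: over TCP every message is prefixed with its 2-byte big-endian length.
function tcpFrame(msg) {
  const len = Buffer.alloc(2);
  len.writeUInt16BE(msg.length, 0);
  return Buffer.concat([len, msg]);
}
```

A server that only answers over UDP and sends this reply without the length prefix on a TCP socket will fail the checks quoted earlier in the thread even when dig over UDP looks fine.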