No TXT records found

Hello!

My domain is: kia-nnmotors.ru

I ran this command: wacs.exe

Then I chose the dns-01 check and added the TXT record in my DNS control panel (dig shows
_acme-challenge.kia-nnmotors.ru. 47 IN TXT "2Sfu--ivvtUUxlLptV3JjYvitCedQnnqdxKTktG3e6s"
in its output).

It produced this output: Preliminary validation at 213.180.204.213 failed: no TXT records found

Thanks in advance, and sorry for my broken English; it's not my native language.

Hi @PavelKotov, and welcome to the LE community forum :slight_smile:

The two authoritative DNS servers are not in sync:

kia-nnmotors.ru nameserver = dns1.yandex.net
kia-nnmotors.ru nameserver = dns2.yandex.net

nslookup -q=txt _acme-challenge.kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
*** UnKnown can't find _acme-challenge.kia-nnmotors.ru: Non-existent domain

nslookup -q=txt _acme-challenge.kia-nnmotors.ru dns2.yandex.net
Server:  UnKnown
Address:  93.158.134.213
_acme-challenge.kia-nnmotors.ru text =
"2Sfu--ivvtUUxlLptV3JjYvitCedQnnqdxKTktG3e6s"

And yet they think they are:

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
kia-nnmotors.ru
        serial  = 50

nslookup -q=soa kia-nnmotors.ru dns2.yandex.net
Server:  UnKnown
Address:  93.158.134.213
kia-nnmotors.ru
        serial  = 50

Sorry, but in the dig output I have TXT records on both authoritative DNS servers.

I am not the expert at DNS that @rg305 is, but I also did not see a TXT record from dns1.yandex.net.

Further, I see two different serial numbers. My lookups are using IPv6, but I cannot explain why the serials are different from what Rudy saw.

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:         dns1.yandex.net
Address:        2a02:6b8::213#53
kia-nnmotors.ru
        serial = 50

nslookup -q=soa kia-nnmotors.ru dns2.yandex.net
Server:         dns2.yandex.net
Address:        2a02:6b8:0:1::213#53
kia-nnmotors.ru
        serial = 32

For reference, I see this for TXT on dns1 (dns2 is fine)
(Update: I do see a TXT from dns1 about half the time, dns2 is more consistent)

nslookup -q=txt _acme-challenge.kia-nnmotors.ru dns1.yandex.net
Server:         dns1.yandex.net
Address:        2a02:6b8::213#53
** server can't find _acme-challenge.kia-nnmotors.ru.ec2.internal: REFUSED

Sure, now you do. [and so do I]
But NOT then.
I showed you how they were out of sync [then].
Which is the entire problem.

Apparently the serial number is being FAKEd:

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
kia-nnmotors.ru
        serial  = 24

nslookup -q=soa kia-nnmotors.ru dns2.yandex.net
kia-nnmotors.ru
        serial  = 24

[so that is not a clear indication of when they are in sync or out of sync]

OR...
They are actually load-balancing their DNS servers across many servers.
And they are not all in sync [not all the time].

Here are three consecutive requests to the same server:

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
kia-nnmotors.ru
        serial  = 32

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
kia-nnmotors.ru
        serial  = 50

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
kia-nnmotors.ru
        serial  = 43

Load-balancing DNS request has got to be one of the dumbest things ever thought up.
[clearly done by someone who doesn't fully grasp the protocol]

That would explain why I see TXT records only some of the time on back-to-back requests, both on dns1 and dns2.
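The check the thread is circling around, written out as an added example (this is not code from the thread, from WACS or from Yandex): query every authoritative name server for the challenge TXT record several times in a row and only call the zone ready when each server returns the expected token on every attempt, which is the behaviour that a load-balanced, partially synced backend pool would fail. The token, names and nameservers are the ones quoted in the thread; the per-attempt answers and SOA serials are constructed sample data modelled on what the participants saw. The live `dig_txt` path assumes dig(1) is installed and is not used by the stand-alone run.

```python
"""Pre-flight check for a dns-01 challenge: ask every authoritative name
server for the _acme-challenge TXT record several times and only report
success when each server returns the expected token on every attempt.
Repeating the query matters when a provider load-balances one NS hostname
across several backends that are not all in sync, as seen in the thread.
"""
import itertools
import subprocess
from typing import Callable, Dict, Iterable, List, Set, Tuple

QueryFn = Callable[[str, str], Set[str]]  # (nameserver, qname) -> TXT strings

# Constructed sample data modelled on the answers quoted in the thread:
# dns1 returned NXDOMAIN on some attempts, dns2 answered every time, and the
# SOA serial from dns1 changed between back-to-back queries.
TOKEN = "2Sfu--ivvtUUxlLptV3JjYvitCedQnnqdxKTktG3e6s"
QNAME = "_acme-challenge.kia-nnmotors.ru"
NAMESERVERS = ["dns1.yandex.net", "dns2.yandex.net"]
SAMPLE_TXT: Dict[str, List[Set[str]]] = {
    "dns1.yandex.net": [set(), {TOKEN}, set()],      # flapping backend pool
    "dns2.yandex.net": [{TOKEN}, {TOKEN}, {TOKEN}],  # consistent
}
SAMPLE_SERIALS: Dict[str, List[int]] = {
    "dns1.yandex.net": [32, 50, 43],
    "dns2.yandex.net": [50, 50, 50],
}


def replay(samples: Dict[str, List[Set[str]]]) -> QueryFn:
    """Build a query function that replays recorded answers (offline use)."""
    cursors = {ns: itertools.cycle(answers) for ns, answers in samples.items()}
    return lambda ns, qname: next(cursors[ns])


def dig_txt(ns: str, qname: str) -> Set[str]:
    """Live query via dig(1): TXT strings as a set, empty on NXDOMAIN/NODATA.
    dig +short prints each TXT string in double quotes; strip them so the
    result can be compared with the raw token. Assumes dig is on PATH."""
    out = subprocess.run(
        ["dig", f"@{ns}", "+short", "+time=3", "+tries=1", "TXT", qname],
        capture_output=True, text=True, check=False,
    ).stdout
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}


def check_txt(qname: str, expected: str, nameservers: Iterable[str],
              attempts: int, query: QueryFn) -> Dict[str, Tuple[int, int]]:
    """For each NS, count the attempts on which `expected` was among the TXT strings."""
    report: Dict[str, Tuple[int, int]] = {}
    for ns in nameservers:
        hits = sum(1 for _ in range(attempts) if expected in query(ns, qname))
        report[ns] = (hits, attempts)
    return report


def all_consistent(report: Dict[str, Tuple[int, int]]) -> bool:
    """True only when every server returned the token on every attempt."""
    return all(hits == attempts for hits, attempts in report.values())


def serials_agree(serials: Dict[str, List[int]]) -> bool:
    """True when every SOA serial observed on every server is identical.
    Caveat from the thread: behind a load-balanced NS hostname, equal serials
    do not prove the TXT data is in sync, so treat this only as a hint."""
    seen = {s for per_ns in serials.values() for s in per_ns}
    return len(seen) == 1


if __name__ == "__main__":
    rep = check_txt(QNAME, TOKEN, NAMESERVERS, 3, replay(SAMPLE_TXT))
    for ns, (hits, n) in rep.items():
        print(f"{ns}: {hits}/{n} attempts returned the token")
    print("consistent:", all_consistent(rep))
    print("SOA serials agree:", serials_agree(SAMPLE_SERIALS))
```

To run it against real servers, pass `dig_txt` in place of `replay(SAMPLE_TXT)` and raise `attempts` to five or more; a single successful answer per server, which is all a one-shot resolver check gives you, is exactly what hides the flapping backend described above.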

But despite this (I see the TXT on both DNS servers through dig and nslookup), WACS.EXE still gives me this error:

Preliminary validation at 213.180.204.213 failed: no TXT records found
The correct record is not yet found by the local resolver. Check your configuration and/or wait for the name servers to synchronize and press to try again. Answer 'N' to try ACME validation anyway. (y*/n)

I totally don't understand what I've done wrong and what I need to do now.

Are you sure that is still the value it is looking for? Because each new challenge will create a new value that must be added to DNS.

Are you using the manual DNS method of WACS?

Maybe ask at the WACS forum. A GitHub issue similar to yours was recently discussed.

You could also try to ask Yandex about their DNS server synchronization schedule (how to tell when all of the name servers will agree about a newly-created record), and maybe try to delay longer in between creating the DNS record and telling Let's Encrypt to check it.

It looks like WACS does a test to see if the TXT exists before sending the request to Let's Encrypt (via a resolver). It looks like this initial test is what is failing. The GitHub link I provided described a bug in wacs and how to disable that check. Of course LE must still find it using the authoritative servers.

Dear friends!
I downloaded wacs 2.1.20 (the previous one was 2.1.5); wacs gave me the same validation string and then output the following:

[kia-nnmotors.ru] Preliminary validation failed: no TXT records found
Will retry in 30 seconds (retry 5/5)...
[kia-nnmotors.ru] Preliminary validation failed: no TXT records found
It looks like validation is going to fail, but we will try now anyway...
First chance error calling into ACME server, retrying with new nonce...
[kia-nnmotors.ru] Authorization result: VALID
Downloading certificate [Manual] kia-nnmotors.ru

Well, was it some kind of joke from wacs? :slight_smile: Error, not found, but in the end I get to download the cert ))))

Good. Now you have to configure your server to send the new cert.

You are currently sending a cert from DigiCert that expires today.

Not likely.
More likely that it took time for things to be as expected.