No TXT records found

Hello!

My domain is: kia-nnmotors.ru

I ran this command: wacs.exe

Then I chose the dns-01 check and added the TXT record in my DNS control panel (dig shows:
_acme-challenge.kia-nnmotors.ru. 47 IN TXT "2Sfu--ivvtUUxlLptV3JjYvitCedQnnqdxKTktG3e6s"
in its output).

It produced this output: Preliminary validation at 213.180.204.213 failed: no TXT records found

Thanks in advance and sorry for my broken English, it's not native for me.


Hi @PavelKotov, and welcome to the LE community forum :slight_smile:

The two authoritative DNS servers are not in sync:

kia-nnmotors.ru nameserver = dns1.yandex.net
kia-nnmotors.ru nameserver = dns2.yandex.net

nslookup -q=txt _acme-challenge.kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
*** UnKnown can't find _acme-challenge.kia-nnmotors.ru: Non-existent domain

nslookup -q=txt _acme-challenge.kia-nnmotors.ru dns2.yandex.net
Server:  UnKnown
Address:  93.158.134.213
_acme-challenge.kia-nnmotors.ru text =
"2Sfu--ivvtUUxlLptV3JjYvitCedQnnqdxKTktG3e6s"

And yet they think they are:

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
kia-nnmotors.ru
        serial  = 50

nslookup -q=soa kia-nnmotors.ru dns2.yandex.net
Server:  UnKnown
Address:  93.158.134.213
kia-nnmotors.ru
        serial  = 50

Sorry, but in the dig output I have TXT records on both authoritative DNS servers.

I am not the expert at DNS that @rg305 is but I also did not see a TXT record from dns1.yandex.net.

Further, I see two different serial numbers. My lookups are using IPv6, but I cannot explain why the serials are different from what Rudy saw.

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:         dns1.yandex.net
Address:        2a02:6b8::213#53
kia-nnmotors.ru
        serial = 50

nslookup -q=soa kia-nnmotors.ru dns2.yandex.net
Server:         dns2.yandex.net
Address:        2a02:6b8:0:1::213#53
kia-nnmotors.ru
        serial = 32

For reference, I see this for TXT on dns1 (dns2 is fine)
(Update: I do see a TXT from dns1 about half the time, dns2 is more consistent)

nslookup -q=txt _acme-challenge.kia-nnmotors.ru dns1.yandex.net
Server:         dns1.yandex.net
Address:        2a02:6b8::213#53
** server can't find _acme-challenge.kia-nnmotors.ru.ec2.internal: REFUSED

Sure, now you do. [and so do I]
But NOT then.
I showed you how they were out of sync [then].
Which is the entire problem.


Apparently the serial number is being FAKEd:

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
kia-nnmotors.ru
        serial  = 24

nslookup -q=soa kia-nnmotors.ru dns2.yandex.net
kia-nnmotors.ru
        serial  = 24

[so that is not a clear indication of when they are in sync or out of sync]


OR...
They are actually load-balancing their DNS servers across many servers.
And they are not all in sync [not all the time].

Here are three consecutive requests to the same server:

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
kia-nnmotors.ru
        serial  = 32

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
kia-nnmotors.ru
        serial  = 50

nslookup -q=soa kia-nnmotors.ru dns1.yandex.net
Server:  UnKnown
Address:  213.180.204.213
kia-nnmotors.ru
        serial  = 43

Load-balancing DNS request has got to be one of the dumbest things ever thought up.
[clearly done by someone who doesn't fully grasp the protocol]

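The checks the thread arrives at (ask each authoritative server directly, repeat the query because a load-balanced pool can answer differently on consecutive requests, ignore the SOA serial, and wait before telling the CA to validate), collected into one pre-flight script. This is an added example, not code from the thread or from win-acme/wacs. The domain, token and name-server names are the ones quoted above; the function names (check_sync, wait_for_sync, dig_txt) and the scripted answers used for the offline demo are this example's own constructions.

```python
"""Pre-flight check for an ACME dns-01 challenge: the TXT token must be
visible on EVERY authoritative name server, on REPEATED queries, before the
CA is asked to validate.  The SOA serial is deliberately ignored because the
thread shows it changing between consecutive answers from one server.

Added example, not code from the forum thread or from win-acme (wacs).
Domain, token and name-server names are the ones quoted in the thread; the
function names and the scripted answers are this example's own constructions.
"""
import subprocess
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# A resolver maps (qname, server) -> list of TXT strings that server returned.
Resolver = Callable[[str, str], List[str]]

DOMAIN = "kia-nnmotors.ru"
QNAME = "_acme-challenge." + DOMAIN
TOKEN = "2Sfu--ivvtUUxlLptV3JjYvitCedQnnqdxKTktG3e6s"
SERVERS = ["dns1.yandex.net", "dns2.yandex.net"]


def dig_txt(qname: str, server: str) -> List[str]:
    """Live resolver: ask one authoritative server directly with dig.
    +norecurse so the server answers from its own zone data, not a cache.
    Needs the `dig` binary; the offline demo below does not call this."""
    proc = subprocess.run(
        ["dig", "+short", "+norecurse", "+time=3", "+tries=1",
         "TXT", qname, "@" + server],
        capture_output=True, text=True, check=False,
    )
    return [ln.strip().strip('"') for ln in proc.stdout.splitlines() if ln.strip()]


def check_sync(qname: str, expected: str, servers: List[str],
               resolver: Resolver, rounds: int = 3) -> Dict[str, object]:
    """Query every server `rounds` times.  'ok' = token in every answer,
    'missing' = never seen, 'flapping' = sometimes seen (a load-balanced pool
    whose members have not all loaded the new zone).  Only all-'ok' counts
    as in sync; a single 'flapping' server can randomly fail CA validation."""
    hits: Dict[str, int] = defaultdict(int)
    for server in servers:
        for _ in range(rounds):
            if expected in resolver(qname, server):
                hits[server] += 1
    status = {
        s: "ok" if hits[s] == rounds else "missing" if hits[s] == 0 else "flapping"
        for s in servers
    }
    return {"in_sync": all(v == "ok" for v in status.values()), "servers": status}


def wait_for_sync(qname: str, expected: str, servers: List[str], resolver: Resolver,
                  attempts: int = 10, delay: float = 30.0,
                  sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Re-run check_sync with a pause between attempts (the 'wait longer before
    telling the CA' advice).  Returns (in_sync, attempts_used)."""
    for n in range(1, attempts + 1):
        if check_sync(qname, expected, servers, resolver)["in_sync"]:
            return True, n
        if n < attempts:
            sleep(delay)
    return False, attempts


class ScriptedResolver:
    """Constructed offline stand-in: each server replays a fixed list of
    answers, then keeps repeating the last one."""
    def __init__(self, script: Dict[str, List[List[str]]]):
        self.script = script
        self.calls: Dict[str, int] = defaultdict(int)

    def __call__(self, qname: str, server: str) -> List[str]:
        seq = self.script[server]
        ans = seq[min(self.calls[server], len(seq) - 1)]
        self.calls[server] += 1
        return ans


def demo_thread_case() -> Dict[str, object]:
    """What the thread saw: dns1 has the record about half the time, dns2 always."""
    flaky = ScriptedResolver({
        "dns1.yandex.net": [[TOKEN], [], [TOKEN], []],
        "dns2.yandex.net": [[TOKEN]],
    })
    return check_sync(QNAME, TOKEN, SERVERS, flaky)


def demo_wait_case() -> Tuple[bool, int]:
    """dns1 catches up after its first answer; the second attempt passes."""
    catching_up = ScriptedResolver({
        "dns1.yandex.net": [[], [TOKEN]],
        "dns2.yandex.net": [[TOKEN]],
    })
    return wait_for_sync(QNAME, TOKEN, SERVERS, catching_up,
                         attempts=5, delay=30.0, sleep=lambda _s: None)


if __name__ == "__main__":
    print(demo_thread_case())
    print(demo_wait_case())
```

For a live run, pass `dig_txt` as the resolver (and the NS names from `dig NS <domain>`) instead of the scripted one; the point of querying each authoritative server directly rather than the local resolver (213.180.204.213 in the thread) is that a cached or recursive answer says nothing about what the CA will see.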

That would explain why I see TXT records only some of the time on back-to-back requests, both on dns1 and dns2.


But despite this (I see the TXT record on both DNS servers through dig and nslookup), WACS.EXE still gives me this error:

Preliminary validation at 213.180.204.213 failed: no TXT records found
The correct record is not yet found by the local resolver. Check your configuration and/or wait for the name servers to synchronize and press to try again. Answer 'N' to try ACME validation anyway. (y*/n)

I totally do not understand what I've done wrong and what I need to do now.

Are you sure that is still the value it is looking for? Because each new challenge will create a new value that must be added to DNS.

Are you using the manual DNS method of WACS?

Maybe ask at the WACS forum. A GitHub issue similar to yours was recently discussed.


You could also try to ask Yandex about their DNS server synchronization schedule (how to tell when all of the name servers will agree about a newly-created record), and maybe try to delay longer in between creating the DNS record and telling Let's Encrypt to check it.


It looks like WACS does a test to see if the TXT record exists (via the local resolver) before sending the request to Let's Encrypt. It looks like this initial test is what is failing. The GitHub link I provided described a bug in wacs and how to disable that check. Of course LE must still find it using the authoritative servers.


Dear friends!
I downloaded wacs 2.1.20 (the previous one had been 2.1.5), then wacs gave me the same validation string. Then wacs output the following:

[kia-nnmotors.ru] Preliminary validation failed: no TXT records found
Will retry in 30 seconds (retry 5/5)...
[kia-nnmotors.ru] Preliminary validation failed: no TXT records found
It looks like validation is going to fail, but we will try now anyway...
First chance error calling into ACME server, retrying with new nonce...
[kia-nnmotors.ru] Authorization result: VALID
Downloading certificate [Manual] kia-nnmotors.ru

Well, was it a kind of joke from wacs? :slight_smile: Error, not found, but in the end I download the cert))))

Good. Now you have to configure your server to send the new cert.

You are currently sending a cert from DigiCert that expires today.


Not likely.
More likely that it took time for things to be as expected.
