NXDOMAIN but records are in place


#1

Hi Everybody,

I always get the error message shown below when requesting a certificate. According to letsdebug.net everything is configured and ok. Nevertheless it doesn’t work.

Can somebody help me out?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hydra.local.home.goroot.de

I ran this command: docker traefik restart

It produced this output:
time="2019-01-16T18:06:35Z" level=error msg="Unable to obtain ACME certificate for domains "hydra.local.home.goroot.de" detected thanks to rule "Host:hydra.local.home.goroot.de; PathPrefix:/grafana" : unable to generate a certificate for the domains [hydra.local.home.goroot.de]: acme: Error -> One or more domains had a problem:\n[hydra.local.home.goroot.de] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hydra.local.home.goroot.de, url: \n"

My web server is (include version): Traefik 1.7.7

The operating system my web server runs on is (include version): Docker version 18.09.1@ 4.9.0-6-amd64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @gorootde

I can’t see an ip address ( https://check-your-website.server-daten.de/?q=hydra.local.home.goroot.de ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
hydra.local.home.goroot.de Name Error yes 1 0
www.hydra.local.home.goroot.de Name Error yes 1 0

No IPv4, no IPv6. Checked manually - the same:

D:\temp>nslookup hydra.local.home.goroot.de.
*** hydra.local.home.goroot.de. Non-existent domain.

Is there a typo?


PS: You are using dns-01 validation. But (1) there are no TXT entries. And (2) there is a CAA entry that may block:

CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
local.home.goroot.de -3 Name Error - The domain name does not exist 1 0

txt entries don’t exist.


#3

Hi Juergen,

No, not a typo. There is simply no IP address, as it is hosting the TXT record only.
Is it required? If so, I wonder why letsdebug doesn’t show any errors.

dig TXT _acme-challenge.hydra.local.home.goroot.de
_acme-challenge.hydra.local.home.goroot.de. 740 IN CNAME ba71bec7-2c7f-4dd3-abef-20714ad63f64.local.home.goroot.de.
ba71bec7-2c7f-4dd3-abef-20714ad63f64.local.home.goroot.de. 1 IN TXT "3-dRrATy4huKdbG5ppYLme9H-ZYrQheB-pnfFuZnRRc"

Is that not enough?


#4

For DNS validations, Let’s Debug would only check if your DNS servers are functioning normally, or anything that would indirectly affect your validation (like CAA records).
And I didn’t see any CAA records that would block the issuance…

I think it’s fine to “not exist” because when the CAA does not exist on this level, it would query the next level, till the root domain itself…

Thank you


#5

Unboundtest actually could find your NS server and query it…

But the answer is NXDOMAIN

https://unboundtest.com/m/TXT/_acme-challenge.hydra.local.home.goroot.de/5GPIG2BV

This is not right… It should return a CNAME right?

Thank you


#6

Hi Steven,

unfortunately this didn’t help anything. Added delayBeforeCheck = 60 to my Traefik configuration.

Why is there a difference between a dig command and unboundtest.com? Aren’t they asking the same DNS server the exact same question in the end?


#7

You can get a certificate with a domain name.

But hydra.local.home.goroot.de isn’t a defined domain name, the answer is “Not existing domain”.

So the certificate request is incomplete.

You have only a CNAME definition

_acme-challenge.hydra.local.home.goroot.de

But this isn’t a domain name.

So add the domain name in your DNS.


#8

Actually, when I query it with dig & TXT, it returns NXDOMAIN too…

When I query with dig CNAME, it returns the right CNAME, but no answer in there.

Not sure what’s wrong…


#9

The DNS server is behaving incorrectly. It should be returning the CNAME record in response to a TXT query, not NXDOMAIN.

It should never return NXDOMAIN when a name exists (including when it’s an empty non-terminal).

Plus negative responses should have an authority section with an SOA record so that they can be cached.


#10

This needs to work globally not just on your own private DNS system.


#11

The DNS responses across your authoritative name servers are inconsistent:
SOA records are only returned for the full FQDN by:
ns.inwx.de
ns2.inwx.de
The other three return NXDOMAIN (for the SOA record) [THIS IS NOT GOOD]

nslookup -q=ns goroot.de. a.nic.de.
goroot.de nameserver = ns.inwx.de
goroot.de nameserver = ns2.inwx.de
goroot.de nameserver = ns3.inwx.eu
goroot.de nameserver = ns4.inwx.com
goroot.de nameserver = ns5.inwx.net

nslookup -q=ns home.goroot.de. ns.inwx.de.
nslookup -q=ns local.home.goroot.de. ns.inwx.de.
nslookup -q=ns hydra.local.home.goroot.de. ns.inwx.de.
all 3 return: NUL [SOA]

nslookup -q=ns home.goroot.de. ns2.inwx.de.
nslookup -q=ns local.home.goroot.de. ns2.inwx.de.
nslookup -q=ns hydra.local.home.goroot.de. ns2.inwx.de.
all 3 return: NUL [SOA]

nslookup -q=ns home.goroot.de. ns3.inwx.eu.
returns: NUL [SOA]
nslookup -q=ns local.home.goroot.de. ns3.inwx.eu.
nslookup -q=ns hydra.local.home.goroot.de. ns3.inwx.eu.
These 2 return: NXDOMAIN

nslookup -q=ns home.goroot.de. ns4.inwx.com.
returns: NUL [SOA]
nslookup -q=ns local.home.goroot.de. ns4.inwx.com.
nslookup -q=ns hydra.local.home.goroot.de. ns4.inwx.com.
These 2 return: NXDOMAIN

nslookup -q=ns home.goroot.de. ns5.inwx.net.
returns: NUL [SOA]
nslookup -q=ns local.home.goroot.de. ns5.inwx.net.
nslookup -q=ns hydra.local.home.goroot.de. ns5.inwx.net.
These 2 return: NXDOMAIN

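As an added example (not code from this thread, from Traefik or from INWX), here is a stdlib-only Python model of how an authoritative server must answer the queries discussed in posts #9 and #11, loaded with the records from post #3; the zone cut at goroot.de and the SOA contents are assumptions. Feeding it what a misbehaving server returned flags each fault named above: NXDOMAIN for a name that exists (including the empty non-terminal), a CNAME missing from a TXT answer, and a negative answer without an SOA.

```python
from collections import defaultdict

SOA = "ns.inwx.de. hostmaster.inwx.de. 1 3600 600 604800 60"  # constructed SOA rdata

def canon(name):
    return name.rstrip(".").lower()

class Zone:  # in-memory zone that answers the way RFC 1034 s4.3.2 requires
    def __init__(self, origin, records):
        self.origin = canon(origin)
        self.rrsets = defaultdict(lambda: defaultdict(list))
        for owner, rtype, rdata in records:
            self.rrsets[canon(owner)][rtype].append(rdata)

    def exists(self, name):
        # A name exists if it owns records OR anything below it does (empty non-terminal)
        name = canon(name)
        return name in self.rrsets or any(o.endswith("." + name) for o in self.rrsets)

    def answer(self, qname, qtype):
        """Expected (rcode, answer_section, authority_section) for one query."""
        answer, owner = [], canon(qname)
        while True:
            rrs = self.rrsets.get(owner, {})
            if qtype in rrs:                              # exact match
                return "NOERROR", answer + [(owner, qtype, r) for r in rrs[qtype]], []
            if "CNAME" in rrs:                            # alias: return CNAME, chase in-zone
                answer.append((owner, "CNAME", rrs["CNAME"][0]))
                owner = canon(rrs["CNAME"][0])
                if owner.endswith("." + self.origin):
                    continue
                return "NOERROR", answer, []              # off-zone target: resolver chases it
            soa = [(self.origin, "SOA", SOA)]             # negative answer must carry the SOA
            return ("NOERROR" if self.exists(owner) else "NXDOMAIN"), answer, soa

def faults(zone, qname, qtype, observed):
    """List what is wrong with one server's (rcode, answer, authority) for the query."""
    exp_rcode, exp_answer, _ = zone.answer(qname, qtype)
    obs_rcode, obs_answer, obs_auth = observed
    problems = []
    if obs_rcode == "NXDOMAIN" and exp_rcode == "NOERROR":
        problems.append("NXDOMAIN for a name that exists")
    if set(exp_answer) - set(obs_answer):
        problems.append("answer section is missing records (e.g. the CNAME)")
    if not obs_answer and not any(t == "SOA" for _, t, _ in obs_auth):
        problems.append("negative response without SOA in authority (not cacheable)")
    return problems

ZONE = Zone("goroot.de", [("goroot.de", "SOA", SOA),  # records from post #3; zone cut assumed
    ("_acme-challenge.hydra.local.home.goroot.de", "CNAME", "ba71bec7-2c7f-4dd3-abef-20714ad63f64.local.home.goroot.de."),
    ("ba71bec7-2c7f-4dd3-abef-20714ad63f64.local.home.goroot.de", "TXT", "3-dRrATy4huKdbG5ppYLme9H-ZYrQheB-pnfFuZnRRc"),
])
```

Querying each authoritative server listed in post #11 and passing its response to faults() shows which of the five disagree with the model.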

#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.