Nxdomain error using acme.sh

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: uren.acc.softenergy.nl

I ran this command: acme.sh --issue -d uren.acc.softenergy.nl -w ~/www/SoftHours/client --server https://acme-staging.api.letsencrypt.org/directory

It produced this output:
[Mon Oct 9 15:45:59 UTC 2017] Single domain='uren.acc.softenergy.nl'
[Mon Oct 9 15:45:59 UTC 2017] Getting domain auth token for each domain
[Mon Oct 9 15:45:59 UTC 2017] Getting webroot for domain='uren.acc.softenergy.nl'
[Mon Oct 9 15:45:59 UTC 2017] Getting new-authz for domain='uren.acc.softenergy.nl'
[Mon Oct 9 15:46:01 UTC 2017] The new-authz request is ok.
[Mon Oct 9 15:46:02 UTC 2017] Verifying:uren.acc.softenergy.nl
[Mon Oct 9 15:46:06 UTC 2017] uren.acc.softenergy.nl:Verify error:DNS problem: NXDOMAIN looking up A for uren.acc.softenergy.nl
[Mon Oct 9 15:46:06 UTC 2017] Please check log file for more details: /home/pi/.acme.sh/acme.sh.log

My web server is (include version): Nodejs 8.5.0 / Expressjs

The operating system my web server runs on is (include version): Raspbian 4.9.35-v7+

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’ve configured port forwarding on my router so my public port 80 is routed to my raspberry pi port 3000, where the server listens. Port 443 is not forwarded, but afaik that shouldn’t be a problem. I have no idea how to troubleshoot this issue further.

Hi @bspoel,

This problem relates somehow to your DNS provider, not to your own devices or your own network configuration. I am not sure what the exact nature of the problem is, because I can do a DNS lookup, and I haven’t been able to diagnose it further—but I can see some SERVFAIL errors when I use the host command to try to look up your domain. One possibility (which I haven’t tried to confirm) is that it could be related to an incorrect DNSSEC configuration.

Thanks for the reply, I’ve asked my DNS provider to clarify.

It looks like your server is now replying to DNS queries


So you should try again and see if this is now resolved.

Andrei

I am still seeing the failures but am still not sure where they’re coming from.

I think there are at least 2 issues?

Unbound’s complaint about the negative records (causing it to return SERVFAIL) is clear enough, but I’m not certain what it means.

https://unboundtest.com/m/CAA/uren.acc.softenergy.nl/ZCEPTD4N

Oct 10 07:00:41 unbound[16994:0] debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
Oct 10 07:00:41 unbound[16994:0] info: validate(nodata): sec_status_bogus

Someone correct me if I’m wrong, but I think it means the servers are returning the wrong hostname’s NSEC records?

$ dig +dnssec +cd uren.acc.softenergy.nl aaaa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec +cd uren.acc.softenergy.nl aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48139
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;uren.acc.softenergy.nl.                IN      AAAA

;; AUTHORITY SECTION:
softenergy.nl.          2967    IN      SOA     ns1.metaregistrar.nl. beheer.metaregistrar.nl. 1 14400 3600 604800 3600
softenergy.nl.          2967    IN      RRSIG   SOA 8 2 86400 20171019000000 20170928000000 51508 softenergy.nl. DyNwhhs4SqCPQNxXkait1L88PlvfBjuZ5qq5JkmMvwyEi2W2MFrzfFtg L2+0Nl+9XvyxS/gPUdsz22lZB5WQPzBoqwdHUGuBAfMZYKVn3N4Y+WDu EqwuFbz6b4fjAOe077eBWsyd0AxjhQ8bJa8clZRAHeLhvYMfX5HJRzMg W9o=
softenergy.nl.          2967    IN      NSEC    crm.softenergy.nl. A NS SOA MX TXT RRSIG NSEC DNSKEY
softenergy.nl.          2967    IN      RRSIG   NSEC 8 2 3600 20171019000000 20170928000000 51508 softenergy.nl. biJ0D0cehbdKdw3tET3NoCJZoisfLYc8VUclLIKRof5aNUwTND3q62qH nBhb0R8szHIyuQ2wemFi/P9wtYIJGjwC7BZ90NfqlGz9LJxtf6mJMXmW C2qHlPx4nBIDAQvi5elUr9J8d4DXMtPDlA4NWh5oFLz7NJ55CoVjf8pB PHY=

;; Query time: 612 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Oct 10 06:59:24 UTC 2017
;; MSG SIZE  rcvd: 498

Versus, for example (real domain name substituted with example.com):

$ dig +dnssec www.example.com aaaa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec www.example.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9534
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.com.               IN      AAAA

;; AUTHORITY SECTION:
example.com.            3601    IN      SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017100900 43200 3600 604800 3601
example.com.            3601    IN      RRSIG   SOA 8 2 3601 20171019000000 20170928000000 43171 example.com. ZOz+Cd4XiEfutqQhvCtQcQYhpodXsS4h7lFLE6gbEhexSpZ4CReLI1Ce EdEnTaWSgsR89Ms5VKFpCvppmj4+4Zf48dL3g4/+/W/FSA6DmKZuwwdK Yk33UUKh4jf1zpW3N2N/X/dy7SO7DkamIVet9617cCPggh3+C/Eybdxa 51k=
www.example.com.        3601    IN      NSEC    example.com. A RRSIG NSEC
www.example.com.        3601    IN      RRSIG   NSEC 8 3 3601 20171019000000 20170928000000 43171 example.com. e4AS2cbeXXSDDNJDvW0m2yjNii3FdYWKP2DoVODM8NUl02teT1B2RHjU XgIhV5GbYV7wIa/pFGUwVDGjGRWX9vEuBPJla49ZKmfjG4IQRNHnuEGA Z9AayomHMrD7GSFpFvVcH2wUjKmgRYz9TplL2Vc3r6MBgPy/sN/9zjKc UpU=

;; Query time: 15 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Oct 10 07:02:38 UTC 2017
;; MSG SIZE  rcvd: 492

Additionally, the nameservers incorrectly return NXDOMAIN for empty non-terminals (instead of NODATA NOERROR):

$ dig +dnssec acc.softenergy.nl

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec acc.softenergy.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47369
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;acc.softenergy.nl.             IN      A

;; AUTHORITY SECTION:
softenergy.nl.          1912    IN      SOA     ns1.metaregistrar.nl. beheer.metaregistrar.nl. 1 14400 3600 604800 3600
softenergy.nl.          1912    IN      RRSIG   SOA 8 2 86400 20171019000000 20170928000000 51508 softenergy.nl. DyNwhhs4SqCPQNxXkait1L88PlvfBjuZ5qq5JkmMvwyEi2W2MFrzfFtg L2+0Nl+9XvyxS/gPUdsz22lZB5WQPzBoqwdHUGuBAfMZYKVn3N4Y+WDu EqwuFbz6b4fjAOe077eBWsyd0AxjhQ8bJa8clZRAHeLhvYMfX5HJRzMg W9o=
softenergy.nl.          1912    IN      NSEC    crm.softenergy.nl. A NS SOA MX TXT RRSIG NSEC DNSKEY
softenergy.nl.          1912    IN      RRSIG   NSEC 8 2 3600 20171019000000 20170928000000 51508 softenergy.nl. biJ0D0cehbdKdw3tET3NoCJZoisfLYc8VUclLIKRof5aNUwTND3q62qH nBhb0R8szHIyuQ2wemFi/P9wtYIJGjwC7BZ90NfqlGz9LJxtf6mJMXmW C2qHlPx4nBIDAQvi5elUr9J8d4DXMtPDlA4NWh5oFLz7NJ55CoVjf8pB PHY=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Oct 10 07:16:59 UTC 2017
;; MSG SIZE  rcvd: 493

If Let’s Encrypt runs Unbound with “harden-below-nxdomain: yes” (unboundtest.com’s example configuration doesn’t) it can return NXDOMAIN for “uren.acc.softenergy.nl.”.

http://dnsviz.net/d/uren.acc.softenergy.nl/WdxubA/dnssec/
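The denial-of-existence reasoning in the post above, worked through as an added Python example (this is not code from the thread, from Unbound or from the DNS provider). It applies the RFC 4034 canonical ordering and the NSEC proof rules to the records copied from the dig output: the single NSEC softenergy.nl → crm.softenergy.nl cannot prove NODATA for uren.acc.softenergy.nl AAAA (and in fact covers that name, i.e. claims it does not exist), but it does prove NXDOMAIN for acc.softenergy.nl, which is what a resolver with harden-below-nxdomain then extends to every name below it. The RECTIFIED chain at the bottom is an assumption about what a repaired zone would serve, not anything the servers returned.

```python
"""NSEC denial-of-existence checks as a validating resolver performs them.

Added example, not code from the thread or from Unbound. The softenergy.nl and
example.com records are copied from the dig output in the thread; the RECTIFIED
chain at the bottom is a constructed assumption about a repaired zone.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import takewhile


def labels(name: str) -> list[bytes]:
    """Labels root-first, lowercased; list comparison gives RFC 4034 s6.1 order."""
    name = name.rstrip(".").lower()
    return [] if not name else [lab.encode() for lab in reversed(name.split("."))]


def name_from_labels(labs: list[bytes]) -> str:
    return ".".join(lab.decode() for lab in reversed(labs)) + "."


def canonical_lt(a: str, b: str) -> bool:
    """True if a sorts before b in canonical order (an ancestor sorts first)."""
    return labels(a) < labels(b)


def is_subdomain(child: str, parent: str) -> bool:
    """True if child is strictly below parent."""
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[: len(p)] == p


def common_ancestor(a: str, b: str) -> list[bytes]:
    pairs = takewhile(lambda xy: xy[0] == xy[1], zip(labels(a), labels(b)))
    return [x for x, _ in pairs]


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset[str]

    def covers(self, name: str) -> bool:
        """owner < name < next; the last NSEC in the chain wraps around to the apex."""
        if canonical_lt(self.owner, self.next_name):
            return canonical_lt(self.owner, name) and canonical_lt(name, self.next_name)
        return canonical_lt(self.owner, name) or canonical_lt(name, self.next_name)

    def proves_nodata(self, qname: str, qtype: str) -> bool:
        """qname exists without qtype (RFC 4035 s3.1.3.1), or is an empty non-terminal."""
        if labels(self.owner) == labels(qname):
            return qtype not in self.types and "CNAME" not in self.types
        # ENT case: owner sorts before qname and the next name hangs below qname
        return canonical_lt(self.owner, qname) and is_subdomain(self.next_name, qname)

    def proves_nxdomain(self, qname: str) -> bool:
        """qname and the wildcard at its closest encloser are both covered (single-NSEC form)."""
        if not self.covers(qname):
            return False
        ce = max(common_ancestor(qname, self.owner), common_ancestor(qname, self.next_name), key=len)
        return self.covers(name_from_labels([*ce, b"*"]))


def resolver_rcode(qname: str, proven_nxdomain: set[str], harden_below_nxdomain: bool) -> str:
    """With harden-below-nxdomain (RFC 8020) a validated NXDOMAIN for an ancestor
    answers every name under it; otherwise the resolver asks upstream."""
    if harden_below_nxdomain and any(is_subdomain(qname, n) for n in proven_nxdomain):
        return "NXDOMAIN"
    return "lookup"


APEX_TYPES = frozenset("A NS SOA MX TXT RRSIG NSEC DNSKEY".split())
# AUTHORITY section returned for both uren.acc.softenergy.nl AAAA and acc.softenergy.nl A
SOFTENERGY_NSEC = NSEC("softenergy.nl.", "crm.softenergy.nl.", APEX_TYPES)
# The example.com comparison: the NSEC is owned by the queried name itself
EXAMPLE_NSEC = NSEC("www.example.com.", "example.com.", frozenset({"A", "RRSIG", "NSEC"}))
# Constructed assumption: a rectified chain that links uren.acc.softenergy.nl in.
# NSEC chains carry no record for the empty non-terminal acc.softenergy.nl itself.
RECTIFIED = [
    NSEC("softenergy.nl.", "uren.acc.softenergy.nl.", APEX_TYPES),
    NSEC("uren.acc.softenergy.nl.", "crm.softenergy.nl.", frozenset({"A", "RRSIG", "NSEC"})),
]


def thread_verdicts() -> dict[str, bool | str]:
    """What a validator concludes from each response in the thread."""
    nx = {"acc.softenergy.nl."}
    return {
        "nodata_aaaa_uren": SOFTENERGY_NSEC.proves_nodata("uren.acc.softenergy.nl.", "AAAA"),
        "nsec_covers_uren": SOFTENERGY_NSEC.covers("uren.acc.softenergy.nl."),
        "nxdomain_acc": SOFTENERGY_NSEC.proves_nxdomain("acc.softenergy.nl."),
        "nodata_aaaa_www_example": EXAMPLE_NSEC.proves_nodata("www.example.com.", "AAAA"),
        "uren_hardened": resolver_rcode("uren.acc.softenergy.nl.", nx, True),
        "uren_unhardened": resolver_rcode("uren.acc.softenergy.nl.", nx, False),
        "rectified_ent_acc": any(n.proves_nodata("acc.softenergy.nl.", "A") for n in RECTIFIED),
        "rectified_aaaa_uren": any(n.proves_nodata("uren.acc.softenergy.nl.", "AAAA") for n in RECTIFIED),
    }
```

`thread_verdicts()` returns `nodata_aaaa_uren` False (the NSEC owner is the apex, not the queried name, and crm.softenergy.nl does not hang below it, so the NODATA answer is bogus), `nsec_covers_uren` True (the same record asserts the name does not exist at all), `nxdomain_acc` True (the `ad` flag in the NXDOMAIN dig output is consistent with this) and `uren_hardened` "NXDOMAIN", which is the error acme.sh reported. With the assumed rectified chain both the ENT and the AAAA NODATA become provable.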

It seems that the problem is with the DNS provider, and only for sub-subdomains. I tried the script for a subdomain (acc.softenergy.nl) and it worked without a hitch. For now this is good enough, so thanks everyone for the help.

See if you can get them to run “pdnsutil rectify-zone softenergy.nl”. I’m not sure, but it might help. (Or maybe it’s sorted out, after your recent changes.)

Edit: It’s not fully sorted out, though acc.softenergy.nl does work now.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.