In the parent zone (xxx.cloud at OVH), vpn.xxx.cloud is delegated via NS to our ADNS: currently gslb-rzka.xxx.cloud (NetScaler/ADC).
We place the ACME TXT only on the NetScaler ADNS (no TXT at OVH).
Procedure:
Created order → received DNS-01 challenge.
Set TXT on _acme-challenge.vpn.xxx.cloud, TTL 60s, value e.g.:
GXYm0m3saDc1z...7hVBCQsI
Ran Send-ChallengeAck.
Finalization fails with:
Submit-OrderFinalize : Order 'vpn.xxx.cloud' status is 'pending'. It must be 'ready' to finalize.
Observations:
The TXT is visible from the internet (DNSChecker shows green in all regions).
Nevertheless, the authorization remains pending.
I suspect an issue with the redirect/delegation, even though everything arrives on the NetScaler and nothing is blocked by the firewall.
Has anyone successfully handled a redirect to a NetScaler and obtained a Let’s Encrypt certificate using DNS validation through it?
You cannot finalize the order until it is ready. Did you check the authorization status before the finalize? Perhaps you just tried to finalize too quickly before the auth was complete and the order set to a ready state.
@MikeMcQ is wise. @nah1883 It sounds like you didn't check the status of your authorizations or refresh your order status after the ChallengeAck call(s).
When using a normal challenge plugin, the module essentially runs Get-PAOrder | Get-PAAuthorization on a loop after calling Send-ChallengeAck waiting for all of the auths to flip to either valid or invalid. If any are invalid, it throws an error with the associated message. If they're all valid, it does a Get-PAOrder -Refresh to get the updated order status and then continues with the finalization.
The domain is "vpn.pluta.cloud". The order should be finalized because after creating the TXT record, I also trigger a DNS refresh to ensure everything is up to date. After that, I can see in the DNS checker that the TXT record is published, but the validation still fails.
If I run a manual request to vpn.pluta.cloud using certbot with the parameters certonly --manual --preferred-challenges dns, I get the following error: Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: vpn.pluta.cloud
Type: dns
Detail: During secondary validation: While processing CAA for vpn.pluta.cloud: DNS problem: SERVFAIL looking up CAA for vpn.pluta.cloud – the domain's nameservers may be malfunctioning.
Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt. Some challenges have failed.
It is also important to note that if I use my script to request a certificate for a domain that does not redirect to the NetScaler, the process works. This indicates that the issue is likely related to the NetScaler.
That error indicates that your NetScalers (or whatever is serving the DNS zone for that specific name) don't know how to respond to CAA record requests and instead respond with a SERVFAIL error.
It appears that the issue is that you do not have an SOA record (RFC 1035 section 3.3.13), so recursive name servers such as unbound treat that as a lame delegation (RFC 2308 section 2.2). DNSViz is probably more useful for debugging this issue: vpn.pluta.cloud | DNSViz
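The sequence rmbolger describes (poll the authorizations after Send-ChallengeAck, then Get-PAOrder -Refresh before finalizing), combined with the SOA and TXT pre-check that the later replies point at, as an added example written for this thread rather than Posh-ACME's own code. It assumes Posh-ACME is loaded with a current account, that Get-KeyAuthorization -ForDNS and Resolve-DnsName are available on the host, and uses placeholder names for the domain and the NetScaler ADNS.

```powershell
# Added example (not Posh-ACME's own code): verify the delegated zone answers
# correctly, ack the dns-01 challenges, wait for the CA to settle them, refresh
# the order and only then finalize. Domain and nameserver below are placeholders.
$domain = 'vpn.example.test'      # placeholder for the delegated name
$adns   = 'gslb.example.test'     # placeholder for the delegated zone's ADNS

function Wait-PAAuthorization {
    param([string]$MainDomain, [int]$TimeoutSec = 300, [int]$IntervalSec = 10)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        # Re-read every authorization from the CA; status only changes server-side
        $auths = Get-PAOrder -MainDomain $MainDomain | Get-PAAuthorization
        $bad = @($auths | Where-Object { $_.DNS01Status -eq 'invalid' })
        if ($bad.Count -gt 0) {
            $bad | ForEach-Object { Write-Warning "$($_.fqdn): dns-01 challenge is invalid" }
            throw 'At least one authorization is invalid; inspect Get-PAAuthorization output.'
        }
        $pending = @($auths | Where-Object { $_.DNS01Status -ne 'valid' })
        if ($pending.Count -eq 0) { return $auths }
        Start-Sleep -Seconds $IntervalSec
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutSec s waiting for authorizations to become valid."
}

# 1. Create the order and collect the dns-01 challenge for each name
$order = New-PAOrder -Domain $domain
$auths = $order | Get-PAAuthorization

# 2. Before acking, ask the delegated nameserver directly: it must answer SOA for
#    the zone (no SOA reads as a lame delegation) and serve the expected TXT value.
foreach ($a in $auths) {
    $expected = Get-KeyAuthorization -Token $a.DNS01Token -ForDNS
    $soa = Resolve-DnsName -Name $a.fqdn -Type SOA -Server $adns -DnsOnly -ErrorAction SilentlyContinue
    if (-not ($soa | Where-Object Type -eq 'SOA')) { throw "$adns returned no SOA for $($a.fqdn)" }
    $txt = Resolve-DnsName -Name "_acme-challenge.$($a.fqdn)" -Type TXT -Server $adns -DnsOnly -ErrorAction SilentlyContinue
    if (-not ($txt | Where-Object { $_.Strings -contains $expected })) {
        throw "TXT for _acme-challenge.$($a.fqdn) on $adns does not contain the expected value"
    }
    Send-ChallengeAck -ChallengeUrl $a.DNS01Url
}

# 3. Wait for valid/invalid, refresh the order, and finalize only when it is 'ready'
$null  = Wait-PAAuthorization -MainDomain $domain
$order = Get-PAOrder -MainDomain $domain -Refresh
if ($order.status -ne 'ready') { throw "Order status is '$($order.status)', expected 'ready'." }
Submit-OrderFinalize
```

The pre-check only covers what this thread diagnosed (SOA and the TXT); the CA also queries CAA on the same server, so a SERVFAIL there still fails validation even when both checks pass.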