TTL and DNS server used by Let's Encrypt


#1

Hi there,
I updated the DNS records today and tried to generate a new SSL certificate on a new server immediately, but it failed. The reason is evident: the Let's Encrypt server or its internet service provider has a very long TTL for DNS. Even after 4 hours passed, I still cannot validate my DNS ownership and cannot generate a new SSL certificate.
Is there any way to clear the DNS cache used by Let's Encrypt? How long is the TTL?

thx


#2

Hi,

The DNS server Let's Encrypt uses to resolve your site's IP address is your domain's name server, so TTL shouldn't be a problem (unless you recently changed name servers and it hasn't propagated yet).

Thank you


#3

Let's Encrypt always asks the authoritative DNS servers and doesn't cache anything, and thus isn't affected by TTLs.

However, if your DNS server or provider has some kind of delay (some providers only update the zone files on the authoritative DNS servers a few times a day), that could also introduce a delay in certificate issuing.

If you’d post the hostname in question here, we could help try to debug the issue.


#4

I am not sure, because “nslookup site.com” shows me the right information…


#5

Hi @trialuser,

It would be useful to know the real domain name and also to see why you concluded that this was the underlying reason the certificates couldn’t be issued. Did you see a particular error message from a Let’s Encrypt client that showed an incorrect IP address or a DNS lookup failure?


#6

hi Schoen,
I launched letsencrypt (I am on Amazon Linux) in verbose mode and found out the root cause: our engineers did not remove the IPv6 record (AAAA); they only updated the IPv4 (A and CNAME) records when pointing to the new hosting.
And I see that IPv6 was used by default in the response received from https://acme-v01.api.letsencrypt.org/acme/new-cert when I submitted the request with letsencrypt.
thx
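Posts #3 and #6 together describe the check that would have caught this: Let's Encrypt asks the authoritative servers directly, so the records to inspect are the ones those servers publish for both A and AAAA, not what a local cache returns. The script below is an added example, not code from the Let's Encrypt project or from anyone in this thread. It builds a raw DNS query with the standard library only, sends it straight to a name server you choose (assumed to answer UDP on port 53 over IPv4, with answers fitting in one datagram), and flags a leftover AAAA record that would send an IPv6-capable validator to the old host. The host name, addresses and the built-in demo zone are constructed values from documentation ranges.

```python
"""Ask an authoritative name server for a host's A/AAAA records and compare
them with the addresses the new server should have (added example)."""
import socket
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
_TYPE_NAME = {TYPE_A: "A", TYPE_AAAA: "AAAA", TYPE_CNAME: "CNAME"}


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name, qtype, txid=0x1234):
    """One-question query with RD=0: we want the server's own data only."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_answers(msg):
    """Return [(owner, rtype, ttl, value)] from the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == TYPE_AAAA:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == TYPE_CNAME:
            value, _ = _read_name(msg, off)
        else:
            value = rdata.hex()
        records.append((owner, rtype, ttl, value))
        off += rdlen
    return records


def udp_query(nameserver, query, timeout=3.0):
    """Send the query to an IPv4 name server and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver, 53))
        return sock.recvfrom(4096)[0]


def audit_host(host, nameserver, expected_v4, expected_v6=None, transport=udp_query):
    """Compare authoritative A/AAAA answers with the intended addresses.
    A leftover AAAA is a problem even though it resolves: a validator that
    prefers IPv6 connects there instead of to the new IPv4 host."""
    seen = {"A": [], "AAAA": [], "CNAME": []}
    for qtype in (TYPE_A, TYPE_AAAA):
        for _, rtype, _, value in parse_answers(transport(nameserver, build_query(host, qtype))):
            key = _TYPE_NAME.get(rtype)
            if key and value not in seen[key]:
                seen[key].append(value)
    problems = []
    if expected_v4 not in seen["A"]:
        problems.append("A record does not include %s" % expected_v4)
    if expected_v6 is None and seen["AAAA"]:
        problems.append("stale AAAA %s still published" % ", ".join(seen["AAAA"]))
    elif expected_v6 is not None and expected_v6 not in seen["AAAA"]:
        problems.append("AAAA record does not include %s" % expected_v6)
    return {"records": seen, "problems": problems}


# Constructed demo zone (documentation ranges): the old AAAA was left behind.
DEMO_ZONE = {("www.example.com", TYPE_A): ["192.0.2.10"],
             ("www.example.com", TYPE_AAAA): ["2001:db8::1"]}


def demo_transport(nameserver, query):
    """Fake authoritative server answering from DEMO_ZONE, so the audit runs offline."""
    qname, off = _read_name(query, 12)
    qtype, = struct.unpack("!H", query[off:off + 2])
    values = DEMO_ZONE.get((qname, qtype), [])
    answers = b""
    for v in values:
        rdata = socket.inet_pton(socket.AF_INET if qtype == TYPE_A else socket.AF_INET6, v)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8400, 1, len(values), 0, 0)
    return header + query[12:off + 4] + answers


if __name__ == "__main__":
    # Real use: audit_host("www.example.com", "<authoritative NS IPv4>", "192.0.2.10")
    print(audit_host("www.example.com", "192.0.2.53", "192.0.2.10", transport=demo_transport))
```

Run it against each authoritative server listed in the domain's NS records (with the default `udp_query` transport) after a migration; an empty `problems` list on every server means the validator will see the new host regardless of any resolver cache in between.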


#7

I saw the wrong (old) value in the stack trace; this key was placed in the authorization file previously on the old server. In addition, I did not see any request from Let's Encrypt servers in my access log files.
That is why I decided it was related only to DNS :slight_smile:


#8

When you say "your DNS server", do you mean the name server (NS) where my domain is hosted?
If not, I don't understand why you think that the server "acme-v01.api.letsencrypt.org" can get the information about the DNS servers used in my system, especially if this is my local bind server…


#9

Yes.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.