TTL and DNS server used by Lets Encrypt

trialuser · June 27, 2018, 5:54pm

Hi there,
I updated the DNS records today, and tried to generate new SSL on a new server immediately, but it failed. The reason is evident: Lets Encrypt server or its internet service provider has a very long TTL for DNS. Even when 4 hours passed - i still cannot validate my DNS ownership and cannot generate new SSL.
Is there any way to clear the DNS cache used by Lets Encrypt? How long the TTL?

thx

stevenzhu · June 27, 2018, 6:11pm

Hi,

The DNS server let’s encrypt used to resolve your site’s IP address is your domain name server, so it shouldn’t be a problem for ttl (unless you recently changed name server and hasn’t propergate yet)

Thank you

Osiris · June 27, 2018, 6:12pm

Let's Encrypt always asks the authoritive DNS servers and doesn't cache anything and thus isn't affected by TTLs.

However, if your DNS server or provider has some kind of delay (some providers only update the zone files on the authorative DNS servers a few times a day), that cóuld also introduce a delay in certificate issuing.

If you'd post the hostname in question here, we could help try to debug the issue.

trialuser · June 27, 2018, 6:17pm

I am not sure, because “nslookup site.com” shows me the right information…

schoen · June 27, 2018, 6:27pm

Hi @trialuser,

It would be useful to know the real domain name and also to see why you concluded that this was the underlying reason the certificates couldn’t be issued. Did you see a particular error message from a Let’s Encrypt client that showed an incorrect IP address or a DNS lookup failure?

trialuser · June 27, 2018, 7:03pm

hi Schoen,
I launched letsencrypt (I am on Amazon Linux) in verbose mode and found out the root cause: our engineers did not remove the IPv6 record (AAAA), just only updated IPv4 (A and CNAME) records when pointed on a new hosting.
And I see there was used IPv6 by default in the response gotten from https://acme-v01.api.letsencrypt.org/acme/new-cert when I submitted the request with letsencrypt.
.
thx

trialuser · June 27, 2018, 7:07pm

I saw the wrong (old) value in the stack trace, this key was placed in the authorization file previously on old server. In additional I did not see any request from Let's Encrypt servers in my access log files.
it is why I decided it is related only to DNS

trialuser · June 27, 2018, 7:10pm

when you say "you DNS server" - do you mean the name server (NS) where my domain is hosted?
If not - I don't undertsand why you think that the server "acme-v01.api.letsencrypt.org" can get the information about the DNS servers used in my system, especially if this is my local bind server..

Osiris · June 27, 2018, 7:13pm

Yes.

system · July 27, 2018, 7:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.