I'm trying to automate issuing and renewal of wildcard certificates for my domains using the lego utility. I can't do this using certbot because there is no plugin available for my DNS provider (reg.ru). With lego, I can specify DNS resolvers, which will be checked before trying to validate the created TXT record on _acme-challenge. But I can't be sure that validation will pass, because I don't know exactly what DNS servers Let's Encrypt uses to validate my TXT record. Now I use the 8.8.8.8, 8.8.4.4, 1.1.1.1 and 1.0.0.1 servers to check the creation of the TXT record, but it doesn't work every time. Sometimes I get the error "No TXT record found at _acme-challenge.<mydomain>", despite the fact that the record was created on my DNS provider's servers and I can see it on other DNS servers. So my question is: which DNS servers can I use to ensure that the TXT record was successfully created and I can start validation?
P.S.: I saw an opinion that Let's Encrypt makes its own queries to the authoritative nameservers for the particular domain in question, but when I use ns1.reg.ru and ns2.reg.ru (reg.ru DNS servers) as DNS resolvers to check the record before validation, it also fails.
Without knowing the domain name there is not much we can say about this kind of problem.
But, yes, the DNS challenge will be validated using your authoritative name servers.
You can use this website to check your TXT records. It uses a method similar to the Let's Encrypt servers. For a TXT lookup be sure to enter the name as _acme-challenge.<mydomain>: https://unboundtest.com/
Then there is your problem.
All authoritative nameservers must be able to validate the TXT record request.
Perhaps you simply need to allow more time for them to synchronize.
I'm pretty sure that's a fact - you can use https://unboundtest.com/ to test your DNS record query in a similar way to how Let's Encrypt does it.
Generally you do need to leave a minute or so with a lot of DNS hosts for the authoritative nameserver to sync. Most acme clients have an option to adjust for this wait time (or they poll the nameservers to test them).
Thanks for the response! Yes, I can use https://unboundtest.com/ when manually issuing a certificate, but it won't help me in automating the process.
Most acme clients have an option to adjust for this wait time (or they poll the nameservers to test them).
Yes, lego does poll the nameservers; once it gets the right response, it will try to validate the record. Also I have set the propagation timeout to 40 minutes.
@rg305 I think there is some kind of misunderstanding. I use ns{1,2}.reg.ru as the servers to poll before starting validation, and they are responding with the right record, because lego is starting to try to validate the record with acme. But acme is responding that no record was found.
I'm trying to get a wildcard for *.dev.simple-customer.liis.su, so the TXT record is created on _acme-challenge.dev.simple-customer.liis.su.
Right now there are no TXT records, because lego creates the record only for passing the acme challenge and then removes it in any case, on failure or success.
Yes, sure.
I've created a new record on _acme-challenge.dev.simple-customer which contains the word "test".
Btw, I've successfully received a new certificate by adding 187.188.112.16 to the list of DNS servers to poll before validation, because it's one of the servers that synchronizes slowly. But I don't think it is really a good solution in the long run, so if you can suggest any other solutions, it'll be very helpful.
Let me make my point clearer:
You tested only one IP.
The name has eleven IPs.
It might be the case that each IP is a separate cluster member, and it takes time for all the members to synchronize.
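The last reply makes the practical point for anyone automating this: it is not enough to poll one resolver, or even one IP per nameserver name; every IP behind every NS record of the zone is a cluster member that may lag. The following is an added example, not code from the thread or from lego, showing the general pre-validation check: enumerate all NS names of the zone, expand each to all of its IPs, and poll each IP directly for the _acme-challenge TXT value until they all agree or a propagation timeout expires. The zone example.test, the nameserver names and the 192.0.2.x addresses are constructed for the demo (TEST-NET-1, not real servers); the simulated provider stands in for a DNS host whose members sync at different speeds. The optional real backend at the end assumes the dnspython library and is not required to run the demo.

```python
"""Poll every authoritative nameserver IP for an _acme-challenge TXT record
before handing the challenge to the CA (added example; constructed data)."""
import time
from typing import Callable, Dict, List, Optional, Tuple

# A query backend: (name, rrtype, server_ip) -> list of answer strings.
# server_ip=None means "use the default resolver" (for the NS/A/AAAA lookups).
QueryFn = Callable[[str, str, Optional[str]], List[str]]


def authoritative_ips(zone: str, query: QueryFn) -> List[str]:
    """Every IP behind every NS record of the zone; one NS name may have many."""
    ips = set()
    for ns_name in query(zone, "NS", None):
        for rrtype in ("A", "AAAA"):
            ips.update(query(ns_name.rstrip("."), rrtype, None))
    return sorted(ips)


def lagging_servers(name: str, expected: str, ips: List[str], query: QueryFn) -> List[str]:
    """IPs that do not yet return the expected TXT value when asked directly."""
    return [ip for ip in ips if expected not in query(name, "TXT", ip)]


def wait_for_propagation(name: str, expected: str, ips: List[str], query: QueryFn,
                         timeout: float = 600.0, interval: float = 10.0,
                         sleep=time.sleep, clock=time.monotonic) -> Tuple[bool, List[str], int]:
    """Poll until all IPs agree. Returns (ok, ips_still_lagging, polls_made)."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        lagging = lagging_servers(name, expected, ips, query)
        if not lagging:
            return True, [], polls
        if clock() >= deadline:
            return False, lagging, polls
        sleep(interval)


class SimulatedProvider:
    """Constructed stand-in for a DNS host whose cluster members sync at
    different speeds. lag[ip] = number of TXT polls that IP answers empty
    before it 'catches up' with the record the ACME client created."""

    def __init__(self, zone: str, ns_to_ips: Dict[str, List[str]], lag: Dict[str, int]):
        self.zone, self.ns_to_ips, self.lag = zone, ns_to_ips, dict(lag)
        self.txt: Dict[str, str] = {}
        self.seen = {ip: 0 for ips in ns_to_ips.values() for ip in ips}

    def create_txt(self, name: str, value: str) -> None:
        self.txt[name] = value

    def query(self, name: str, rrtype: str, server_ip: Optional[str]) -> List[str]:
        if rrtype == "NS" and name == self.zone:
            return list(self.ns_to_ips)
        if rrtype == "A":
            return list(self.ns_to_ips.get(name, []))
        if rrtype == "TXT" and server_ip in self.seen:
            self.seen[server_ip] += 1
            if self.seen[server_ip] <= self.lag.get(server_ip, 0):
                return []  # this cluster member has not synced yet
            return [self.txt[name]] if name in self.txt else []
        return []


def demo(timeout: float = 60.0):
    """Run the check against the simulated provider with a fake clock."""
    zone = "example.test"  # constructed zone name
    provider = SimulatedProvider(
        zone,
        {"ns1.example.test": ["192.0.2.1", "192.0.2.2"],
         "ns2.example.test": ["192.0.2.3", "192.0.2.4"]},
        lag={"192.0.2.4": 2},  # one member of ns2 lags two polls behind
    )
    name = f"_acme-challenge.dev.{zone}"
    provider.create_txt(name, "constructed-token")
    ips = authoritative_ips(zone, provider.query)
    now = [0.0]

    def fake_sleep(seconds: float) -> None:
        now[0] += seconds

    result = wait_for_propagation(name, "constructed-token", ips, provider.query,
                                  timeout=timeout, interval=10.0,
                                  sleep=fake_sleep, clock=lambda: now[0])
    return ips, result


def dnspython_query(name: str, rrtype: str, server_ip: Optional[str]) -> List[str]:
    """Optional real backend (assumption: dnspython is installed); not used by demo()."""
    import dns.exception
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=server_ip is None)
    if server_ip:
        resolver.nameservers = [server_ip]
    try:
        return [rr.to_text().strip('"') for rr in resolver.resolve(name, rrtype)]
    except dns.exception.DNSException:
        return []


if __name__ == "__main__":
    print(demo())
```

With the lagging member the check passes on the third poll; with a timeout shorter than two polling intervals it fails and names the IP that had not synced, which is the information the client needs to decide whether to keep waiting rather than start the challenge blind. To use this in front of a real client, pass `dnspython_query` as the backend and the zone's actual name.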