certbot and acme-dns-certbot.py work well to get certificates for several domains, wildcard or not.
I have a problem renewing one wildcard TLS certificate (foo.org, *.foo.org):
```
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: foo.org
Type: dns
Detail: During secondary validation: DNS problem: NXDOMAIN looking
up TXT for _acme-challenge.foo.org - check that a DNS record
exists for this domain
Domain: foo.org
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.foo.org - check that a DNS record exists for
this domain
```
The only cause I can see is a limited propagation of the CNAME record for _acme-challenge.foo.org (with a value like 47fc-****.auth.acme-dns.io.):
Only cloudflare shows the expected resource record while other domain names are propagated on all main nameservers (cloudflare opendns yandex quad9 google).
1/ Have you experienced such a problem?
2/ Can you check if some settings could be changed on auth.acme-dns.io. to improve propagation?
3/ Is there an option to force using a nameserver which is known to deliver the expected CNAME record?
Side question: is running one's own instance of acme-dns (with the go program, etc. instead of using auth.acme-dns.io.) known to improve this issue?
Thanks.
EDIT
I could have the DNS cache flushed for google, etc.
Now _acme-challenge.foo.org has correct CNAME record.
But still the following errors:
```
- The following errors were reported by the server:
Domain: foo.org
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.foo.org - check that a DNS record exists for
this domain
Domain: foo.org
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.foo.org - check that a DNS record exists for
this domain
```
then simply:
```
- The following errors were reported by the server:
Domain: foo.org
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.foo.org - check that a DNS record exists for
this domain
```
or again and mainly the 2 items error.
I don't understand why there is a "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.foo.org" because there is a CNAME record for _acme-challenge.foo.org to ****.auth.acme-dns.io. where 2 TXT records are generated with a TTL of 1 s.
Is it an incorrect message from certbot?
Cause of the trouble: there was a misconfiguration of NS.
That's why the CNAME was poorly propagated on name servers.
Suggestion: what about checking that the CNAME record for _acme-challenge.foo.org to ****.auth.acme-dns.io. is CORRECT instead of a cryptic "Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.foo.org - check that a DNS record exists for this domain", because these TXT records are managed by auth.acme-dns.io.
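
The pre-flight check suggested above, as an added example that is not part of the original issue and is not code from certbot or acme-dns: it compares the `_acme-challenge` CNAME and the zone's NS set across the public resolvers named in the thread before a renewal is attempted. The function names, the `SAMPLE_TARGET` placeholder and the sample lookup data are assumptions made for illustration; the default lookup assumes `dig` is installed.

```python
import subprocess

# Public resolvers named in the issue, with their well-known addresses.
RESOLVERS = {"cloudflare": "1.1.1.1", "google": "8.8.8.8", "quad9": "9.9.9.9",
             "opendns": "208.67.222.222", "yandex": "77.88.8.8"}

def dig_lookup(server, name, rtype):
    """Ask one resolver for one record type with dig (needs network access)."""
    out = subprocess.run(["dig", "+short", f"@{server}", name, rtype],
                         capture_output=True, text=True, timeout=10).stdout
    return sorted(l.strip().lower() for l in out.splitlines() if l.strip())

def check_delegation(domain, expected_target, lookup=dig_lookup, resolvers=RESOLVERS):
    """Return a list of findings; an empty list means all resolvers agree."""
    name = f"_acme-challenge.{domain}"
    expected = expected_target.lower().rstrip(".") + "."
    findings, ns_views = [], {}
    for label, ip in resolvers.items():
        ns_views[label] = tuple(lookup(ip, domain, "NS"))
        cname = lookup(ip, name, "CNAME")
        if not cname:
            findings.append(f"{label}: no CNAME for {name}")
        elif cname != [expected]:
            findings.append(f"{label}: CNAME {cname} != {expected}")
    # Heuristic: resolvers disagreeing on the zone's NS set points at the
    # delegation itself (the root cause reported in this issue).
    if len(set(ns_views.values())) > 1:
        findings.append(f"NS sets differ between resolvers: {ns_views}")
    return findings

# Constructed sample data: only one resolver sees the new NS set and the CNAME.
SAMPLE_TARGET = "placeholder-subdomain.auth.acme-dns.io"  # placeholder, not a real account

def sample_lookup(server, name, rtype):
    fresh = server == "1.1.1.1"
    if rtype == "NS":
        return ["ns1.new-dns.example."] if fresh else ["ns1.old-dns.example."]
    if rtype == "CNAME" and fresh:
        return [SAMPLE_TARGET + "."]
    return []

if __name__ == "__main__":
    for line in check_delegation("foo.org", SAMPLE_TARGET, lookup=sample_lookup):
        print(line)
```

Calling `check_delegation("foo.org", "<your acme-dns subdomain>.auth.acme-dns.io")` without the `lookup` argument runs the same comparison against the live resolvers.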