rares
February 21, 2023, 3:33pm
Hi,
I’ve recently migrated to 0.61.1, configured a dedicated domain, everything seems to be running smoothly with the exception of TLS (SSL) certificate for the box domain.
Let’s encrypt log:
"DNS problem: SERVFAIL looking up CAA for treelet.email - the domain's nameservers may be malfunctioning"
I’ve glued ns1.box.treelet.email and ns2.box.treelet.email, all system checks are green with the exception of TLS (SSL).
Any pointers? Isn’t the box dns supposed to resolve the letsencrypt challenge?
Thank you in advance, and also for this great product.
Rares
rares
February 21, 2023, 3:41pm
I did some further troubleshooting and found the challenge is HTTP-based, not DNS.
2023-02-21 17:36:04,693:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/205283304466 HTTP/1.1" 200 989
2023-02-21 17:36:04,693:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 21 Feb 2023 15:36:04 GMT
Content-Type: application/json
Content-Length: 989
Connection: keep-alive
Boulder-Requester: 974507376
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: C4004bMFBrI7J3cHWwteUP5_txN8yKYe5S06-xgXBr5aQF8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "box.treelet.email"
},
"status": "invalid",
"expires": "2023-02-28T15:35:58Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: SERVFAIL looking up CAA for treelet.email - the domain's nameservers may be malfunctioning",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/205283304466/B1bnow",
"token": "0PLxwtgueQObsnXnfMUnXX29ZsM2kOo06psHs2ffneQ",
"validationRecord": [
{
"url": "http://box.treelet.email/.well-known/acme-challenge/0PLxwtgueQObsnXnfMUnXX29ZsM2kOo06psHs2ffneQ",
"hostname": "box.treelet.email",
"port": "80",
"addressesResolved": [
"3.66.149.70"
],
"addressUsed": "3.66.149.70"
}
],
"validated": "2023-02-21T15:35:59Z"
}
]
}
rares
February 21, 2023, 4:16pm
Did further troubleshooting and I think there is nothing wrong with the HTTP challenge; the .well-known/ path works as intended.
After reading this: "DNS problem: SERVFAIL looking up CAA - #8 by Raquel - Help - Let's Encrypt Community Support"
I am back to thinking this is a MIAB DNS server issue.
666666
February 23, 2023, 11:54am
Just check the status of bind9 with: service bind9 status. If any errors are found, restart it with: service bind9 restart, then provision TLS (SSL).
rares
February 23, 2023, 12:15pm
Thank you for your suggestion.
Tried it, same result.
Are you still on this? If I look at the nameservers of the domain treelet.email, I get the following:
ns-1341.awsdns-39.org
ns-1567.awsdns-03.co.uk
ns-468.awsdns-58.com
ns-821.awsdns-38.net
Are you hosting DNS on your box? If so, you not only need to create the glue records, but also to change the nameservers of the domain at your domain registrar.
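The two lookups this reply hinges on, as an added example that is not from the thread or from the Mail-in-a-Box project: a stdlib-only Python stub resolver that asks for the CAA record at the registered domain (the query Let's Encrypt reported as SERVFAIL) and for the NS set the parent zone publishes, then compares that published delegation with the box's own nameservers. Glue records only tell the parent where ns1/ns2 live; if the registrar still delegates to other servers, the glue is never consulted. The resolver address 9.9.9.9, the packet builders and the sample responses constructed for the offline path are assumptions; the awsdns and box nameserver names are the ones quoted in the thread.

```python
import random
import socket
import struct

# Assumption: a plain UDP resolver on port 53 is reachable when run live; the
# offline path (build_response) constructs responses itself and needs no network.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"NS": 2, "CAA": 257}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def build_query(name, qtype, txid):
    """One question, recursion desired, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def caa_rdata(flags, tag, value):
    """CAA RDATA (RFC 8659): flags byte, tag length, tag, value."""
    return bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")


def build_response(query_msg, rcode, answers=()):
    """Construct a response to query_msg; answers are (owner, type name, rdata) tuples.
    Used here only to fabricate sample responses for offline runs."""
    txid, _, qdcount, _, _, _ = struct.unpack("!HHHHHH", query_msg[:12])
    flags = 0x8180 | (rcode & 0xF)  # QR, RD and RA set, plus the RCODE
    body = query_msg[12:]  # question section copied verbatim
    for owner, qtype, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", QTYPES[qtype], 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, qdcount, len(answers), 0, 0) + body


def parse_response(msg):
    """Return {'rcode': name, 'answers': [(type, text), ...]} for NS and CAA answers."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPES["NS"]:
            answers.append(("NS", decode_name(msg, off)[0]))
        elif rtype == QTYPES["CAA"]:
            taglen = msg[off + 1]
            tag = msg[off + 2:off + 2 + taglen].decode("ascii")
            value = msg[off + 2 + taglen:off + rdlen].decode("ascii")
            answers.append(("CAA", f"{msg[off]} {tag} {value}"))
        off += rdlen
    return {"rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}


def query(name, qtype, resolver="9.9.9.9", timeout=3.0):
    """Live lookup over UDP (network required); the resolver address is an assumption."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != struct.pack("!H", txid):
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def assess(caa_resp, ns_resp, box_ns):
    """Turn the two lookups into the findings that decide whether the CA can issue."""
    findings = []
    if caa_resp["rcode"] not in ("NOERROR", "NXDOMAIN"):
        findings.append(f"CAA lookup returned {caa_resp['rcode']}; the CA treats that as a failed check")
    published = sorted(v for t, v in ns_resp["answers"] if t == "NS")
    wanted = sorted(n.rstrip(".").lower() for n in box_ns)
    if published != wanted:
        findings.append("delegation points at " + ", ".join(published)
                        + "; glue records alone do not move it to " + ", ".join(wanted))
    return findings or ["ok"]


if __name__ == "__main__":
    import sys  # usage: python caa_delegation_check.py treelet.email ns1.box.treelet.email ns2.box.treelet.email
    domain, box_ns = sys.argv[1], sys.argv[2:]
    for finding in assess(query(domain, "CAA"), query(domain, "NS"), box_ns):
        print(finding)
```

Run live with the registered domain followed by the box's nameservers; a SERVFAIL on the CAA query or an NS set that does not match the box is exactly the state the thread ended in, and the second finding names the servers the registrar actually delegates to, which is the record that has to change.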
rares
February 25, 2023, 3:36pm
Thanks.
I have given up and moved to an external DNS.
No more errors.