Let's Encrypt fails on nameserver?

Pzz (Verified User, joined May 20, 2013, location: The Hague area, The Netherlands)
Hi,

I just got a new VPS and DA Personal Plus and I tried to set up my initial admin domain, with one own nameserver and Let's Encrypt. And the last one fails.

I'd like to have my own nameserver (ns1.tarpes.nl) and my secondary nameserver is my ISP's nameserver. I found info about setting this up with AXFR on https://www.transip.be/knowledgebase/artikel/26-nameservers-instellen-transip-nameservers-secondary/ (in Dutch).

And https://intodns.com/tarpes.nl seems happy with it, so I guess it works, from a DNS perspective.
But activating LE gives this result:

Code:
2023/06/05 19:56:11 [INFO] [tarpes.nl] acme: Trying to solve DNS-01
2023/06/05 19:56:11 [INFO] [tarpes.nl] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2023/06/05 19:56:41 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2023/06/05 19:56:41 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 19:57:11 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 19:57:41 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 19:58:11 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 19:58:41 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 19:59:11 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 19:59:41 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 20:00:11 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 20:00:41 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 20:01:11 [INFO] [tarpes.nl] acme: Waiting for DNS record propagation.
2023/06/05 20:01:41 [INFO] [tarpes.nl] acme: Cleaning DNS-01 challenge
2023/06/05 20:01:41 2023/06/05 20:01:41  info executing task            task=action=dns&do=delete&domain=tarpes.nl&name=_acme-challenge&type=TXT

2023/06/05 20:01:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/234210030067
2023/06/05 20:01:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/234210030077
2023/06/05 20:01:42 Could not obtain certificates:
    error: one or more domains had a problem:
[*.tarpes.nl] time limit exceeded: last error: NS ns1.tarpes.nl. did not return the expected TXT record [fqdn: _acme-challenge.tarpes.nl., value: GA1koiJxXuhZEQwqE9AGFiusdSPVgiuindXOZDu_i3k]:
[tarpes.nl] time limit exceeded: last error: NS ns1.transip.nl. did not return the expected TXT record [fqdn: _acme-challenge.tarpes.nl., value: bxXA7lQ_2rK2vy6y9AHaUGNCsHGkLIQJqYv4IfTyuE4]:
Certificate generation failed.

I'm missing something somewhere...

GJ
Do you have set up IPv6 nameservers too?
Because the check is done at IPv6 and nothing is found there.
So if you have IPv6 but only IPv4 nameservers, then this can be the cause.
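To make the failure above easier to triage, here is an added example (not code from the thread, from DirectAdmin or from lego): it parses the "did not return the expected TXT record" lines into (domain, nameserver, fqdn, expected value) tuples, then runs the same kind of check the ACME client performs, asking every authoritative nameserver address, IPv4 and IPv6, for the `_acme-challenge` TXT record, and flags a nameserver that has no AAAA record at all, which is the IPv6 hypothesis raised in the reply. The DNS query is a pluggable function so the script runs offline; the nameserver addresses (203.0.113.x, 2001:db8::) and the answers they return are constructed for the demo, and a real run would plug in dnspython or `dig`.

```python
import re
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed sample: the two failure lines copied from the lego output in the post.
SAMPLE_LOG = """\
2023/06/05 20:01:42 Could not obtain certificates:
    error: one or more domains had a problem:
[*.tarpes.nl] time limit exceeded: last error: NS ns1.tarpes.nl. did not return the expected TXT record [fqdn: _acme-challenge.tarpes.nl., value: GA1koiJxXuhZEQwqE9AGFiusdSPVgiuindXOZDu_i3k]:
[tarpes.nl] time limit exceeded: last error: NS ns1.transip.nl. did not return the expected TXT record [fqdn: _acme-challenge.tarpes.nl., value: bxXA7lQ_2rK2vy6y9AHaUGNCsHGkLIQJqYv4IfTyuE4]:
"""

# Matches lego's "[domain] ... NS <ns> did not return the expected TXT record [fqdn: ..., value: ...]"
FAILURE_RE = re.compile(
    r"^\[(?P<domain>[^\]]+)\] .*?NS (?P<ns>\S+) did not return the expected TXT record "
    r"\[fqdn: (?P<fqdn>\S+), value: (?P<value>[^\]]+)\]"
)


def parse_failures(log: str) -> List[Dict[str, str]]:
    """Extract domain, nameserver, challenge fqdn and expected token from lego error lines."""
    found = []
    for line in log.splitlines():
        m = FAILURE_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


# A query function takes (nameserver address, fqdn) and returns the TXT strings that
# server answered with; an empty list stands for NXDOMAIN, NODATA or a timeout.
QueryFn = Callable[[str, str], Sequence[str]]


def check_propagation(
    fqdn: str,
    expected: str,
    ns_addresses: Dict[str, Sequence[str]],  # nameserver name -> its A/AAAA addresses
    query: QueryFn,
) -> List[Tuple[str, str, str]]:
    """Return (nameserver, address, reason) for every authoritative address that does not
    serve the expected TXT value. A nameserver with no AAAA record is flagged as well,
    because a client that resolves over IPv6 only can never reach its working IPv4 side."""
    problems: List[Tuple[str, str, str]] = []
    for ns, addrs in ns_addresses.items():
        if not addrs:
            problems.append((ns, "", "nameserver has no address records"))
            continue
        if not any(":" in a for a in addrs):
            problems.append((ns, "", "no AAAA record: unreachable from IPv6-only resolvers"))
        for addr in addrs:
            answers = list(query(addr, fqdn))
            if expected not in answers:
                reason = "no TXT answer" if not answers else f"TXT present but wrong value(s): {answers}"
                problems.append((ns, addr, reason))
    return problems


def demo() -> Dict[str, List[Tuple[str, str, str]]]:
    """Run the check for every failure in SAMPLE_LOG against a constructed picture of the
    authoritative servers (documentation addresses, not the real ones)."""
    # Constructed: the primary has only an IPv4 address and serves the first token;
    # the AXFR secondary has IPv4 and IPv6 but has not transferred the zone yet.
    ns_addresses = {
        "ns1.tarpes.nl.": ["203.0.113.10"],
        "ns1.transip.nl.": ["203.0.113.20", "2001:db8::20"],
    }
    served = {
        "203.0.113.10": ["GA1koiJxXuhZEQwqE9AGFiusdSPVgiuindXOZDu_i3k"],
        "203.0.113.20": [],
        "2001:db8::20": [],
    }

    def fake_query(addr: str, name: str) -> Sequence[str]:
        return served.get(addr, []) if name == "_acme-challenge.tarpes.nl." else []

    report = {}
    for f in parse_failures(SAMPLE_LOG):
        report[f["domain"]] = check_propagation(f["fqdn"], f["value"], ns_addresses, fake_query)
    return report


if __name__ == "__main__":
    for domain, problems in demo().items():
        print(domain)
        for ns, addr, reason in problems:
            print(f"  {ns} {addr or '-'}: {reason}")
```

One detail the report makes visible: the apex and the wildcard are two separate authorizations that use the same name, `_acme-challenge.tarpes.nl`, so the primary has to serve both TXT values at once and the secondary has to have transferred both before the client stops waiting; a secondary that is still on the previous zone serial fails both checks even when the primary is correct.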
Another thing... don't you want to have a decent hostname like server.tarpes.nl instead of the xxx-colo.transip.net hostname?
If yes (or if you already have) you should also fix your rDNS/PTR record.
I did have a decent hostname (it worked) but I've created a PTR now, and my IPv6 range /48 was already available in DA. But can I create automatically (sort of) an AAAA record with one of my available IPv6 addresses?

IPv6 settings seem to be active (new install, it should work out of the box)

(https://docs.directadmin.com/directadmin/general-usage/managing-ips.html):
You can assign IPs to Users normally, as with IPv4. As of 1.37.0, the multi-IP system allows you to assign both an IPv4 and IPv6 IP to an account. See the above guide on how to do that.
Does this also work for admin domains? Or should I just pick one of the IPv6 addresses and create a record by hand?
I'm moving forward.

The problems seem to be reduced to my hostname server.tarpes.nl. This one doesn't have a certificate yet. The domain does have a certificate.

I checked "Using the free Let's Encrypt tool to secure Port 2222 via the Hostname", but that doesn't seem to work, due to an error

Code:
Setting up certificate for a hostname: server.tarpes.nl
server.tarpes.nl was skipped due to unreachable http://server.tarpes.nl/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

I didn't create a subdomain (should I? I guess not. And DA wouldn't let me because it's the servername). I did create an A and AAAA record in my DNS.
I didn't create a subdomain (should I? I guess not. And DA wouldn't let me because it's the servername). I did create an A and AAAA record in my DNS.
I'm almost sure that is what is causing your issue: the fact that you have it in your tarpes.nl DNS.

Also, it's called an FQDN hostname, not a subdomain, although the name looks like a subdomain. But a subdomain is created from the domain name in DNS in DA, the hostname is not.

So imho the best way to fix this:
1.) As user, remove server.tarpes.nl from the tarpes.nl domain (only the server entries, the A and AAAA records, not the whole domain)
2.) As admin, go into DNS administration, create a new DNS zone and use server.tarpes.nl as domain name there, enter the default ns1 and ns2 and the main IP address.
3.) Go into SSH as root and request the SSL certificate as should be done:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single server.tarpes.nl 4096

You might want to wait with step 3 for half an hour, so the hostname will be really reachable and be found by the whole world (including Let's Encrypt).

It works with your tips @Richard G!

I tried to find some info about this admin-level DNS zone but failed so far to find out what I missed scanning the DA docs. Now that I know what to look for I still can't find a proper explanation or tutorial.
I still can't find a proper explanation or tutorial.
It's because it is not in there.
Up to a few versions ago (1.641), DirectAdmin would take the hostname and create a DNS zone for it automatically and all was fine.
Then they stopped with it and started using a new method.
This was done so that even when the hostname was not set up correctly, it was possible to get an SSL certificate for it.

This will be a 192-168-0-1.da.direct hostname, where 192-168-0-1 is the IP of the server. I didn't check, but you might find a DNS entry like that in DNS administration.

However, the problem is this is not your hostname, it's from DA. Probably it's usable, but you can't manage DNS for it and I don't even know if SPF can be set up for it. So yes, it might have SSL, but other issues are encountered at a later stage, so I don't quite yet understand the benefit of this.

So imho best practice is to (after installation) set up everything correctly with your own hostname.

I don't know if DA thinks a proper own hostname is not needed anymore, or why this is not to be found in the docs (yet).
Maybe @fln can enlighten us about that.