Let's Encrypt wildcard certificates failing with version 2 letsencrypt script.

Hi again,
I still have trouble with domains which have sdns2.ovh.net as secondary NS server.... and only if I want an SSL WILDCARD; without wildcard it's working fine.... why?! Any ideas why only with OVH?
It has to be something with SDNS2.OVH.NET but I don't know what.... it's 4-5 different servers and every time the same problem with that stupid DNS and wildcard....
TTL is 5....


Code:
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2022/09/22 11:52:30 [INFO] [domain.com, *.domain.com] acme: Obtaining SAN certificate
2022/09/22 11:52:30 [INFO] [*.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/155972872137
2022/09/22 11:52:30 [INFO] [domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/156253323067
2022/09/22 11:52:30 [INFO] [domain.com] acme: authorization already valid; skipping challenge
2022/09/22 11:52:30 [INFO] [*.domain.com] acme: use dns-01 solver
2022/09/22 11:52:30 [INFO] [*.domain.com] acme: Preparing to solve DNS-01
2022/09/22 11:52:33 [INFO] [*.domain.com] acme: Trying to solve DNS-01
2022/09/22 11:52:33 [INFO] [*.domain.com] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2022/09/22 11:53:03 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2022/09/22 11:53:03 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:53:34 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:54:04 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:54:34 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:55:04 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:55:34 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:56:04 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:56:35 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:57:05 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:57:35 [INFO] [*.domain.com] acme: Waiting for DNS record propagation.
2022/09/22 11:58:05 [INFO] [*.domain.com] acme: Cleaning DNS-01 challenge
2022/09/22 11:58:07 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/155972872137 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0002FOcOiN8H77uPvHHb_mJL4-eq-c2C5xRbpRH_4C2Pksc"
2022/09/22 11:58:08 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/155972872137
2022/09/22 11:58:08 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/156253323067
2022/09/22 11:58:08 Could not obtain certificates:
    error: one or more domains had a problem:
[*.domain.com] time limit exceeded: last error: NS sdns2.ovh.net. did not return the expected TXT record [fqdn: _acme-challenge.domain.com., value: 92QPvZ0rtEpMUcalTGyS6IRrhBWSnkC-0kGRbD0uvQY]: 4xeRc0v_haOWcolsq1jzvFLBnSxmKdPMgqrtwO1p9CI
Certificate generation failed.
 
last error: NS sdns2.ovh.net. did not return the expected TXT record [fqdn: _acme-challenge.domain.com., value: 92QPvZ0rtEpMUcalTGyS6IRrhBWSnkC-0kGRbD0uvQY]: 4xeRc0v_haOWcolsq1jzvFLBnSxmKdPMgqrtwO1p9CI Certificate generation failed.
Be sure that this line exists in your DNS.
 
It looks like maybe 5 minutes is not much for a local domain in DirectAdmin? Even if TTL is only 5.... maybe it should be 10 minutes?
 
I am not certain how your DNS is set up; is your DNS managed by OVH? There seem to be some sync problems.
 
I have the domain at some domain provider (not OVH) - I entered those NS servers there and I can manage this domain on my server in DirectAdmin.. that's all.... a normal, simple thing :)

My /etc/named.conf


Code:
options {
        allow-transfer { 213.251.188.141; };
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
 
allow-transfer { 213.251.188.141; };
I don't know what you do, but only sdns2.ovh.net is allowed to transfer records.

For wildcard, you either need your own nameservers, or use LEGO, or create some solution yourself so the records get copied fast enough to your external nameservers.

DA will not copy records automatically to your sdns2.ovh.net server, if that even allows you to change records, because it's from OVH. So I think there is your issue.
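A way to see which authoritative nameserver is the one lagging behind, as an added example (not code from the thread, DirectAdmin or lego): it queries every NS for the _acme-challenge TXT record the way the client's propagation check does, and polls with the same 5m0s/30s values as the log above. The real lookup uses dnspython; the `ns1.da-host.example` primary and the stale-secondary scenario are constructed, and the lookup function is injectable so the scenario runs offline.

```python
"""Which authoritative nameserver has not picked up the _acme-challenge TXT record
yet? Added example, not from the thread/DirectAdmin/lego; 'constructed' = made up."""
import time
from typing import Callable, Dict, List, Set

# lookup(nameserver, fqdn) -> set of TXT strings that nameserver answers with
Lookup = Callable[[str, str], Set[str]]

def check_propagation(fqdn: str, expected: str, nameservers: List[str],
                      lookup: Lookup) -> Dict[str, bool]:
    """Per authoritative NS: does it already serve the expected TXT value?"""
    return {ns: expected in lookup(ns, fqdn) for ns in nameservers}

def lagging_nameservers(fqdn: str, expected: str, nameservers: List[str],
                        lookup: Lookup) -> List[str]:
    """The servers that make the client log 'NS ... did not return the expected TXT record'."""
    return sorted(ns for ns, ok in
                  check_propagation(fqdn, expected, nameservers, lookup).items() if not ok)

def wait_for_propagation(fqdn: str, expected: str, nameservers: List[str],
                         lookup: Lookup, timeout: int = 300, interval: int = 30,
                         sleep: Callable[[float], None] = time.sleep) -> List[str]:
    """Poll with the 5m0s timeout / 30s interval from the log in the thread; return
    the nameservers still lagging when we give up (empty list = all in sync)."""
    elapsed = 0
    while True:
        lagging = lagging_nameservers(fqdn, expected, nameservers, lookup)
        if not lagging or elapsed >= timeout:
            return lagging
        sleep(interval)
        elapsed += interval

def dns_lookup(nameserver_ip: str, fqdn: str) -> Set[str]:
    """Real lookup with dnspython (pip install dnspython), asking the authoritative server directly."""
    import dns.exception, dns.resolver  # lazy: the rest of the file runs without it
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [nameserver_ip]  # IP of the NS, so no caching resolver is in between
    resolver.lifetime = 5.0
    try:
        answer = resolver.resolve(fqdn, "TXT")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.exception.Timeout):
        return set()
    return {b"".join(rdata.strings).decode() for rdata in answer}

# Constructed scenario mirroring the thread's log: the DirectAdmin primary has the
# record, the OVH secondary still serves the zone copy from before the update.
FQDN = "_acme-challenge.domain.com."
EXPECTED = "92QPvZ0rtEpMUcalTGyS6IRrhBWSnkC-0kGRbD0uvQY"
FAKE_ZONES = {"ns1.da-host.example": {FQDN: {EXPECTED}},  # constructed primary
              "sdns2.ovh.net": {FQDN: set()}}              # stale secondary

def fake_lookup(ns: str, fqdn: str) -> Set[str]:
    return FAKE_ZONES.get(ns, {}).get(fqdn, set())
```

With real nameservers, pass `dns_lookup` and the NS IP addresses instead of `fake_lookup`; whichever hostname comes back from `lagging_nameservers` is the one that did not pull the updated zone in time.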
 
What should be in that allow-transfer except sdns2.ovh.net?

Is it better to create my own NS? Do you have some tutorial on how to do that in DA?
 
What should be in that allow-transfer except sdns2.ovh.net?
I would think you only use the allow-transfer lines if you have a real slave DNS, which sdns2.ovh.net is not. So I would remove the line.

Is it better to create my own NS? Do you have some tutorial on how to do that in DA?
Better.... I don't know, but it makes life a lot easier.

There are some tutorials on DA but I found this one faster and it's with Evo skin and screenshots so....

Be aware that after creation you have to set the nameservers at your domain registrar to your nameservers too. Also for all domains present on the server.
It can take 4-24 hours for nameservers to propagate.

However, once done and running, you can do whatever you want on the DA server and there is no need to have external NS anymore or copy records.
 
Okay... I did it and now it's working... thanks! Weird... the weirdest thing is that with Let's Encrypt script 1.x it was always working with sdns2.ovh.net ;P
 
I have no clue; we don't use OVH, and LE changed security checks several times, maybe it has to do with that.
Glad to see it's working now.

You will see having your own nameservers makes life easier. ;)
 