Letsencrypt ACME record not showing up

jordivn (Verified User; joined Nov 4, 2016; 60 messages)
Hi All,

My problem started with errors of Letsencrypt about problems by renewing certs.
I switched the dns servers in letsencrypt.sh to local (127.0.0.1 and ::1), and changed the timeout to 1000. Also set the TTL to 600 for the whole domain.
When I dig the TXT records of the domain only 2 show up (google and spf). DMARC and ACME won't.
dig the record itself:
Code:
dig -6 _acme-challenge.steedshogermalden.nl
gives 0 answers.

I checked named log
Code:
queries: info: client @0x7effb0041300 ::1#57807 (_acme-challenge.steedshogermalden.nl): query: _acme-challenge.steedshogermalden.nl IN TXT +E(0) (::1)
Here I see it's getting a query.

In the dns table the record is created by the script
_acme-challenge    600    TXT    "2vj66g*****FRXk5w_78CVSAiZyc_hB*****sFESbg"
(* masked for privacy)

my named.conf
Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer {MY_SEC_DNS; MY_THIRD_DNS;};
        allow-recursion { localhost; };
        recursion yes;
        forwarders {8.8.8.8; 8.8.4.4;};
        //      forward only;
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */

        //edns yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_log {
                file "/var/log/named/named.log";
                severity dynamic;
                print-time yes;
                print-category yes;
                print-severity yes;
        };
        category default { default_log; };
        category general { default_log; };
        category database { default_log; };
        category security { default_log; };
        category config { default_log; };
        category resolver { default_log; };
        category xfer-in { default_log; };
        category xfer-out { default_log; };
        category notify { default_log; };
        category client { default_log; };
        category unmatched { default_log; };
        category queries { default_log; };
        category network { default_log; };
        category update { default_log; };
        category dispatch { default_log; };
        category dnssec { default_log; };
        category lame-servers { default_log; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

DNS ZONES FOLLOWED

I also tried the above with csf/firewalld stopped.

Anyone any ideas? My guess is that the problem is within bind/named, because there is no answer to the ACME query.
 
First of all, thank you for your reply.

Caching DNS does ring a bell, but I didn't change that in the last months.
I did try "rndc flush" while a request was running... still get the same results.
 
When I dig the TXT records of the domain only 2 show up (google and spf). DMARC and ACME won't.
That's normal. However, it will turn out OK if you check with a DMARC analyzer, for example.

Are you using IPv6? If yes, the timeout might need to be 15 minutes (so 900 seconds).
Check what it says about IPv6 here:

For IPv6 scroll a bit down, but it's also wise to check the complete troubleshooter.
 
Thanks for your replies.

As far as I know, bind is running as a caching server, based on the local query response time and the amount of memory used by named (300 MB after a few hours). Are there other ways to check?

I checked the complete troubleshooter. Most of it is looking at the HTTP check. When I request a single domain (not wildcard) it works.
I did try the
Code:
wget -6 https://www.google.com
That responded with only IPv6 addresses... so my guess is that IPv6 should be fine.
 
Okay, tried again with
Code:
dig -t TXT _acme-challenge.steedshogermalden.nl

That gives an answer. So named looks to work fine. Also worked on the Google DNS.
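The difference between the two dig commands in this thread is the query type: without -t, dig asks for A records, and an A query for _acme-challenge can never carry the TXT data, so "0 answers" says nothing about the zone. The following is an added example, not code from the thread or from letsencrypt.sh: a stdlib-only Python check that sends a real TXT query for the challenge name to a resolver (assumed to be 127.0.0.1:53, the local server the poster configured) and looks for the expected token in the answer; build_txt_response constructs the kind of reply a correctly loaded zone returns, and the token value is constructed.

```python
import socket
import struct
QTYPES = {"A": 1, "TXT": 16}

def build_query(name, qtype="A", txid=0x1234):
    # qtype defaults to A, exactly as dig does without -t: that query can never carry TXT data
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPES[qtype], 1)

def _skip_name(msg, off):
    while msg[off] & 0xC0 != 0xC0:           # walk labels until a 2-byte compression pointer
        if msg[off] == 0:                    # ...or the root label ends the name
            return off + 1
        off += 1 + msg[off]
    return off + 2

def parse_txt_answers(msg):
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                                # skip QTYPE, QCLASS
    txts = []                                # only TXT answers are collected; other types are skipped
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPES["TXT"]:
            parts, i = [], 0
            while i < rdlen:                                          # TXT rdata: <len><chars>...
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
                i += 1 + rdata[i]
            txts.append("".join(parts))
    return flags & 0x000F, txts              # (rcode, list of TXT strings)

def build_txt_response(query, txts, ttl=600):
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, len(txts), 0, 0)  # QR, RD, RA, rcode 0
    answers = b""                            # constructed reply: what a correctly loaded zone returns
    for t in txts:
        rdata = bytes([len(t)]) + t.encode()
        answers += b"\xC0\x0C" + struct.pack(">HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answers

def acme_token_published(name, token, server="127.0.0.1", timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, "TXT"), (server, 53))         # same query as dig -t TXT
        data, _ = sock.recvfrom(4096)
    rcode, txts = parse_txt_answers(data)
    return rcode == 0 and token in txts
```

Running acme_token_published("_acme-challenge.steedshogermalden.nl", "<token from the dns table>") against 127.0.0.1 and against each public nameserver of the zone shows where the record is missing before the CA is asked to validate.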
 
Is your dns hosted on the same server as the domain?
 