Netgate Discussion Forum

DNS / namesilo validation method not working

ACME
3 Posts 2 Posters 1.2k Views

    regexaurus
    last edited by regexaurus Dec 26, 2018, 1:23 AM Dec 26, 2018, 1:18 AM

    I'm trying to acquire a Let's Encrypt (ACME v2) certificate, using DNS-Namesilo validation, but it's failing. I only ever see the (locally-generated) private key for the host/certificate in question. I sometimes see a message like this (anonymized) screenshot after clicking the Issue/Renew button:

    (screenshot not included)

    You can also see my anonymized acme_issuecert.log. Oh and I temporarily see the _acme-challenge.www.example.com TXT record in the Namesilo control panel, while the Issue/Request process is running. The record no longer appears after the process completes/fails. Almost as if the process is timing out too quickly--not giving LE/ACME enough time to find/validate the TXT record...?

    Any ideas?

      Gertjan @regexaurus
      last edited by Gertjan Dec 26, 2018, 8:36 AM Dec 26, 2018, 8:26 AM

      Hi,

      First of all: did you see what Google said about the subject?

      Your image is out of time sync: after 12:48:43 it goes back in time to 12:48:36...?

      @regexaurus said in DNS / namesilo validation method not working:

      I temporarily see the _acme-challenge.www.example.com TXT record in the Namesilo control panel, while the Issue/Request process is running. The record no longer appears after the process completes/fails.

      This means the DNS method 'namesilo' is working: TXT records are added and removed.
      I saw you use the 120 seconds delay: a typical delay so the master zone can signal the modification to its DNS slaves. These have to react upon modification of the zone example.com; they have to sync with the master whenever they feel up to it.

      But... => "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.example.com"
      This means that the name server questioned couldn't find the sub domain _acme-challenge @ www.example.com -> this could be a slave DNS name server that hasn't synced yet.

      @regexaurus said in DNS / namesilo validation method not working:

      Almost as if the process is timing out too quickly--not giving LE/ACME enough time to find/validate the TXT record...?

      Try making the DNS-Sleep delay bigger (more than 120 seconds).

      You can test the propagation:

      dig example.com NS

      and you will have all name servers.

      Now, spam for each name server (the server to ask is given with a leading @):

      dig @ns1.example.com _acme-challenge.example.com TXT

      and

      dig @ns1.example.com _acme-challenge.www.example.com TXT

      (ns1 is just an example name server for the example.com domain)

      If all goes well, the TXT record should show up in the _acme-challenge(.sub).domain.

      Btw:
      _main_domain='www.example.com'
      _alt_domains='no'

      Why not:
      _main_domain='example.com'
      _alt_domains='www.example.com'
      ?

      edit: you are using acme pfSense package version 0.3.2_4, right?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs??

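The propagation check Gertjan describes, scripted as an added example (not code from the thread or from the pfSense ACME package): it lists the zone's authoritative name servers, asks each one for the _acme-challenge TXT record, and reports which servers still lack the expected value, so the DNS-Sleep delay can be set from evidence rather than guessed. It assumes `dig` is installed; the domain names and token value are placeholders.

```shell
#!/bin/sh
# Added example: verify that the ACME DNS-01 TXT record has reached every
# authoritative name server before Let's Encrypt is asked to validate it.
# Requires dig (bind-tools / dnsutils). Zone, host and token are placeholders.

# Authoritative name servers of a zone, one per line, trailing dot removed.
zone_nameservers() {
    dig +short "$1" NS | sed 's/\.$//' | sort
}

# Return 0 if name server $1 answers the TXT query for $2 with value $3.
ns_has_txt() {
    ns="$1"; name="$2"; want="$3"
    # dig +short prints TXT values in double quotes; strip them before comparing.
    dig +short "@$ns" "$name" TXT 2>/dev/null | tr -d '"' | grep -qxF "$want"
}

# Ask every NS of $1 for _acme-challenge.$2 and expect value $3.
# Prints one line per server; the return code is the number of servers
# that still do not serve the record (0 means fully propagated).
check_propagation() {
    zone="$1"; fqdn="$2"; want="$3"
    missing=0
    for ns in $(zone_nameservers "$zone"); do
        if ns_has_txt "$ns" "_acme-challenge.$fqdn" "$want"; then
            echo "OK       $ns"
        else
            echo "MISSING  $ns"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: poll until all servers answer, or give up after N attempts (default 12).
#   sh check_acme_txt.sh example.com www.example.com 'challenge-token' 12
if [ "$#" -ge 3 ]; then
    attempts="${4:-12}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        check_propagation "$1" "$2" "$3" && { echo "all name servers answer"; exit 0; }
        i=$((i + 1)); sleep 10
    done
    exit 1
fi
```

Run it while the ACME package is in its DNS-Sleep window; a server still reporting MISSING when the sleep ends is the one that will produce the NXDOMAIN seen in the log.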
        regexaurus @Gertjan
        last edited by regexaurus Dec 26, 2018, 3:42 PM Dec 26, 2018, 3:41 PM

        @gertjan said in DNS / namesilo validation method not working:

        First of all: did you see what Google said about the subject?

        Yes, I saw that after starting this topic. I noticed the unbalanced parens errors in my case too, but that didn't seem to be the main trouble, or prevent the request process from running.

        @gertjan said in DNS / namesilo validation method not working:

        Your image is out of time sync: after 12:48:43 it goes back in time to 12:48:36...?

        Good catch. The pfSense install in question is a Hyper-V VM. I've experienced clock issues with virtual machines in the past but never on Hyper-V to my recollection. Not sure if that's the case here. Some services really don't like when time goes backward. 😮

        @gertjan said in DNS / namesilo validation method not working:

        I saw you use the 120 seconds delay: a typical delay so the master zone can signal the modification to its DNS slaves.

        It's the default delay in the ACME package. After your reply, I tried 300 seconds, then 960 seconds. After changing to 960 seconds, I attempted twice to acquire a certificate. The second attempt succeeded. The process didn't take anywhere near 16 minutes, or even 5 for that matter. So the validation delay setting didn't work as expected. Maybe it's a clock/timing problem. If the VM frequently adjusts its time backward to compensate for drift, that might very well precipitate trouble for timing/delays...

        @gertjan said in DNS / namesilo validation method not working:

        edit: you are using acme pfSense package version 0.3.2_4, right?

        Yup

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.