AutoSSL DNS DCV errorr with LetsEncrypt
I'm receiving many warnings for several domains like this:
“Let’s Encrypt™” DNS DCV error (*.domain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up TXT for _acme-challenge.domain.com)
“Let’s Encrypt™” DNS DCV error (domain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up TXT for _acme-challenge.domain.com)
when doing a checking from an outer server it shows how it works:
dig _acme-challenge.domain.com TXT
;; ANSWER SECTION:
_acme-challenge.domain.com. 14400 IN TXT "20-3Thdasdasdasdewq5nySgTK9JIbI...."
also, I check: /usr/local/cpanel/bin/autossl_check --user=userdomain , and then
I see the DNS requests from LetsEncrypt with: tcpdump -i any -n port 53 | grep acme
and here I can check how the requests are entering. And also when I check the iptables logs: there is no blocked access. Therefore there is no any obstacle in the server.
And please, check here this apparent strange behavour from LetsEncrypt:
Local DNS DCV OK: *.domain.com (via domain.com)
Analyzing “domain.com”’s DCV results …
Trying 1 wildcard domain (*.domain.com) to maximize coverage …
“Let’s Encrypt™” HTTP DCV error (domain.com): Timeout after 30 seconds!
“Let’s Encrypt™” DNS DCV error (*.domain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up TXT for _acme-challenge.domain.com)
“Let’s Encrypt™” DNS DCV error (domain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up TXT for _acme-challenge.domain.com)
Retrying DCV without the failed wildcard domain …
Analyzing “domain.com”’s DCV results …
Trying 1 wildcard domain (*.domain.com) to maximize coverage …
“Let’s Encrypt™” HTTP DCV error (domain.com): Timeout after 30 seconds!
“Let’s Encrypt™” DNS DCV error (*.domain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up TXT for _acme-challenge.domain.com)
“Let’s Encrypt™” DNS DCV error (domain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up TXT for _acme-challenge.domain.com)
Retrying DCV without the failed wildcard domain …
Let’s Encrypt DCV for “cpcontacts.domain.com” is valid until 27/1/26, 15:27 UTC.
“Let’s Encrypt™” DCV OK: cpcontacts.domain.com
Let’s Encrypt DCV for “webdisk.domain.com” is valid until 27/1/26, 15:27 UTC.
“Let’s Encrypt™” DCV OK: webdisk.domain.com
Let’s Encrypt DCV for “mail.domain.com” is valid until 27/1/26, 15:27 UTC.
“Let’s Encrypt™” DCV OK: mail.domain.com
Let’s Encrypt DCV for “www.domain.com” is valid until 27/1/26, 15:27 UTC.
“Let’s Encrypt™” DCV OK: www.domain.com
first it shows that there are problems to reach the main domain with timeout, although later it checks the validity of the subdomains without any apparent problems.
It doesn't seem to have logics. What happens?.
I'm really worried becuase several domains will expire in the coming days. All these domains in the same server have the same exact DNS zone configurations like many others which are renewed without problems
Please, give me some help or ideas to solve this issue. What's the cause of these errors to renew the certificates?
What can I do to check what really happens beyond all the previous things?
And a second related problem : Recently the CPanel certificate for the hostname and cpanel services was expired. And after that the LE certificate was not created. And I was not able to find into the WHM some way to create a LetsEncrypt certificate. How this can be made?
Now I'm with a provisonal ZeroSSL certificate for the hostname. Please, explain how I can create again a LE certificate wuith WHM or terminal for the hostname.
Please, some help for these questions because the many certificates will expire very soon and the AutoSSL doesn't work.
thank you
-
mistery solved.
If this could be of some help for similar problems, the cause was when LetsEncrypt is using the AWS network for their requests.It was not the fault of AutoSSL, it works well. As everybody knows the AWS network is massively used for malicious scanning and spam. Some of the LE ip's were blocked inside block lists because a past malicious activity of related ASN and CDIR with a significant percent of ip's.
This was the cause for the random behavior with the renewals, depending from the IP origin. Some of LE ip's belonged to ISGR, while others to AWS. In a first time I reviewed only two ip's from ISGR, and from there the mess until I have realized the other AWS ips.
An analysis of their DNS petitions by launching a renewal:
/usr/local/cpanel/bin/autossl_check --user=username
and then monitoring with:
tcpdump -i any -n port 53 | grep acme
it can show the renewal traffic, and it can help to extract and discard the possible ips blocked
Also, it is needed allowing one exception into the mod_security rules:
SecRule REQUEST_URI "@rx ^/\.well-known/acme-challenge(/.*)?$" "phase:1,id:199990,nolog,allow"
although note this is a risky situation because the possibilities of exploitation of that folder:
https://www.zscaler.com/blogs/security-research/abuse-hidden-well-known-directory-https-sites
therefore it can request of more measures to limit the creation of files into that folder, and some monitoring.
Also one should be aware about LE don't facilitate their IP ranges neither detailed information of errors. The ISGR ips ranges can be whitelisted, although no the AWS because this is very risky.
The "Lets Debug" online tool is mostly an useless thing. And careful is needed with consecutive attempts of a domain renewal in order to understand the failures. Because it can cause a blockage of the domain renewal. In their public board there are advices to shutdown the firewalls to try the success in the renewals. Don't do it, it is a very bad idea. .
Hope it helps, and good luck in case of errors in the renewal process.
0 -
Thanks for sharing that solution!
0
Please sign in to leave a comment.
Comments
2 comments