letsencrypt / boulder

An ACME-based certificate authority, written in Go.
Mozilla Public License 2.0

My complicated DNS setup no longer lets me successfully use DNS auth #3305

Closed hfinucane closed 6 years ago

hfinucane commented 6 years ago

I am trying to generate a cert with a headline domain of 2x2devtest45.ilabs.io and a SAN of gslb454647.ilabs.io with a dns-01 challenge auth.

gslb454647.ilabs.io is a CNAME to gslb454647.gslb.ilabs.io, and gslb.ilabs.io has its own, separate nameservers.

This complicated setup worked in October, but now I'm getting this back-

```json
{
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "DNS problem: query timed out looking up CAA for gslb454647.ilabs.io",
    "status": 400
  },
```

I can verify that the acme challenge TXT record exists on the ilabs.io nameservers, so I'm concerned that it's checking the gslb.ilabs.io nameserver instead, but I don't know. I'm also not totally sure if this should work.

jsha commented 6 years ago

This looks more likely to be a configuration error with your DNS than a bug in Boulder. Could you post it on https://community.letsencrypt.org/ instead? There's a larger community of people monitoring threads there who can help you diagnose the issue. Thanks!