wait in case of NXDOMAIN with the DNS challenge #240

Closed
opened 2025-12-29 01:19:36 +01:00 by adam · 2 comments
Originally created by @mapreri on GitHub (Jul 22, 2017).

Originally reported at https://bugs.debian.org/869255

DSA [Debian System Administrators] are using dehydrated and the DNS mode of it, via a cron job run under chronic. Occasionally we get mails containing failures like the one below. I suspect this is because the DNS update for the challenge hasn't synced to Debian's DNS providers by the time the LE servers do the request. It would be nice if the NXDOMAIN could trigger a retry after a certain amount of time, maybe 5 minutes. This would avoid us getting non-actionable mails for slight delays in DNS synchronisation.

```
Processing dsa.debian.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Aug 21 00:16:00 2017 GMT Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating signing request...
 + Requesting challenge for dsa.debian.org...
 + Responding to challenge for dsa.debian.org...
writing RSA key
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.dsa.debian.org",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/...",
  "token": "...",
  "keyAuthorization": "..."
})
```
adam closed this issue 2025-12-29 01:19:36 +01:00
@txr13 commented on GitHub (Jul 22, 2017):

Under ACME spec, once a challenge is marked invalid, it can't be retried. A new challenge must be issued instead.

It doesn't help in and of itself to catch an invalid challenge and retry again later. The next challenge (since it must propagate a new value into DNS) is also at risk of suffering a slight delay and therefore being marked invalid.

The correct way of handling this is to modify the hook script with a function that checks all authoritative nameservers for the presence of the challenge value. (LE picks a random NS from the set of authoritative servers for the domain.) Only when all authoritative nameservers have the correct challenge value, should the hook return to dehydrated for further processing.

An example of such a function can be found in the hook script at https://github.com/bennettp123/dehydrated-email-notify-hook

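The check described in the comment above, written out as an added example (this is neither dehydrated's own hook code nor the hook linked above): a shell hook fragment for dehydrated's dns-01 mode that, after the TXT record has been published, resolves the authoritative nameservers of the enclosing zone, polls every one of them with `dig` until each returns the expected value, and only then returns control to dehydrated. The `publish_txt` placeholder, the `PROPAGATION_TIMEOUT`/`PROPAGATION_INTERVAL` variable names and the five-minute default are assumptions made for this example; `dig` (bind9-dnsutils) is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example hook fragment for dehydrated's dns-01 mode (not dehydrated's own code).
# Assumptions: `dig` is installed; publish_txt() is a placeholder for the site's real
# DNS update; PROPAGATION_TIMEOUT/PROPAGATION_INTERVAL are names chosen for this example.

PROPAGATION_TIMEOUT="${PROPAGATION_TIMEOUT:-300}"   # total seconds to wait (assumed default: 5 min)
PROPAGATION_INTERVAL="${PROPAGATION_INTERVAL:-10}"  # seconds between polls (assumed default)

# authoritative_ns NAME: print the NS hostnames of the closest enclosing zone of NAME,
# walking up one label at a time until a name with an NS RRset is found.
authoritative_ns() {
    local name="$1" ns
    while [ -n "$name" ]; do
        ns="$(dig +short NS "$name" 2>/dev/null | sed 's/\.$//' | sort -u)"
        if [ -n "$ns" ]; then
            printf '%s\n' "$ns"
            return 0
        fi
        case "$name" in
            *.*) name="${name#*.}" ;;   # drop the leftmost label and try the parent
            *)   break ;;
        esac
    done
    return 1
}

# txt_present NAME VALUE SERVER: succeed only if SERVER itself answers the TXT query
# for NAME with a record equal to VALUE (dig prints TXT strings in double quotes).
txt_present() {
    dig +short @"$3" TXT "$1" 2>/dev/null | grep -Fqx "\"$2\""
}

# wait_for_txt NAME VALUE: poll every authoritative server until all of them return
# VALUE, or PROPAGATION_TIMEOUT seconds have passed. All servers are checked because
# the CA may direct its query at any one of them.
wait_for_txt() {
    local name="$1" value="$2" servers waited=0 missing s
    servers="$(authoritative_ns "$name")" || { echo "no NS found for $name" >&2; return 1; }
    while :; do
        missing=""
        for s in $servers; do
            txt_present "$name" "$value" "$s" || missing="$missing $s"
        done
        [ -z "$missing" ] && return 0
        if [ "$waited" -ge "$PROPAGATION_TIMEOUT" ]; then
            echo "timeout after ${waited}s: $name still missing on:$missing" >&2
            return 1
        fi
        sleep "$PROPAGATION_INTERVAL"
        waited=$((waited + PROPAGATION_INTERVAL))
    done
}

# publish_txt NAME VALUE: placeholder for the real update (nsupdate, provider API, ...).
publish_txt() {
    echo "publish_txt: would add TXT $1 = \"$2\" (replace with the real DNS update)" >&2
}

# dehydrated invokes the hook as: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    local domain="$1" token_value="$3" name
    name="_acme-challenge.$domain"
    publish_txt "$name" "$token_value"
    # Return to dehydrated only once every authoritative server serves the record;
    # failing here is better than letting the CA validate a record it cannot yet see.
    wait_for_txt "$name" "$token_value"
}

if [ "$#" -gt 0 ]; then
    HANDLER="$1"; shift
    case "$HANDLER" in
        deploy_challenge) deploy_challenge "$@" ;;
        *) : ;;   # other stages (clean_challenge, deploy_cert, ...) are not handled here
    esac
fi
```

Two practical caveats: if `_acme-challenge.<domain>` is a CNAME into another zone, poll the CNAME target instead, since an authoritative server will not follow a cross-zone CNAME for you; and if secondaries are fed by zone transfer, the wait is bounded by the primary's NOTIFY/refresh timing, so the timeout should be set with that in mind rather than at an arbitrary value.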
@mapreri commented on GitHub (Jul 23, 2017):

Thank you for your explanation, that means they will have to fix/improve their hook script instead.

Reference: starred/dehydrated#240