0

I'm trying to debug my DNS setup for the letsencrypt challenge.

I understand that BIND9 may not be receiving the requests, although it was earlier in the day. The .jnl does not get created, unfortunately.

What I'd like to know is how can I send a request from a remote computer to eventually see what fails on the other end. What does letsencrypt do to send us a TXT field update? What command line command(s) can I run?

That would be an equivalent to the nsupdate command, but from a remote computer.

Alexis Wilke

2 Answers

3

Use Let's Encrypt staging environment with your ACME client of choice.

Test with staging first, to not get rate limited from production.

Note that it is not Let's Encrypt sending you DNS update requests, but the API tells you what they should be set to. Various clients have hooks to automate DNS. Read your favorite hooks and the nsupdate man page to get an idea of how they delete and add the TXT records, and if the DNS server is configurable.

John Mahowald
  • I'm definitely not anywhere near the limits. It gets stuck just before the "wait 60 sec. before checking TXT field"... as if it were trying to send the UDP packets, but it looks like I never receive them. I can connect to the HTTPS servers: `wget -S https://acme-v02.api.letsencrypt.org/directory` works (the test too). – Alexis Wilke Feb 22 '22 at 05:55
  • Let's Encrypt staging is useful for reasons other than the quotas. Separate rooted chain so certs issued with it are not nearly as valuable. Features are enabled in staging first. – John Mahowald Feb 22 '22 at 13:02
  • I now posted a question on the [letsencrypt forum](https://community.letsencrypt.org/t/certbot-gets-stuck-before-saying-waiting-60-seconds-for-dns-changes-to-propagate/172497/3). It feels like something is blocking the UDP packets from their end to my server. I don't see any other technical reasons to prevent the flow at the moment... I'll give the latest version a try, though. – Alexis Wilke Feb 22 '22 at 18:12
1

> That would be an equivalent to the nsupdate command, but from a remote computer.

`nsupdate` works from a remote computer.

Simply run `nsupdate -k keyfile` and issue the command `server example.com` when nsupdate has started to tell it which server to send updates to.

vidarlo
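As an added example (not from either answer), this is the remote `nsupdate` session an ACME DNS-01 hook effectively runs, with the server, zone, key file and token replaced by placeholders; `-d` makes nsupdate print the request it sends and the reply it gets, which is the view from the remote side that the question asks for.

```shell
#!/bin/sh
# Added example: build the command script an ACME DNS-01 hook feeds to nsupdate
# and send it to a remote BIND server with a TSIG key. All names, the key file
# and the token are placeholders, not values from the question.

# Print the nsupdate command script for one challenge record.
# $1 = authoritative server, $2 = zone, $3 = _acme-challenge.<host>, $4 = token
acme_nsupdate_script() {
    printf 'server %s 53\n' "$1"
    printf 'zone %s.\n' "$2"
    # Hooks delete the old record before adding the new one (the page's "delete and add").
    printf 'update delete %s. TXT\n' "$3"
    printf 'update add %s. 60 TXT "%s"\n' "$3" "$4"
    printf 'send\n'
}

# Send the update from any host that can reach the server.
# -d prints the outgoing request and the server's answer, so a silent failure
# (dropped packets, BADKEY, REFUSED) shows up here and not only in named's log.
# Add -v to force TCP: if TCP succeeds where UDP hangs, a UDP filter is the cause.
send_acme_update() {
    keyfile=$1; shift
    acme_nsupdate_script "$@" | nsupdate -d -k "$keyfile"
}

# Confirm the record on the authoritative server itself, not via a resolver.
check_acme_record() {
    dig +short @"$1" TXT "$2"
}

# On the BIND side, limit what the key may change to the challenge TXT record:
#   update-policy { grant acme-key name _acme-challenge.example.com. TXT; };
#
# Usage (placeholders):
#   send_acme_update /etc/bind/acme.key ns1.example.com example.com \
#       _acme-challenge.example.com test-token-value
#   check_acme_record ns1.example.com _acme-challenge.example.com
```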