[Letsencrypt-devel] Bug#869255: DNS: wait a bit longer when NXDOMAIN returned in response to challenges

Paul Wise pabs at debian.org
Sat Jul 22 04:09:38 UTC 2017

Source: dehydrated
Version: 0.3.1-3
Severity: wishlist
X-Debbugs-Cc: debian-admin at lists.debian.org
User: debian-admin at lists.debian.org
Usertags: needed-by-DSA-Team

DSA are using dehydrated and the DNS mode of it, via a cron job run
under chronic. Occasionally we get mails containing failures like the
one below. I suspect this is because the DNS update for the challenge
hasn't synced to Debian's DNS providers by the time the LE servers do
the request. It would be nice if the NXDOMAIN could trigger a retry
after a certain amount of time, maybe 5 minutes. This would avoid us
getting non-actionable mails for slight delays in DNS synchronisation.

Processing dsa.debian.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Aug 21 00:16:00 2017 GMwriting RSA key
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.dsa.debian.org",
    "status": 400
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/...",
  "token": "...",
  "keyAuthorization": "..."
T Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating signing request...
 + Requesting challenge for dsa.debian.org...
 + Responding to challenge for dsa.debian.org...

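One defender-side mitigation for the failure shown in the report is to have the DNS hook itself wait for propagation: after the site-specific update, poll every authoritative nameserver of the zone until the `_acme-challenge` TXT record is visible on all of them, and only then return to dehydrated so the CA is not sent to a lagging server. The following is an added example, not code from the bug report, DSA or the dehydrated project; it assumes `dig` is installed, uses the `deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE` argument order dehydrated passes to hooks, and the helper names (`find_zone`, `txt_present`, `wait_for_txt`) are hypothetical. The DNS update step is omitted because it depends on the provider.

```shell
#!/bin/sh
# Added example (not from the bug report, DSA or the dehydrated project):
# a dehydrated-style DNS hook that, after the site-specific DNS update,
# polls every authoritative nameserver of the zone until the
# _acme-challenge TXT record is served everywhere, so the CA is not
# pointed at a server that has not received the update yet.
# Assumes `dig` is installed; function names are hypothetical.

# Query helpers, kept separate so they can be swapped for stubs when
# exercising the logic without network access.
ns_lookup() {            # $1 = zone name -> authoritative NS hostnames, one per line
    dig +short +time=3 +tries=1 NS "$1"
}
txt_lookup() {           # $1 = nameserver, $2 = record name -> quoted TXT strings
    dig +short +time=3 +tries=1 "@$1" TXT "$2"
}

# find_zone NAME: strip leading labels until a name with NS records is found.
# Prints the zone apex (e.g. debian.org for _acme-challenge.dsa.debian.org).
find_zone() {
    name=$1
    while [ -n "$name" ]; do
        if [ -n "$(ns_lookup "$name")" ]; then
            printf '%s\n' "$name"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;
            *)   name= ;;
        esac
    done
    return 1
}

# txt_present NS NAME VALUE: succeeds when NS serves a TXT record at NAME
# whose content is exactly VALUE (dig prints the string in double quotes).
txt_present() {
    txt_lookup "$1" "$2" | tr -d '"' | grep -Fqx "$3"
}

# wait_for_txt NAME VALUE [TIMEOUT_SECONDS] [POLL_INTERVAL]
# Returns 0 once every authoritative server of the zone serves the record,
# 1 if the zone cannot be determined or the timeout (default 5 minutes,
# the delay suggested in the report) passes with at least one server lagging.
wait_for_txt() {
    name=$1; value=$2; timeout=${3:-300}; interval=${4:-15}
    zone=$(find_zone "$name") || { echo "no zone with NS records found for $name" >&2; return 1; }
    servers=$(ns_lookup "$zone")
    deadline=$(( $(date +%s) + timeout ))
    while :; do
        missing=0
        for ns in $servers; do
            txt_present "$ns" "$name" "$value" || missing=$((missing + 1))
        done
        if [ "$missing" -eq 0 ]; then
            return 0
        fi
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timeout: $missing of the $zone nameservers still lack TXT $name" >&2
            return 1
        fi
        sleep "$interval"
    done
}

# Hook entry point in the shape dehydrated uses:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    domain=$1; token_value=$3
    # The site-specific step that publishes TOKEN_VALUE as
    # _acme-challenge.DOMAIN TXT goes here (omitted: it depends on the DNS provider).
    wait_for_txt "_acme-challenge.$domain" "$token_value" 300 15
}

case ${1:-} in
    deploy_challenge) shift; deploy_challenge "$@" ;;
esac
```

Polling the authoritative servers directly (rather than the local recursive resolver) matters because a cached negative answer at a recursive resolver would make the record look absent long after it has propagated; a non-zero exit from the hook also turns the failure into an actionable message ("server X still lags") instead of the opaque NXDOMAIN from the CA.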
