Registration server setup

That’s the relevant part. It means that Let’s Encrypt is unable to retrieve the expected challenge from your registration server.

Things to check:

  1. The NS records for your domain need to be pointed at your server, as it will serve DNS for the entire *.synk.xyz domain. This will need to be configured with your domain host.
  2. Ensure that you have the following ports open (to the world) on your server:
    • TCP ports 53, 80, 443, and 8443
    • UDP port 80

I am able to create a certificate on the host using

letsencrypt certonly --standalone -d gatewayraj.synk.xyz

but still facing this error. I am using Azure for the Ubuntu VM.

What should be the option to resolve this issue?
Is the gateway using letsencrypt or the registration server after the /dnsconfig request?

Please give your valuable input.

I forgot to comment on this part. You’ll need to build and install geoipupdate from here: https://dev.maxmind.com/geoip/geoipupdate/

After doing so, add it to your crontab as that page describes. That will update the geoip database for you. I updated the docker repo’s README as well.

The Let’s Encrypt flow is a bit complicated because of the tunnel and DNS configuration. Check out this document for a better explanation.

  • I can see that your host (api.synk.xyz) does not have port 80 open. You’ll need to do that.
  • Your NS records are configured wrong. Check out the difference below:
$ dig +short NS mozilla-iot.org
ns2.mozilla-iot.org.
ns1.mozilla-iot.org.

$ dig +short NS synk.xyz
ns1-08.azure-dns.com.
ns3-08.azure-dns.org.
ns2-08.azure-dns.net.
ns4-08.azure-dns.info.

Thank you, I will check that.

Actually api.synk.xyz works on port 8443 as per the setup.

In the registration server, I am getting the log below:

INFO:<unknown>: GET /subscribe {"email": "rajan.shah2000@gmail.com", "name": "jaja"}
INFO:<unknown>: subscribe(): Trying to subscribe: jaja.synk.xyz.
INFO:<unknown>: iire
INFO:<unknown>: unwrap
INFO:<unknown>: GET /dnsconfig {"challenge": "W3TcHcelgvlNAzCxy14z8lpzbrlnXJKiaJju4qbheVI", "token": "209af3cd-357d-4e57-902f-1e6d347b32ab"}
ts=5d38833d; t=2019-07-24T16:11:41; ll=1a0; accept=~62.52:55864; id=s0
ts=5d38833d; t=2019-07-24T16:11:41; ll=1a1; debug=No back-end; on_port=4443; proto=http; domain=ping.pagekite; is=FE; id=s3b/~62.52:55864
ts=5d38833d; t=2019-07-24T16:11:41; ll=1a2; wrote=409; wbps=0; read=0; eof=1; id=s3b/~62.52:55864
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a3; accept=~62.52:55866; id=s0
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a4; debug=No back-end; on_port=4443; proto=http; domain=ping.pagekite; is=FE; id=s3c/~62.52:55866
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a5; wrote=409; wbps=0; read=0; eof=1; id=s3c/~62.52:55866
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a6; accept=~62.52:55868; id=s0
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a7; debug=No tunnels configured, idling...; id=s3d/~62.52:55868
ts=5d38833f; t=2019-07-24T16:11:43; ll=1a8; err=Quota lookup failed: [Errno -2] Name or service not known
ts=5d38833f; t=2019-07-24T16:11:43; ll=1a9; BE=Live; proto=https; domain=jaja.synk.xyz; add_kites=True; version=1.0.0.190225; id=s3d/~62.52:55868
ts=5d38834c; t=2019-07-24T16:11:56; ll=1aa; debug=Not sure which servers to contact, making no changes.
ts=5d388370; t=2019-07-24T16:12:32; ll=1ab; debug=Not sure which servers to contact, making no changes.
ts=5d388394; t=2019-07-24T16:13:08; ll=1ac; debug=Not sure which servers to contact, making no changes.
ts=5d388394; t=2019-07-24T16:13:08; ll=1ad; debug=Ping; host=x.x.x.x:x; id=s23/~62.52:55772

That’s great! It looks like your tunnel may be working now.

Hi,

Thanks for your help.

I am using an Azure instance as my host, so my NS name does not contain synk.xyz, but actually it is able to resolve the host synk.xyz.

But still getting the same error on the gateway side.

acme-v2 error as mentioned before.

I don’t believe the Let’s Encrypt stage will work properly without the NS records set up. With Azure set as the nameserver, LE will not get the required TXT record, so certificate generation will never succeed.

Azure should still let you set your own NS records. You’ll need them to be “ns1.synk.xyz” and “ns2.synk.xyz”.

Maybe this will help: https://azure4you.com/2017/07/05/azure-dns-records-and-limitations/
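Added example (not from this thread or the registration server project): a small Python check that parses `dig +short NS` output and reports any nameserver outside the set the registration server is authoritative for. The three sample outputs are constructed to match the dig results posted in this thread (Azure-only, Azure plus ns1/ns2.synk.xyz, and the target state with only ns1/ns2.synk.xyz); the expected set comes from the post above.

```python
from __future__ import annotations

# Added example: check a domain's NS delegation against the nameservers the
# registration server is authoritative for. Not code from the thread or project.


def parse_dig_short_ns(output: str) -> set[str]:
    """Parse `dig +short NS <domain>` output into lowercase names without
    the trailing dot. Shell prompts and comment lines are skipped."""
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "$", "root@")):
            continue
        names.add(line.rstrip(".").lower())
    return names


def check_delegation(domain: str, dig_output: str, expected: set[str]) -> dict:
    """Report nameservers missing from, or foreign to, the expected set.

    Every NS in the delegation has to be one of ours: a resolver, and
    Let's Encrypt's validators, may ask any NS in the set, so a foreign
    NS that does not hold the _acme-challenge TXT record makes dns-01
    validation fail depending on which server happened to answer."""
    got = parse_dig_short_ns(dig_output)
    want = {e.rstrip(".").lower() for e in expected}
    missing = sorted(want - got)
    foreign = sorted(got - want)
    return {"domain": domain, "ok": not missing and not foreign,
            "missing": missing, "foreign": foreign}


# Constructed sample outputs, copied from the dig results posted in this thread.
OUR_NS = {"ns1.synk.xyz", "ns2.synk.xyz"}

AZURE_ONLY = """\
ns1-08.azure-dns.com.
ns3-08.azure-dns.org.
ns2-08.azure-dns.net.
ns4-08.azure-dns.info.
"""

MIXED = """\
ns1-08.azure-dns.com.
ns2-08.azure-dns.net.
ns3-08.azure-dns.org.
ns4-08.azure-dns.info.
ns1.synk.xyz.
ns2.synk.xyz.
"""

CORRECT = """\
ns2.synk.xyz.
ns1.synk.xyz.
"""

if __name__ == "__main__":
    for label, output in (("azure only", AZURE_ONLY), ("mixed", MIXED), ("correct", CORRECT)):
        print(label, check_delegation("synk.xyz", output, OUR_NS))
```

A mixed set is not "half fixed": a resolver picks any NS from the set, so queries that land on the Azure servers get no `_acme-challenge` TXT record and validation fails depending on which server answered. Also check the delegation the parent zone hands out by querying one of the .xyz TLD servers directly, since `dig +short NS` through a recursive resolver may show the child zone's own NS RRset rather than the parent's.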

I have set up DNS:
root@mozila-iot:/home/admin_mozila# dig +short NS synk.xyz
ns1-08.azure-dns.com.
ns2-08.azure-dns.net.
ns3-08.azure-dns.org.
ns4-08.azure-dns.info.
ns1.synk.xyz.
ns2.synk.xyz.

Still facing the same error. I have opened the debug log in the gateway and found the error below:

2019-07-25 14:23:13.476 INFO   : [greenlock/lib/core.js] calling greenlock.acme.getCertificateAsync jauau.synk.xyz [ 'jauau.synk.xyz' ]
2019-07-25 14:23:13.484 DEBUG  : [acme-v2] DEBUG get cert 1
2019-07-25 14:23:13.489 DEBUG  : [acme-v2] accounts.create
2019-07-25 14:23:14.691 DEBUG  : [acme-v2] agreeToTerms
2019-07-25 14:23:14.763 DEBUG  : [acme-v2] accounts.create JSON body:
2019-07-25 14:23:14.768 DEBUG  : { protected: '…',
  payload: 'eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZSwib25seVJldHVybkV4aXN0aW5nIjpmYWxzZX0',
  signature: 'A3rQMIWYjpntJsTnJb9uWayd_TR3WRtkLuK1htzSykdPXkxsdL68fK3tOoC5zw3Z-eBepmB0ezSh9DBtAF_yiSKKtV7Y8Jw9XfuENx1ogLGzhG4qFDydx1MkpZUblM4DSXWIZpmmIEO1b31CzqQvfoUCRcJ3SAsdziq1yMQU9JmvynL2LgHXvxEaJc58zJpq5AbCagKlcmqj3pPLamSymP71RMAW7A8x1jUlJE_JoXVPjnIRA7wm8EEiIwEHeI7d5r43yJtiG0vYPmfMH4aFhUCPDgaR_s4cM5HbledHJeVTTh4v1G-f5VzUVK_tWx2Ez1y4EaOk5dFh71GRDE4sgQ' }
2019-07-25 14:23:16.194 DEBUG  : [DEBUG] new account location:
2019-07-25 14:23:16.197 DEBUG  : https://acme-v02.api.letsencrypt.org/acme/acct/61960492
2019-07-25 14:23:16.206 DEBUG  : { statusCode: 200,
  body:
   { id: 61960492,
     key:
      { kty: 'RSA',
        n: 'pmGb5hOstQNavW3BwfGr7tbcSGi9vVhl0aEzX1RDHOHsUvgo5YnwWWDOsHrW2nm3H85OQ3PHnHRSVHRGIeHo5gKDpbfFdXUlU3tkWkukaTAyU0lVycB4cqZM7TST7m91yVbZ6NYnX8SMuyqtRgUUNGf1WNNR-G0dCRzzekbLg28mczCnntu4qvbXxGpfqz6mMl1UH45gmxipWrKtcao22COPD15Hns1E0FKI0QVULMoSTaGRkoUIcq8zK86izhfjaqeA0ZBiLjy9irLNxmAoYnWghqwNKpepfg-U8VezzUb913lrjwwHetb_X7XLrJhBTR2FSAKdlgrH6LBT6lR4bQ',
        e: 'AQAB' },
     contact: [ 'mailto:rajansha@cisco.com' ],
     initialIp: '182.76.108.106',
     createdAt: '2019-07-25T05:15:13Z',
     status: 'valid' },
  headers:
   { server: 'nginx',
     'content-type': 'application/json',
     'content-length': '570',
     link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
     location: 'https://acme-v02.api.letsencrypt.org/acme/acct/61960492',
     'replay-nonce': 'uDUlReD6GP9XbrWRq6UJG9lRO4MMugg3_MKoavQ2iT0',
     'x-frame-options': 'DENY',
     'strict-transport-security': 'max-age=604800',
     expires: 'Thu, 25 Jul 2019 13:23:16 GMT',
     'cache-control': 'max-age=0, no-cache, no-store',
     pragma: 'no-cache',
     date: 'Thu, 25 Jul 2019 13:23:16 GMT',
     connection: 'close' },
  request:
   { uri:
      Url {
        protocol: 'https:',
        slashes: true,
        auth: null,
        host: 'acme-v02.api.letsencrypt.org',
        port: null,
        hostname: 'acme-v02.api.letsencrypt.org',
        hash: null,
        search: null,
        query: null,
        pathname: '/acme/new-acct',
        path: '/acme/new-acct',
        href: 'https://acme-v02.api.letsencrypt.org/acme/new-acct' },
     method: 'POST',
     headers:
      { 'Content-Type': 'application/jose+json',
        'Content-Length': 1139 } } }
2019-07-25 14:23:16.223 DEBUG  : [acme-v2] DEBUG get cert 1
2019-07-25 14:23:16.266 DEBUG  : [acme-v2] certificates.create
2019-07-25 14:23:16.317 DEBUG  :
[DEBUG] newOrder

2019-07-25 14:23:16.960 DEBUG  : https://acme-v02.api.letsencrypt.org/acme/order/61960492/779101421
2019-07-25 14:23:16.963 DEBUG  : { statusCode: 201,
  body:
   { status: 'pending',
     expires: '2019-08-01T13:23:16.779816787Z',
     identifiers: [ [Object] ],
     authorizations:
      [ 'https://acme-v02.api.letsencrypt.org/acme/authz/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI' ],
     finalize: 'https://acme-v02.api.letsencrypt.org/acme/finalize/61960492/779101421' },
  headers:
   { server: 'nginx',
     'content-type': 'application/json',
     'content-length': '373',
     'boulder-requester': '61960492',
     link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
     location: 'https://acme-v02.api.letsencrypt.org/acme/order/61960492/779101421',
     'replay-nonce': '9x0OxqPbxblQBRt06O4RrhHQc9ILi9m7nnjMcLsdn0s',
     'x-frame-options': 'DENY',
     'strict-transport-security': 'max-age=604800',
     expires: 'Thu, 25 Jul 2019 13:23:16 GMT',
     'cache-control': 'max-age=0, no-cache, no-store',
     pragma: 'no-cache',
     date: 'Thu, 25 Jul 2019 13:23:16 GMT',
     connection: 'close' },
  request:
   { uri:
      Url {
        protocol: 'https:',
        slashes: true,
        auth: null,
        host: 'acme-v02.api.letsencrypt.org',
        port: null,
        hostname: 'acme-v02.api.letsencrypt.org',
        hash: null,
        search: null,
        query: null,
        pathname: '/acme/new-order',
        path: '/acme/new-order',
        href: 'https://acme-v02.api.letsencrypt.org/acme/new-order' },
     method: 'POST',
     headers:
      { 'Content-Type': 'application/jose+json',
        'Content-Length': 720 } } }
2019-07-25 14:23:16.971 DEBUG  : [acme-v2] POST newOrder has authorizations
2019-07-25 14:23:16.973 DEBUG  :
[DEBUG] getChallenges

2019-07-25 14:23:17.733 INFO   : [greenlock/lib/core.js] setChallenge called for 'jauau.synk.xyz'
2019-07-25 14:23:18.523 DEBUG  : Set DNS token on registration server
2019-07-25 14:23:23.531 DEBUG  :
[DEBUG] waitChallengeDelay 500

2019-07-25 14:23:24.997 DEBUG  : [acme-v2.js] challenge accepted!
2019-07-25 14:23:25.001 DEBUG  : { server: 'nginx',
  'content-type': 'application/json',
  'content-length': '223',
  'boulder-requester': '61960492',
  link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI>;rel="up"',
  location: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  'replay-nonce': '62LeaJ2MoWqYcmbPSuyfzNy_vzWI9I8hZZAAaOCIgZo',
  'x-frame-options': 'DENY',
  'strict-transport-security': 'max-age=604800',
  expires: 'Thu, 25 Jul 2019 13:23:24 GMT',
  'cache-control': 'max-age=0, no-cache, no-store',
  pragma: 'no-cache',
  date: 'Thu, 25 Jul 2019 13:23:24 GMT',
  connection: 'close' }
2019-07-25 14:23:25.007 DEBUG  : { type: 'dns-01',
  status: 'pending',
  url: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  token: '1MduQ1Fhspz1RVyIXE3ypXylhVb5sD_0ZOdKY8xvRbI' }
2019-07-25 14:23:25.011 DEBUG  :
2019-07-25 14:23:25.014 DEBUG  : respond to challenge: resp.body:
2019-07-25 14:23:25.018 DEBUG  : { type: 'dns-01',
  status: 'pending',
  url: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  token: '1MduQ1Fhspz1RVyIXE3ypXylhVb5sD_0ZOdKY8xvRbI' }
2019-07-25 14:23:26.025 DEBUG  :
[DEBUG] statusChallenge

2019-07-25 14:23:26.622 ERROR  : [acme-v2] handled(?) rejection as errback:

Your help will solve this error, as now it closes all the debug points.
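The `dns-01` challenge in the log above is what Let's Encrypt looks up on the registration server: it queries the TXT record at `_acme-challenge.<domain>` and expects a digest derived from the challenge token and the ACME account key. Added example (not gateway, greenlock or registration-server code): the RFC 8555 computation in Python, using the account public key (`n`, `e`) and the token that appear in the debug log above, plus a check of whether a set of TXT strings served for that name would satisfy the validator. The function names and the `ACCOUNT_JWK` / `TOKEN` constants are this example's own. The `/dnsconfig` request logged earlier carries a 43-character base64url value in its `challenge` field, the same shape as this digest, which is consistent with the gateway computing it and handing the registration server the value to serve.

```python
from __future__ import annotations
import base64
import hashlib
import json

# Added example of the RFC 8555 dns-01 computation; not gateway, greenlock or
# registration-server code. ACCOUNT_JWK and TOKEN are copied from the debug
# log in this thread (public values only).
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "pmGb5hOstQNavW3BwfGr7tbcSGi9vVhl0aEzX1RDHOHsUvgo5YnwWWDOsHrW2nm3H85OQ3PHnHRSVHRGIeHo5gKDpbfFdXUlU3tkWkukaTAyU0lVycB4cqZM7TST7m91yVbZ6NYnX8SMuyqtRgUUNGf1WNNR-G0dCRzzekbLg28mczCnntu4qvbXxGpfqz6mMl1UH45gmxipWrKtcao22COPD15Hns1E0FKI0QVULMoSTaGRkoUIcq8zK86izhfjaqeA0ZBiLjy9irLNxmAoYnWghqwNKpepfg-U8VezzUb913lrjwwHetb_X7XLrJhBTR2FSAKdlgrH6LBT6lR4bQ",
    "e": "AQAB",
}
TOKEN = "1MduQ1Fhspz1RVyIXE3ypXylhVb5sD_0ZOdKY8xvRbI"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used everywhere in ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    serialised with sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT content is base64url(SHA-256(token '.' thumbprint)).
    The token itself is never published in DNS; only this digest is."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Owner name and content of the TXT record the CA will query."""
    return f"_acme-challenge.{domain.rstrip('.')}", dns01_txt_value(token, jwk)


def txt_matches(served: list[str], token: str, jwk: dict) -> bool:
    """Would the validator accept these TXT strings? Surrounding quotes (as
    PowerDNS stores TXT content) are stripped before comparing."""
    expected = dns01_txt_value(token, jwk)
    return any(s.strip().strip('"') == expected for s in served)


if __name__ == "__main__":
    name, value = dns01_record("jauau.synk.xyz", TOKEN, ACCOUNT_JWK)
    print(f'{name} IN TXT "{value}"')
```

Comparing the value this prints with what `dig TXT _acme-challenge.jauau.synk.xyz @ns1.synk.xyz` returns is the quickest way to tell whether the registration server is serving the record the validator needs, independently of the gateway's own logs.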

You’re still failing at the same point. Is there any way to remove the Azure nameservers? Could you try hosting somewhere else temporarily? A free EC2 micro instance would be sufficient. At least then we could narrow down your issue and verify that it’s really the nameservers.

I tried to do that, but here is my debug output on the register server side when trying to ping.

INFO:<unknown>: process_request(): No record for: rajan.synk.xyz.
Jul 31 05:56:33 Exception building answer packet for rajan.synk.xyz/A (Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content '') sending out servfail

Looks like the pdns server is not set up properly on the registration server.

Output of the pdnsutil command:

/home/user# pdnsutil check-zone synk.xyz
Jul 31 09:01:37 Reading random entropy from '/dev/urandom'
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content ''

Is there any config or database that needs to be set up for pdns?

Yes, you do need to configure PowerDNS. In your config directory, you should have a pdns.conf similar to this:

# Run in the foreground rather than as a background daemon
daemon=no
# Listen on port 53 on every interface; this port must be reachable from the Internet
local-port=53
local-address=0.0.0.0
socket-dir=.
# The remote backend: pdns_server holds no zone data itself and asks the
# registration server for every record over this unix socket
launch=remote
remote-connection-string=unix:path=/tmp/pdns_tunnel.sock
write-pid=no
log-dns-details=no
log-dns-queries=no
loglevel=4
# No caching, so a freshly set _acme-challenge TXT record is served at once
query-cache-ttl=0
cache-ttl=0
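With `launch=remote` and `remote-connection-string=unix:path=/tmp/pdns_tunnel.sock`, pdns_server reads no zone file at all: for every query it sends a JSON `lookup` request over that socket and the registration server answers with the records. The `missing field at the end of record content ''` errors in this thread are pdns_server failing to parse a record whose content is empty. Added example, not the registration server's own code: a minimal Python remote-backend responder for that socket, with a `check_zone` pass that flags such records before they are handed to pdns_server. `ZONE` is constructed data (the TXT value is the challenge from the `/dnsconfig` log earlier in the thread; the address is from the documentation range; `rajan.synk.xyz` deliberately carries an empty-content record), and newline-delimited JSON framing on the unix socket is assumed.

```python
from __future__ import annotations
import ipaddress
import json
import os
import socket

# Added example of a PowerDNS remote-backend responder; not the registration
# server's own code. ZONE is constructed: the TXT value is the challenge from the
# /dnsconfig log in this thread, the address is from the documentation range,
# and rajan.synk.xyz deliberately carries an empty-content record.
ZONE = {
    "synk.xyz": [
        {"qtype": "SOA", "ttl": 60,
         "content": "ns1.synk.xyz hostmaster.synk.xyz 2019073101 3600 900 604800 60"},
        {"qtype": "NS", "ttl": 3600, "content": "ns1.synk.xyz"},
        {"qtype": "NS", "ttl": 3600, "content": "ns2.synk.xyz"},
    ],
    "jaja.synk.xyz": [{"qtype": "A", "ttl": 60, "content": "203.0.113.10"}],
    "_acme-challenge.jaja.synk.xyz": [
        {"qtype": "TXT", "ttl": 60, "content": '"W3TcHcelgvlNAzCxy14z8lpzbrlnXJKiaJju4qbheVI"'},
    ],
    "rajan.synk.xyz": [{"qtype": "A", "ttl": 60, "content": ""}],
}


def validate_record(qname: str, rec: dict) -> None:
    """Raise ValueError for content pdns_server could not parse. An empty
    content string is what produces the 'missing field at the end of record
    content' SERVFAIL seen in this thread."""
    content = rec.get("content", "")
    if not content.strip():
        raise ValueError(f"{qname}/{rec['qtype']}: empty record content")
    if rec["qtype"] == "A":
        ipaddress.IPv4Address(content)  # ValueError on anything but a dotted quad
    if rec["qtype"] == "TXT" and not (content.startswith('"') and content.endswith('"')):
        raise ValueError(f"{qname}/TXT: content must be a quoted string")


def check_zone(zone: dict) -> list[str]:
    """Backend-side equivalent of `pdnsutil check-zone`: list every bad record."""
    errors = []
    for qname, records in zone.items():
        for rec in records:
            try:
                validate_record(qname, rec)
            except ValueError as exc:
                errors.append(str(exc))
    return errors


def handle_request(request: dict, zone: dict = ZONE) -> dict:
    """Answer one remote-backend JSON request. Only `initialize` and `lookup`
    are implemented; pdns_server needs both to serve a zone."""
    method = request.get("method")
    params = request.get("parameters", {})
    if method == "initialize":
        return {"result": True}
    if method == "lookup":
        qname = params["qname"].rstrip(".").lower()
        qtype = params["qtype"].upper()
        answers = []
        for rec in zone.get(qname, []):
            if qtype not in ("ANY", rec["qtype"]):
                continue
            try:
                validate_record(qname, rec)
            except ValueError as exc:
                # Handing pdns_server an unparsable record turns the whole
                # answer into SERVFAIL; withhold it and log instead.
                print(f"dropping record: {exc}")
                continue
            answers.append({"qname": qname, "qtype": rec["qtype"],
                            "content": rec["content"], "ttl": rec["ttl"]})
        return {"result": answers}
    return {"result": False}  # unsupported method


def serve(socket_path: str = "/tmp/pdns_tunnel.sock") -> None:
    """Serve the unix socket named in remote-connection-string. Newline-
    delimited JSON framing is assumed here."""
    if os.path.exists(socket_path):
        os.unlink(socket_path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(socket_path)
        srv.listen(1)
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rwb") as stream:
                for line in stream:
                    if line.strip():
                        reply = handle_request(json.loads(line))
                        stream.write(json.dumps(reply).encode() + b"\n")
                        stream.flush()


if __name__ == "__main__":
    for problem in check_zone(ZONE):
        print("check-zone:", problem)
    serve()
```

Running `check_zone` over the backend's data before answering is the cheap way to catch the failure mode in this thread: `pdnsutil check-zone` cannot inspect a remote backend's records any better than pdns_server can, so the check has to live on the registration server side.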

That is already there, still getting the above error…!!

I now get no results at all for $ dig +short NS synk.xyz

That is because I get the following error in the registration server:
Aug 01 06:40:42 Remote 172.253.2.2 wants 'synk.xyz|NS', do = 0, bufsize = 512: packetcache MISS
Aug 01 06:40:42 Exception building answer packet for synk.xyz/NS (Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content '') sending out servfail

Looks like something is wrong in pdns_server.

Is there any chance you’d be willing to give me temporary access to your server so that I can poke around and see what’s going on? If so, email me at mstegeman@mozilla.com and I can give you my SSH public key. Alternatively, you could email me a tarball of your entire config directory.

I'm also having this problem. Can you explain how you set up the DB?

The database is created automatically when the Docker container first starts up.

Hi,
I'm setting up a Mozilla registration server on Kubernetes (AWS EKS) and I'm using the Amazon load balancer instead of the nginx reverse proxy. How should I use the ACM certificate, and where should I install it?