Registration server setup

Hi,

Thanks for your help.

I am using an Azure instance as my host, so my NS name does not contain synk.xyz, but it is actually able to resolve the host synk.xyz.

But I am still getting the same error on the gateway side.

The acme-v2 error, as mentioned before.

I don’t believe the Let’s Encrypt stage will work properly without the NS records set up. With Azure set as the nameserver, LE will not get the required TXT record, so certificate generation will never succeed.

Azure should still let you set your own NS records. You’ll need them to be “ns1.synk.xyz” and “ns2.synk.xyz”.

Maybe this will help: https://azure4you.com/2017/07/05/azure-dns-records-and-limitations/

I have set up DNS:
root@mozila-iot:/home/admin_mozila# dig +short NS synk.xyz
ns1-08.azure-dns.com.
ns2-08.azure-dns.net.
ns3-08.azure-dns.org.
ns4-08.azure-dns.info.
ns1.synk.xyz.
ns2.synk.xyz.

Still facing the same error. I opened the debug log in the gateway and found the error below:

2019-07-25 14:23:13.476 INFO   : [greenlock/lib/core.js] calling greenlock.acme.getCertificateAsync jauau.synk.xyz [ 'jauau.synk.xyz' ]
2019-07-25 14:23:13.484 DEBUG  : [acme-v2] DEBUG get cert 1
2019-07-25 14:23:13.489 DEBUG  : [acme-v2] accounts.create
2019-07-25 14:23:14.691 DEBUG  : [acme-v2] agreeToTerms
2019-07-25 14:23:14.763 DEBUG  : [acme-v2] accounts.create JSON body:
2019-07-25 14:23:16.194 DEBUG  : [DEBUG] new account location:
2019-07-25 14:23:16.197 DEBUG  : https://acme-v02.api.letsencrypt.org/acme/acct/61960492
2019-07-25 14:23:16.206 DEBUG  : { statusCode: 200,
  body:
   { id: 61960492,
     key:
      { kty: 'RSA',
        n: 'pmGb5hOstQNavW3BwfGr7tbcSGi9vVhl0aEzX1RDHOHsUvgo5YnwWWDOsHrW2nm3H85OQ3PHnHRSVHRGIeHo5gKDpbfFdXUlU3tkWkukaTAyU0lVycB4cqZM7TST7m91yVbZ6NYnX8SMuyqtRgUUNGf1WNNR-G0dCRzzekbLg28mczCnntu4qvbXxGpfqz6mMl1UH45gmxipWrKtcao22COPD15Hns1E0FKI0QVULMoSTaGRkoUIcq8zK86izhfjaqeA0ZBiLjy9irLNxmAoYnWghqwNKpepfg-U8VezzUb913lrjwwHetb_X7XLrJhBTR2FSAKdlgrH6LBT6lR4bQ',
        e: 'AQAB' },
     contact: [ 'mailto:rajansha@cisco.com' ],
     initialIp: '182.76.108.106',
     createdAt: '2019-07-25T05:15:13Z',
     status: 'valid' },
  headers:
   { server: 'nginx',
     'content-type': 'application/json',
     'content-length': '570',
     link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
     location: 'https://acme-v02.api.letsencrypt.org/acme/acct/61960492',
     'replay-nonce': 'uDUlReD6GP9XbrWRq6UJG9lRO4MMugg3_MKoavQ2iT0',
     'x-frame-options': 'DENY',
     'strict-transport-security': 'max-age=604800',
     expires: 'Thu, 25 Jul 2019 13:23:16 GMT',
     'cache-control': 'max-age=0, no-cache, no-store',
     pragma: 'no-cache',
     date: 'Thu, 25 Jul 2019 13:23:16 GMT',
     connection: 'close' },
  request:
   { uri:
      Url {
        protocol: 'https:',
        slashes: true,
        auth: null,
        host: 'acme-v02.api.letsencrypt.org',
        port: null,
        hostname: 'acme-v02.api.letsencrypt.org',
        hash: null,
        search: null,
        query: null,
        pathname: '/acme/new-acct',
        path: '/acme/new-acct',
        href: 'https://acme-v02.api.letsencrypt.org/acme/new-acct' },
     method: 'POST',
     headers:
      { 'Content-Type': 'application/jose+json',
        'Content-Length': 1139 } } }
2019-07-25 14:23:16.223 DEBUG  : [acme-v2] DEBUG get cert 1
2019-07-25 14:23:16.266 DEBUG  : [acme-v2] certificates.create
2019-07-25 14:23:16.317 DEBUG  :
[DEBUG] newOrder

2019-07-25 14:23:16.960 DEBUG  : https://acme-v02.api.letsencrypt.org/acme/order/61960492/779101421
2019-07-25 14:23:16.963 DEBUG  : { statusCode: 201,
  body:
   { status: 'pending',
     expires: '2019-08-01T13:23:16.779816787Z',
     identifiers: [ [Object] ],
     authorizations:
      [ 'https://acme-v02.api.letsencrypt.org/acme/authz/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI' ],
     finalize: 'https://acme-v02.api.letsencrypt.org/acme/finalize/61960492/779101421' },
  headers:
   { server: 'nginx',
     'content-type': 'application/json',
     'content-length': '373',
     'boulder-requester': '61960492',
     link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
     location: 'https://acme-v02.api.letsencrypt.org/acme/order/61960492/779101421',
     'replay-nonce': '9x0OxqPbxblQBRt06O4RrhHQc9ILi9m7nnjMcLsdn0s',
     'x-frame-options': 'DENY',
     'strict-transport-security': 'max-age=604800',
     expires: 'Thu, 25 Jul 2019 13:23:16 GMT',
     'cache-control': 'max-age=0, no-cache, no-store',
     pragma: 'no-cache',
     date: 'Thu, 25 Jul 2019 13:23:16 GMT',
     connection: 'close' },
  request:
   { uri:
      Url {
        protocol: 'https:',
        slashes: true,
        auth: null,
        host: 'acme-v02.api.letsencrypt.org',
        port: null,
        hostname: 'acme-v02.api.letsencrypt.org',
        hash: null,
        search: null,
        query: null,
        pathname: '/acme/new-order',
        path: '/acme/new-order',
        href: 'https://acme-v02.api.letsencrypt.org/acme/new-order' },
     method: 'POST',
     headers:
      { 'Content-Type': 'application/jose+json',
        'Content-Length': 720 } } }
2019-07-25 14:23:16.971 DEBUG  : [acme-v2] POST newOrder has authorizations
2019-07-25 14:23:16.973 DEBUG  :
[DEBUG] getChallenges

2019-07-25 14:23:17.733 INFO   : [greenlock/lib/core.js] setChallenge called for 'jauau.synk.xyz'
2019-07-25 14:23:18.523 DEBUG  : Set DNS token on registration server
2019-07-25 14:23:23.531 DEBUG  :
[DEBUG] waitChallengeDelay 500

2019-07-25 14:23:24.997 DEBUG  : [acme-v2.js] challenge accepted!
2019-07-25 14:23:25.001 DEBUG  : { server: 'nginx',
  'content-type': 'application/json',
  'content-length': '223',
  'boulder-requester': '61960492',
  link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI>;rel="up"',
  location: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  'replay-nonce': '62LeaJ2MoWqYcmbPSuyfzNy_vzWI9I8hZZAAaOCIgZo',
  'x-frame-options': 'DENY',
  'strict-transport-security': 'max-age=604800',
  expires: 'Thu, 25 Jul 2019 13:23:24 GMT',
  'cache-control': 'max-age=0, no-cache, no-store',
  pragma: 'no-cache',
  date: 'Thu, 25 Jul 2019 13:23:24 GMT',
  connection: 'close' }
2019-07-25 14:23:25.007 DEBUG  : { type: 'dns-01',
  status: 'pending',
  url: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  token: '1MduQ1Fhspz1RVyIXE3ypXylhVb5sD_0ZOdKY8xvRbI' }
2019-07-25 14:23:25.011 DEBUG  :
2019-07-25 14:23:25.014 DEBUG  : respond to challenge: resp.body:
2019-07-25 14:23:25.018 DEBUG  : { type: 'dns-01',
  status: 'pending',
  url: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  token: '1MduQ1Fhspz1RVyIXE3ypXylhVb5sD_0ZOdKY8xvRbI' }
2019-07-25 14:23:26.025 DEBUG  :
[DEBUG] statusChallenge

2019-07-25 14:23:26.622 ERROR  : [acme-v2] handled(?) rejection as errback:

Your help will solve this error, as it now closes all the debug points.
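The debug log above contains the two inputs Let's Encrypt combines for the dns-01 challenge: the account's public JWK (the `key` object in the account response) and the challenge `token`. The registration server must publish a TXT record at `_acme-challenge.jauau.synk.xyz` whose value is derived from both; if the NS set does not serve that name, the order fails. The following added example (not code from the gateway, greenlock or acme-v2) recomputes that expected TXT value from the logged data; `check_txt_answer` is a constructed helper that classifies what a resolver returned.

```python
import base64
import hashlib
import json

# Public account key (JWK) and dns-01 token, both copied from the debug log above.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "pmGb5hOstQNavW3BwfGr7tbcSGi9vVhl0aEzX1RDHOHsUvgo5YnwWWDOsHrW2nm3H85OQ3PHnHRSVHRGIeHo5gKDpbfFdXUlU3tkWkukaTAyU0lVycB4cqZM7TST7m91yVbZ6NYnX8SMuyqtRgUUNGf1WNNR-G0dCRzzekbLg28mczCnntu4qvbXxGpfqz6mMl1UH45gmxipWrKtcao22COPD15Hns1E0FKI0QVULMoSTaGRkoUIcq8zK86izhfjaqeA0ZBiLjy9irLNxmAoYnWghqwNKpepfg-U8VezzUb913lrjwwHetb_X7XLrJhBTR2FSAKdlgrH6LBT6lR4bQ",
    "e": "AQAB",
}
TOKEN = "1MduQ1Fhspz1RVyIXE3ypXylhVb5sD_0ZOdKY8xvRbI"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def challenge_name(fqdn: str) -> str:
    """Owner name Let's Encrypt queries for the dns-01 TXT record."""
    return f"_acme-challenge.{fqdn.rstrip('.')}."

def check_txt_answer(expected: str, answered: list) -> str:
    """Constructed helper: classify the TXT answer a resolver returned for the challenge name."""
    if not answered:
        return "no TXT record found: the authoritative NS set is not serving the name"
    if expected in answered:
        return "ok: record matches this order's token and account key"
    return "mismatch: TXT present but computed from another token or key"

if __name__ == "__main__":
    expected = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(challenge_name("jauau.synk.xyz"), "TXT", expected)
    # The failure mode from the gateway log: the resolver returns nothing.
    print(check_txt_answer(expected, []))
```

Querying each delegated nameserver directly for the printed name (`dig @ns1.synk.xyz TXT _acme-challenge.jauau.synk.xyz`) shows whether the Azure servers and the registration server give the same answer.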

You’re still failing at the same point. Is there any way to remove the Azure nameservers? Could you try hosting somewhere else temporarily? A free EC2 micro instance would be sufficient. At least then we could narrow down your issue and verify that it’s really the nameservers.

I tried to do that, but here is my debug output on the registration server side when trying to ping.

INFO:<unknown>: process_request(): No record for: rajan.synk.xyz.
Jul 31 05:56:33 Exception building answer packet for rajan.synk.xyz/A (Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content '') sending out servfail

Looks like the pdns server is not set up properly on the registration server.

Output of the pdnsutil command:

/home/user# pdnsutil check-zone synk.xyz
Jul 31 09:01:37 Reading random entropy from '/dev/urandom'
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content ''

Is there any config or database that needs to be set up for pdns?

Yes, you do need to configure PowerDNS. In your config directory, you should have a pdns.conf similar to this:

daemon=no
local-port=53
local-address=0.0.0.0
socket-dir=.
launch=remote
remote-connection-string=unix:path=/tmp/pdns_tunnel.sock
write-pid=no
log-dns-details=no
log-dns-queries=no
loglevel=4
query-cache-ttl=0
cache-ttl=0

That is already there; still getting the above error…!!

I now get no results at all for $ dig +short NS synk.xyz

That is because I get the following error in the registration server:
Aug 01 06:40:42 Remote 172.253.2.2 wants 'synk.xyz|NS', do = 0, bufsize = 512: packetcache MISS
Aug 01 06:40:42 Exception building answer packet for synk.xyz/NS (Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content '') sending out servfail

Looks like something is wrong in pdns_server.

Is there any chance you’d be willing to give me temporary access to your server so that I can poke around and see what’s going on? If so, email me at mstegeman@mozilla.com and I can give you my SSH public key. Alternatively, you could email me a tarball of your entire config directory.

I’m also having this problem. Can you explain how you set up the DB?

The database is created automatically when the Docker container first starts up.

Hi,
I’m setting up a Mozilla registration server on Kubernetes (AWS EKS) and I’m using the Amazon load balancer instead of the nginx reverse proxy. How should I use the ACM certificate, and where should I install it?

I’m not sure the load balancer is going to serve you well, especially if you’re using multiple servers behind it. You need to have a way to route traffic to the proper back end in order to route through the tunnel.

Hi,
Do you know how to create an additional nameserver with a custom domain name in AWS? I tried to add an additional name server, but it’s not working.

2020-05-05 14:44:25.175 ERROR : Failed to generate certificate: Error: No TXT record found at _acme-challenge.domain.com(domain hidden)
at verifyFn (/home/node/mozilla-iot/gateway/node_modules/acme-client/src/client.js:386:23)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at retryPromise (/home/node/mozilla-iot/gateway/node_modules/acme-client/src/util.js:23:22)
at /home/node/mozilla-iot/gateway/node_modules/acme-client/src/auto.js:124:13

I’m getting the above error. Can you tell me why it’s coming up for the Let’s Encrypt certificate?

Can you just point both NS records to the same IP address, i.e. to your registration server?

Hi,
I’ve created 4 name servers pointing to the same IP address. Still, the issue is the same.
Also, I’ve kept my company certificate in the working environment, which is a DigiCert one, but I’m getting the following error:
Error: CAA record for gw.domain.com(domain name hidden) prevents issuance.

Please suggest solutions for the above.

Is dig showing your proper NS records?

$ dig +short NS mozilla-iot.org
ns2.mozilla-iot.org.
ns1.mozilla-iot.org.
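The "CAA record for gw.domain.com prevents issuance" error earlier in the thread is Let's Encrypt applying RFC 8659: the CAA RRset nearest to the requested name (walking up toward the root) lists which CAs may issue, so a parent zone that only authorizes DigiCert blocks Let's Encrypt for every name below it that has no CAA of its own. The following added example (not code from the thread or the gateway project) implements that lookup and decision over a constructed zone, and shows the fix of adding an `issue` record for `letsencrypt.org` (Let's Encrypt's CAA identifier); `domain.com`, `gw.domain.com` and the mailbox are placeholders.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data reproducing the thread: gw.domain.com has no CAA of its
# own, so the parent's DigiCert-only policy is the one Let's Encrypt evaluates.
ZONE: Dict[str, List[CAARecord]] = {
    "domain.com.": [(0, "issue", "digicert.com"), (0, "iodef", "mailto:security@domain.com")],
}

def relevant_caa(fqdn: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: walk from the FQDN toward the root; the first CAA RRset found governs."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuance_allowed(fqdn: str, ca_domain: str, zone: Dict[str, List[CAARecord]],
                     wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue for fqdn; returns (allowed, reason)."""
    owner, rrset = relevant_caa(fqdn, zone)
    if owner is None:
        return True, "no CAA records in the tree; any CA may issue"
    # Wildcard requests use 'issuewild' when present, otherwise fall back to 'issue'.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    applicable = [v for _, t, v in rrset if t == tag]
    if not applicable:
        return True, f"CAA at {owner} has no '{tag}' tag; issuance unrestricted"
    for value in applicable:
        # The value may carry parameters, e.g. 'letsencrypt.org; validationmethods=dns-01'.
        if value.split(";", 1)[0].strip().lower() == ca_domain.lower():
            return True, f"CAA at {owner} authorizes {ca_domain}"
    return False, f"CAA record at {owner} prevents issuance by {ca_domain}"

def with_issuer(zone: Dict[str, List[CAARecord]], owner: str, ca_domain: str) -> Dict[str, List[CAARecord]]:
    """Copy of the zone with an extra 'issue' record authorizing ca_domain at owner (the fix)."""
    fixed = {k: list(v) for k, v in zone.items()}
    fixed.setdefault(owner, []).append((0, "issue", ca_domain))
    return fixed

if __name__ == "__main__":
    print(issuance_allowed("gw.domain.com", "letsencrypt.org", ZONE))
    print(issuance_allowed("gw.domain.com", "letsencrypt.org", with_issuer(ZONE, "domain.com.", "letsencrypt.org")))
```

Keeping the DigiCert record and adding the Let's Encrypt one is the usual fix when both CAs are in use; a CAA `issue ";"` value forbids all issuance for that tag.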