Registration server setup

rajan.shah · July 19, 2019, 4:51am

nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;


# HTTP version of the main registration server. We redirect to TLS port 8443 to
# avoid conflicting with tunneled domains.
server {
    listen 80;
    listen [::]:80;
    server_name api.synk.xyz;
    return 301 https://$server_name:8443$request_uri;
}

# This default server handles tunneled domains, i.e. myhost.mydomain.org.
#server {
#    listen 80 default_server;
#    listen [::]:80 default_server;
#    return 301 https://$host$request_uri;
#}

# This is the main registration server.
#
# This section assumes you're using Let's Encrypt to generate a host
# certificate. Adjust accordingly if necessary.
server {
    listen 8443 ssl http2 default_server;
    listen [::]:8443 ssl http2 default_server;
    server_name api.synk.xyz;

    ssl_certificate "/etc/letsencrypt/live/api.synk.xyz/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/api.synk.xyz/privkey.pem";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:81;
    }
}





}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

config.toml

[general]
host = "0.0.0.0"
http_port = 81
https_port = 0
domain = "synk.xyz"
db_path = "/home/user/data/domains.sqlite"
# Uncomment to use TLS
# identity_directory = "/home/user/config"
# identity_password = "mypassword"

[pdns]
api_ttl = 1
dns_ttl = 86400
tunnel_ttl = 60
socket_path = "/tmp/pdns_tunnel.sock"
caa_record = "0 issue \"letsencrypt.org\""
mx_record = ""
ns_records = [
  [ "ns1.mydomain.org.", "5.6.7.8" ],
  [ "ns2.mydomain.org.", "4.5.6.7" ],
]
# Uncomment to set a PSL authentication record
# psl_record = "https://github.com/publicsuffix/list/pull/XYZ"
# Check your DNS configuration to fill in this field.
soa_record = "ns1.mydomain.org. dns-admin.mydomain.org. 2018082801 900 900 1209600 60"
txt_record = ""

  [pdns.geoip]
  default = "5.6.7.8"
  database = "/home/user/geoip/GeoLite2-Country.mmdb"

    [pdns.geoip.continent]
    AF = "1.2.3.4"
    AN = "2.3.4.5"
    AS = "3.4.5.6"
    EU = "4.5.6.7"
    NA = "5.6.7.8"
    OC = "6.7.8.9"
    SA = "9.8.7.6"

[email]
server = "mail.gandi.net"
user = "accounts@mydomain.org"
password = "******"
sender = "accounts@mydomain.org"
reclamation_title = "Reclaim your Mozilla WebThings Gateway Domain"
reclamation_body = """Hello,
<br>
<br>
Your reclamation token is: {token}
<br>
<br>
If you did not request to reclaim your gateway domain, you can ignore this email."""
confirmation_title = "Welcome to your Mozilla WebThings Gateway"
confirmation_body = """Hello,
<br>
<br>
Welcome to your Mozilla WebThings Gateway! To confirm your email address, navigate to <a href="{link}">{link}</a>.
<br>
<br>
Your gateway can be accessed at <a href="https://{domain}">https://{domain}</a>."""
success_page = """<!DOCTYPE html>
<html>
  <head><title>Email Confirmation Successful!</title></head>
  <body>
    <h1>Thank you for verifying your email.</h1>
  </body>
</html>"""
error_page = """<!DOCTYPE html>
<html>
  <head><title>Email Confirmation Error!</title></head>
  <body>
    <h1>An error happened while verifying your email.</h1>
  </body>
</html>"""

would you please suggest where I can see registration server log in docker?
I have run nginx on host now and removed from docker.

put database setup for sqlite on docker

and docker command
docker run
-d
-v /opt/docker/registration-server/config:/home/user/config
-v /opt/docker/registration-server/data:/home/user/data
-p 127.0.0.1:81:81
-p 443:4443
-p 53:53
-p 53:53/udp
–restart unless-stopped
–name registration-server-synk1
registration-server-synk1

In nginx , I found below error
2019/07/19 04:51:02 [error] 5710#5710: *115 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 219.65.62.52, server: api.synk.xyz, request: “GET /subscribe?name=rajan&email=a@x.mnn HTTP/2.0”, upstream: “http://127.0.0.1:81/subscribe?name=rajan&email=a@x.mnn”, host: “api.synk.xyz:8443”
2019/07/19 04:51:02 [error] 5710#5710: *115 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 219.65.62.52, server: api.synk.xyz, request: “GET /favicon.ico HTTP/2.0”, upstream: “http://127.0.0.1:81/favicon.ico”, host: “api.synk.xyz:8443”, referrer: “https://api.synk.xyz:8443/subscribe?name=rajan&email=a@x.mnn”

rajan.shah · July 19, 2019, 9:44am

I am also getting below error when try to run

/home/user/registration_server/target/release/main --config-file=/home/user/config/config.toml

ERROR:: MySQL connection URLs must be in the form mysql://[[user]:[password]@]host[:port][/database]

where should I set mysql database?

mstegeman · July 22, 2019, 5:24pm

I answered the MySQL question in your other thread.

A couple problems I see:

You need to configure the [pdns] section with the proper IP addresses, otherwise nothing at all will work.
You also need to configure the [email] section so that emails can get sent out. You should be able to use any SMTP host you want.
With nginx on the host, your config looks right.

To see the logs, you can just use docker logs -f registration-server-synk1

Let me know if you see anything relevant in the logs after you configure the other sections indicated above.

rajan.shah · July 23, 2019, 10:50am

Thank you for your guideline. Now, I am able to setup registration server. one problem is that geoio dir and database is not there in /home/user/ of docker as per config.toml.

I need one more help. Now, I am facing problem in raspberry when change config and run npm start

2019-07-23 11:42:34.368 ERROR  : [acme-v2] handled(?) rejection as errback:
2019-07-23 11:42:34.947 ERROR  : Error: [acme-v2] (E_STATE_INVALID) challenge state for 'gatewayraj.synk.xyz': 'invalid'
    at /home/pi/gateway/build/webpack:/node_modules/acme-v2/node.js:784:1
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:189:7)
2019-07-23 11:42:34.953 ERROR  : Registration failed: Error: [acme-v2] (E_STATE_INVALID) challenge state for 'gatewayraj.synk.xyz': 'invalid'
    at /home/pi/gateway/build/webpack:/node_modules/acme-v2/node.js:784:1
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:189:7)
2019-07-23 11:42:35.219 ERROR  : TypeError: Cannot read property 'then' of undefined
    at Object../src/app.js.TunnelService.switchToHttps (/home/pi/gateway/build/webpack:/src/app.js:432:1)
    at cb (/home/pi/gateway/build/webpack:/src/controllers/settings_controller.js:122:1)
    at Object.register (/home/pi/gateway/build/webpack:/src/certificate-manager.js:205:1)
    at <anonymous>
2019-07-23 11:42:37.671 ERROR  : Error: Can't set headers after they are sent.
    at validateHeader (_http_outgoing.js:491:11)
    at ServerResponse.setHeader (_http_outgoing.js:498:3)
    at ServerResponse.header (/home/pi/gateway/node_modules/express/lib/response.js:771:10)
    at ServerResponse.send (/home/pi/gateway/node_modules/express/lib/response.js:170:12)
    at Socket.pagekiteProcess.stdout.on (/home/pi/gateway/build/webpack:/src/ssltunnel.js:111:1)
    at emitOne (events.js:116:13)
    at Socket.emit (events.js:211:7)
    at addChunk (_stream_readable.js:263:12)
    at readableAddChunk (_stream_readable.js:250:11)
    at Socket.Readable.push (_stream_readable.js:208:10)
    at Pipe.onread (net.js:601:20)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! webthings-gateway@0.9.0 start: `webpack --display errors-only && node build/gateway.js`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the webthings-gateway@0.9.0 start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/pi/.npm/_logs/2019-07-23T10_42_37_738Z-debug.log

would you please help me? looks like /subscribe and /dnsconfig call are good to registration server and after that I get this error.

mstegeman · July 23, 2019, 9:31pm

That’s the relevant part. It means that Let’s Encrypt is unable to retrieve the expected challenge from your registration server.

Things to check:

The NS records for your domain need to be pointed at your server, as it will serve DNS for the entire *.synk.xyz domain. This will need to be configured with your domain host.
Ensure that you have the following ports open (to the world) on your server:
- TCP ports 53, 80, 443, and 8443
- UDP port 80

rajan.shah · July 24, 2019, 3:34pm

I am able to create certificate on host using

letsencrypt certonly --standalone -d gatewayraj.synk.xyz

but still facing this error. I am using azure for ubuntu VM.

what should be the option to resolve this issue?
is gateway using letsencrypt or registration-server after /dnsconfig request?

please give your valuable input.

mstegeman · July 24, 2019, 4:48pm

I forgot to comment on this part. You’ll need to build and install geoipupdate from here: https://dev.maxmind.com/geoip/geoipupdate/

After doing so, add it to your crontab as that page describes. That will update the geoip database for you. I updated the docker repo’s README as well.

mstegeman · July 24, 2019, 4:57pm

The Let’s Encrypt flow is a bit complicated because of the tunnel and DNS configuration. Check out this document for a better explanation.

I can see that your host (api.synk.xyz) does not have port 80 open. You’ll need to do that.
Your NS records are configured wrong. Check out the difference below:

$ dig +short NS mozilla-iot.org
ns2.mozilla-iot.org.
ns1.mozilla-iot.org.

$ dig +short NS synk.xyz
ns1-08.azure-dns.com.
ns3-08.azure-dns.org.
ns2-08.azure-dns.net.
ns4-08.azure-dns.info.

rajan.shah · July 24, 2019, 6:08pm

thank you I will check that.

Actually api.synk.xyz work on 8443 port as per the setup.

In registration server,I am getting below log

INFO:<unknown>: GET /subscribe {"email": "rajan.shah2000@gmail.com", "name": "jaja"}
INFO:<unknown>: subscribe(): Trying to subscribe: jaja.synk.xyz.
INFO:<unknown>: iire
INFO:<unknown>: unwrap
INFO:<unknown>: GET /dnsconfig {"challenge": "W3TcHcelgvlNAzCxy14z8lpzbrlnXJKiaJju4qbheVI", "token": "209af3cd-357d-4e57-902f-1e6d347b32ab"}
ts=5d38833d; t=2019-07-24T16:11:41; ll=1a0; accept=~62.52:55864; id=s0
ts=5d38833d; t=2019-07-24T16:11:41; ll=1a1; debug=No back-end; on_port=4443; proto=http; domain=ping.pagekite; is=FE; id=s3b/~62.52:55864
ts=5d38833d; t=2019-07-24T16:11:41; ll=1a2; wrote=409; wbps=0; read=0; eof=1; id=s3b/~62.52:55864
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a3; accept=~62.52:55866; id=s0
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a4; debug=No back-end; on_port=4443; proto=http; domain=ping.pagekite; is=FE; id=s3c/~62.52:55866
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a5; wrote=409; wbps=0; read=0; eof=1; id=s3c/~62.52:55866
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a6; accept=~62.52:55868; id=s0
ts=5d38833e; t=2019-07-24T16:11:42; ll=1a7; debug=No tunnels configured, idling...; id=s3d/~62.52:55868
ts=5d38833f; t=2019-07-24T16:11:43; ll=1a8; err=Quota lookup failed: [Errno -2] Name or service not known
ts=5d38833f; t=2019-07-24T16:11:43; ll=1a9; BE=Live; proto=https; domain=jaja.synk.xyz; add_kites=True; version=1.0.0.190225; id=s3d/~62.52:55868




ts=5d38834c; t=2019-07-24T16:11:56; ll=1aa; debug=Not sure which servers to contact, making no changes.
ts=5d388370; t=2019-07-24T16:12:32; ll=1ab; debug=Not sure which servers to contact, making no changes.
ts=5d388394; t=2019-07-24T16:13:08; ll=1ac; debug=Not sure which servers to contact, making no changes.
ts=5d388394; t=2019-07-24T16:13:08; ll=1ad; debug=Ping; host=x.x.x.x:x; id=s23/~62.52:55772

mstegeman · July 24, 2019, 6:25pm

That’s great! It looks like your tunnel may be working now.

rajan.shah · July 24, 2019, 6:30pm

Hi,

Thànks for your help.

I am using azure instance as my host so my NS name does not contain synk.xyz but actually it is able to resolve the host synk.xyz.

rajan.shah · July 24, 2019, 6:31pm

but still getting same error on gateway side.

acme-v2 error as mentioned before.

mstegeman · July 24, 2019, 7:20pm

I don’t believe the Let’s Encrypt stage will work properly without the NS records set up. With Azure set as the nameserver, LE will not get the required TXT record, so certificate generation will never succeed.

Azure should still let you set your own NS records. You’ll need them to be “ns1.synk.xyz” and “ns2.synk.xyz”.

Maybe this will help: https://azure4you.com/2017/07/05/azure-dns-records-and-limitations/

rajan.shah · July 25, 2019, 1:26pm

I have setup dns
root@mozila-iot:/home/admin_mozila# dig +short NS synk.xyz
ns1-08.azure-dns.com.
ns2-08.azure-dns.net.
ns3-08.azure-dns.org.
ns4-08.azure-dns.info.
ns1.synk.xyz.
ns2.synk.xyz.

Still facing same error. I have open debug log in gateway and find below error

2019-07-25 14:23:13.476 INFO   : [greenlock/lib/core.js] calling greenlock.acme.getCertificateAsync jauau.synk.xyz [ 'jauau.synk.xyz' ]
2019-07-25 14:23:13.484 DEBUG  : [acme-v2] DEBUG get cert 1
2019-07-25 14:23:13.489 DEBUG  : [acme-v2] accounts.create
2019-07-25 14:23:14.691 DEBUG  : [acme-v2] agreeToTerms
2019-07-25 14:23:14.763 DEBUG  : [acme-v2] accounts.create JSON body:
2019-07-25 14:23:14.768 DEBUG  : { protected: 'eyJub25jZSI6InZVRGo4b1hSWlZoQkxxY25sQTVBSUk4N2M5OFZkWWpiZ2JaZkMzTHJhdUUiLCJhbGciOiJSUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hY2N0IiwiandrIjp7Imt0eSI6IlJTQSIsIm4iOiJwbUdiNWhPc3RRTmF2VzNCd2ZHcjd0YmNTR2k5dlZobDBhRXpYMVJESE9Ic1V2Z281WW53V1dET3NIclcybm0zSDg1T1EzUEhuSFJTVkhSR0llSG81Z0tEcGJmRmRYVWxVM3RrV2t1a2FUQXlVMGxWeWNCNGNxWk03VFNUN205MXlWYlo2TlluWDhTTXV5cXRSZ1VVTkdmMVdOTlItRzBkQ1J6emVrYkxnMjhtY3pDbm50dTRxdmJYeEdwZnF6Nm1NbDFVSDQ1Z214aXBXckt0Y2FvMjJDT1BEMTVIbnMxRTBGS0kwUVZVTE1vU1RhR1Jrb1VJY3E4eks4Nml6aGZqYXFlQTBaQmlMank5aXJMTnhtQW9ZbldnaHF3TktwZXBmZy1VOFZlenpVYjkxM2xyand3SGV0Yl9YN1hMckpoQlRSMkZTQUtkbGdySDZMQlQ2bFI0YlEiLCJlIjoiQVFBQiJ9fQ',
  payload: 'eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZSwib25seVJldHVybkV4aXN0aW5nIjpmYWxzZX0',
  signature: 'A3rQMIWYjpntJsTnJb9uWayd_TR3WRtkLuK1htzSykdPXkxsdL68fK3tOoC5zw3Z-eBepmB0ezSh9DBtAF_yiSKKtV7Y8Jw9XfuENx1ogLGzhG4qFDydx1MkpZUblM4DSXWIZpmmIEO1b31CzqQvfoUCRcJ3SAsdziq1yMQU9JmvynL2LgHXvxEaJc58zJpq5AbCagKlcmqj3pPLamSymP71RMAW7A8x1jUlJE_JoXVPjnIRA7wm8EEiIwEHeI7d5r43yJtiG0vYPmfMH4aFhUCPDgaR_s4cM5HbledHJeVTTh4v1G-f5VzUVK_tWx2Ez1y4EaOk5dFh71GRDE4sgQ' }
2019-07-25 14:23:16.194 DEBUG  : [DEBUG] new account location:
2019-07-25 14:23:16.197 DEBUG  : https://acme-v02.api.letsencrypt.org/acme/acct/61960492
2019-07-25 14:23:16.206 DEBUG  : { statusCode: 200,
  body:
   { id: 61960492,
     key:
      { kty: 'RSA',
        n: 'pmGb5hOstQNavW3BwfGr7tbcSGi9vVhl0aEzX1RDHOHsUvgo5YnwWWDOsHrW2nm3H85OQ3PHnHRSVHRGIeHo5gKDpbfFdXUlU3tkWkukaTAyU0lVycB4cqZM7TST7m91yVbZ6NYnX8SMuyqtRgUUNGf1WNNR-G0dCRzzekbLg28mczCnntu4qvbXxGpfqz6mMl1UH45gmxipWrKtcao22COPD15Hns1E0FKI0QVULMoSTaGRkoUIcq8zK86izhfjaqeA0ZBiLjy9irLNxmAoYnWghqwNKpepfg-U8VezzUb913lrjwwHetb_X7XLrJhBTR2FSAKdlgrH6LBT6lR4bQ',
        e: 'AQAB' },
     contact: [ 'mailto:rajansha@cisco.com' ],
     initialIp: '182.76.108.106',
     createdAt: '2019-07-25T05:15:13Z',
     status: 'valid' },
  headers:
   { server: 'nginx',
     'content-type': 'application/json',
     'content-length': '570',
     link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
     location: 'https://acme-v02.api.letsencrypt.org/acme/acct/61960492',
     'replay-nonce': 'uDUlReD6GP9XbrWRq6UJG9lRO4MMugg3_MKoavQ2iT0',
     'x-frame-options': 'DENY',
     'strict-transport-security': 'max-age=604800',
     expires: 'Thu, 25 Jul 2019 13:23:16 GMT',
     'cache-control': 'max-age=0, no-cache, no-store',
     pragma: 'no-cache',
     date: 'Thu, 25 Jul 2019 13:23:16 GMT',
     connection: 'close' },
  request:
   { uri:
      Url {
        protocol: 'https:',
        slashes: true,
        auth: null,
        host: 'acme-v02.api.letsencrypt.org',
        port: null,
        hostname: 'acme-v02.api.letsencrypt.org',
        hash: null,
        search: null,
        query: null,
        pathname: '/acme/new-acct',
        path: '/acme/new-acct',
        href: 'https://acme-v02.api.letsencrypt.org/acme/new-acct' },
     method: 'POST',
     headers:
      { 'Content-Type': 'application/jose+json',
        'Content-Length': 1139 } } }
2019-07-25 14:23:16.223 DEBUG  : [acme-v2] DEBUG get cert 1
2019-07-25 14:23:16.266 DEBUG  : [acme-v2] certificates.create
2019-07-25 14:23:16.317 DEBUG  :
[DEBUG] newOrder

2019-07-25 14:23:16.960 DEBUG  : https://acme-v02.api.letsencrypt.org/acme/order/61960492/779101421
2019-07-25 14:23:16.963 DEBUG  : { statusCode: 201,
  body:
   { status: 'pending',
     expires: '2019-08-01T13:23:16.779816787Z',
     identifiers: [ [Object] ],
     authorizations:
      [ 'https://acme-v02.api.letsencrypt.org/acme/authz/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI' ],
     finalize: 'https://acme-v02.api.letsencrypt.org/acme/finalize/61960492/779101421' },
  headers:
   { server: 'nginx',
     'content-type': 'application/json',
     'content-length': '373',
     'boulder-requester': '61960492',
     link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
     location: 'https://acme-v02.api.letsencrypt.org/acme/order/61960492/779101421',
     'replay-nonce': '9x0OxqPbxblQBRt06O4RrhHQc9ILi9m7nnjMcLsdn0s',
     'x-frame-options': 'DENY',
     'strict-transport-security': 'max-age=604800',
     expires: 'Thu, 25 Jul 2019 13:23:16 GMT',
     'cache-control': 'max-age=0, no-cache, no-store',
     pragma: 'no-cache',
     date: 'Thu, 25 Jul 2019 13:23:16 GMT',
     connection: 'close' },
  request:
   { uri:
      Url {
        protocol: 'https:',
        slashes: true,
        auth: null,
        host: 'acme-v02.api.letsencrypt.org',
        port: null,
        hostname: 'acme-v02.api.letsencrypt.org',
        hash: null,
        search: null,
        query: null,
        pathname: '/acme/new-order',
        path: '/acme/new-order',
        href: 'https://acme-v02.api.letsencrypt.org/acme/new-order' },
     method: 'POST',
     headers:
      { 'Content-Type': 'application/jose+json',
        'Content-Length': 720 } } }
2019-07-25 14:23:16.971 DEBUG  : [acme-v2] POST newOrder has authorizations
2019-07-25 14:23:16.973 DEBUG  :
[DEBUG] getChallenges

2019-07-25 14:23:17.733 INFO   : [greenlock/lib/core.js] setChallenge called for 'jauau.synk.xyz'
2019-07-25 14:23:18.523 DEBUG  : Set DNS token on registration server
2019-07-25 14:23:23.531 DEBUG  :
[DEBUG] waitChallengeDelay 500

2019-07-25 14:23:24.997 DEBUG  : [acme-v2.js] challenge accepted!
2019-07-25 14:23:25.001 DEBUG  : { server: 'nginx',
  'content-type': 'application/json',
  'content-length': '223',
  'boulder-requester': '61960492',
  link: '<https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI>;rel="up"',
  location: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  'replay-nonce': '62LeaJ2MoWqYcmbPSuyfzNy_vzWI9I8hZZAAaOCIgZo',
  'x-frame-options': 'DENY',
  'strict-transport-security': 'max-age=604800',
  expires: 'Thu, 25 Jul 2019 13:23:24 GMT',
  'cache-control': 'max-age=0, no-cache, no-store',
  pragma: 'no-cache',
  date: 'Thu, 25 Jul 2019 13:23:24 GMT',
  connection: 'close' }
2019-07-25 14:23:25.007 DEBUG  : { type: 'dns-01',
  status: 'pending',
  url: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  token: '1MduQ1Fhspz1RVyIXE3ypXylhVb5sD_0ZOdKY8xvRbI' }
2019-07-25 14:23:25.011 DEBUG  :
2019-07-25 14:23:25.014 DEBUG  : respond to challenge: resp.body:
2019-07-25 14:23:25.018 DEBUG  : { type: 'dns-01',
  status: 'pending',
  url: 'https://acme-v02.api.letsencrypt.org/acme/challenge/rZiUMjKFMmTGg1zQKL7-BwfZFU1g-ko94wS9BH4t2dI/18712316473',
  token: '1MduQ1Fhspz1RVyIXE3ypXylhVb5sD_0ZOdKY8xvRbI' }
2019-07-25 14:23:26.025 DEBUG  :
[DEBUG] statusChallenge

2019-07-25 14:23:26.622 ERROR  : [acme-v2] handled(?) rejection as errback:

your help will be solve this error as now it close all the debug point.

mstegeman · July 25, 2019, 7:45pm

You’re still failing at the same point. Is there any way to remove the Azure nameservers? Could you try hosting somewhere else temporarily? A free EC2 micro instance would be sufficient. At least then we could narrow down your issue and verify that it’s really the nameservers.

rajan.shah · July 31, 2019, 9:02am

i try to do that but here my debug on register server side when try to ping.

INFO:<unknown>: process_request(): No record for: rajan.synk.xyz.
Jul 31 05:56:33 Exception building answer packet for rajan.synk.xyz/A (Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content '') sending out servfail

looks like pdns server is not setup properly on registration server

output of pdnsuti command:

/home/user# pdnsutil check-zone synk.xyz
Jul 31 09:01:37 Reading random entropy from '/dev/urandom'
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content ''

is there any config or database need to be setup for pdns?

mstegeman · July 31, 2019, 3:34pm

Yes, you do need to configure PowerDNS. In your config directory, you should have a pdns.conf similar to this:

daemon=no
local-port=53
local-address=0.0.0.0
socket-dir=.
launch=remote
remote-connection-string=unix:path=/tmp/pdns_tunnel.sock
write-pid=no
log-dns-details=no
log-dns-queries=no
loglevel=4
query-cache-ttl=0
cache-ttl=0

rajan.shah · July 31, 2019, 6:25pm

that is already there still getting above error…!!

mstegeman · July 31, 2019, 6:50pm

I now get no results at all for $ dig +short NS synk.xyz

rajan.shah · August 1, 2019, 6:42am

that is because I get following error in registration server
Aug 01 06:40:42 Remote 172.253.2.2 wants ‘synk.xyz|NS’, do = 0, bufsize = 512: packetcache MISS
Aug 01 06:40:42 Exception building answer packet for synk.xyz/NS (Parsing record content (try ‘pdnsutil check-zone’): missing field at the end of record content ‘’) sending out servfail

looks like something wrong in pdns_server