Score:0

What commands can I use to simulate letsencrypt adding the TXT field to my server?

cn flag

I'm trying to debug my DNS setup for the letsencrypt challenge.

I understand that BIND9 may not be receiving the requests, although it was earlier in the day. The .jnl does not get created, unfortunately.

What I'd like to know is how can I send a request from a remote computer to eventually see what fails on the other end. What does letsencrypt do to send us a TXT field update? What command line command(s) can I run?

That would be an equivalent to the nsupdate command, but from a remote computer.

Score:3
cn flag

Use Let's Encrypt staging environment with your ACME client of choice.

Test with staging first, to not get rate limited from production.

Note that it is not Let's Encrypt sending you DNS update requests, but the API tells you what they should be set to. Various clients have hooks to automate DNS. Read your favorite hooks and the nsupdate man page to get an idea of how they delete and add the TXT records, and if the DNS server is configurable.

cn flag
I'm definitely not anywhere near the limits. It gets stuck just before the "wait 60 sec. before checking TXT field"... as if it were trying to send the UDP packets but it looks like I never receive them. I can connect to the HTTPS servers `wget -S https://acme-v02.api.letsencrypt.org/directory` works (the test too).
John Mahowald
cn flag
Let's Encrypt staging is useful for reasons other than the quotas. Separate rooted chain so certs issued with it are not nearly as valuable. Features are enabled in staging first.
cn flag
I now posted a question on the [letsencrypt forum](https://community.letsencrypt.org/t/certbot-gets-stuck-before-saying-waiting-60-seconds-for-dns-changes-to-propagate/172497/3). It feels like something is blocking the UDP packets from their end to my server. I don't see any other technical reasons to prevent the flow at the moment... I'll give the latest version a try, though.
Score:1
ar flag

> That would be an equivalent to the nsupdate command, but from a remote computer.

nsupdate works from a remote computer.

Simply run `nsupdate -k keyfile` and issue the command `server example.com` when nsupdate has started to tell it which server to send updates to.

cn flag
Indeed! That worked just fine. I don't understand why letsencrypt gets stuck now... Hmmm...
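As an added example (not code from either answer or from any ACME client), here is the shape of what a DNS-01 hook does and what the remote `nsupdate -k keyfile` test above boils down to: a TSIG-signed dynamic update that deletes and re-adds the `_acme-challenge` TXT record, followed by a direct query of the authoritative server to confirm it landed. The zone `example.com`, the name server `ns1.example.com`, the key path `/etc/acme/tsig.key` and the token value are all assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce from a remote host
# the TSIG-authenticated dynamic update an ACME DNS-01 hook performs, so the
# BIND9 side (named logs, the .jnl file) can be watched for it arriving.
# Assumed values (not in the thread): zone, server, key file, token.

ZONE="${ZONE:-example.com}"
SERVER="${SERVER:-ns1.example.com}"
KEYFILE="${KEYFILE:-/etc/acme/tsig.key}"
TTL=60

# Build the nsupdate batch that (re)creates the challenge record.
# $1 = name being validated, $2 = validation token (constructed placeholder).
acme_update_script() {
    host="$1"; token="$2"
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$ZONE"
    printf 'update delete _acme-challenge.%s. TXT\n' "$host"
    printf 'update add _acme-challenge.%s. %s TXT "%s"\n' "$host" "$TTL" "$token"
    printf 'send\n'
}

# Batch that removes the record again once validation is done.
acme_cleanup_script() {
    host="$1"
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$ZONE"
    printf 'update delete _acme-challenge.%s. TXT\n' "$host"
    printf 'send\n'
}

# Send the batch signed with the TSIG key. -v forces TCP, which separates
# "UDP is being filtered" from "the server refuses the update" (REFUSED,
# NOTAUTH or a timeout is reported by nsupdate's exit status and output).
send_update() {
    acme_update_script "$1" "$2" | nsupdate -k "$KEYFILE" -v
}

# Ask the authoritative server directly, bypassing any caching resolver.
check_record() {
    dig +short @"$SERVER" "_acme-challenge.$1" TXT
}

# Only touch the network when explicitly asked: ./acme-update.sh run
if [ "${1:-}" = "run" ]; then
    send_update "$ZONE" "CONSTRUCTED-TOKEN-replace-me"
    check_record "$ZONE"
fi
```

Run it once with `-v` (TCP) and once without; if only the UDP variant hangs, the problem is packet filtering rather than the zone's `update-policy` or the key. On the BIND9 side, watch `named` logs for the signed update and check that the zone's journal appears after a successful `send`.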