TXT record is not found by LE

[TatyanaBol]

We provide a service that orders certificates from LE.
We use Lego library, DNS-01 challenges.
A customer creates a config with his DNS provider credentials and we make everything for him.
Our code implements functions Present, CleanUp, it adds/removes the TXT record through DNS provider API
Usually everything works, we have a lot of customers.

Recently orders started failing for one specific customer, he uses Softlayer DNS provider.
In our log, I can see that a challenge was set, but when Lego calls LE it returns the error "acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.logs-epfp01-00465.qradar.ibmcloud.com - check that a DNS record exists for this domain".

We increased the polling interval to wait between the set challenge and validation to 10 minutes for case of slow propagation. The customer complains that 7 of 15 orders still fail.

Please help to understand what is the issue.
Does Lego poll both authoritative DNS servers?
What can be a reason that Lego finds TXT record and LE not?

Thanks in advance

[ldez]

Hello,

Lego and LE don't use the same DNS servers because LE doesn't communicate publically on the DNS servers they use.

The DNS propagation can be very very long with some DNS providers, but we check the propagation of the TXT record and if the domain doesn't exist the check will stop before the end of the propagation check.

The NXDOMAIN error seems to indicate that the A record is very slow to propagate.
So I recommend your customer checks the propagation of the A records before trying to get a certificate.

A bit off-topic but I recommend using CNAME instead of asking for the DNS credentials of your customers.
https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname

[TatyanaBol]

it feels wrong that we increase interval and not one-time delay.
So the polling works with intervals of 10-12 minutes, the orders are very long, and it still doesn't ensure that the orders will succeed.
We could check with interval 1-2 minutes, then wait 5 min and chances for success would be much higher.

[ldez]

So the polling works with intervals of 10-12 minutes, the orders are very long, and it still doesn't ensure that the orders will succeed.

the delay will also not ensure that the orders will succeed, because it's a delay and not accurate information about the propagation.

You can add a custom preCheck via dns01.WrapPreCheck(): preCheck is the function called during the propagation check, so you can add an extra sleep when the check of the propagation succeeds.

[TatyanaBol]

Thanks! I'll look at it

[ldez]

Something like that:

err = client.Challenge.SetDNS01Provider(provider,
	dns01.CondOption(len(resolvers) > 0, dns01.AddRecursiveNameservers(resolvers)),
	dns01.WrapPreCheck(func(domain, fqdn, value string, check dns01.PreCheckFunc) (bool, error) {
		if delayBeforeCheck > 0 {
			logger.Debugf("Delaying %d rather than validating DNS propagation now.", delayBeforeCheck)
			time.Sleep(time.Duration(delayBeforeCheck))
		}

		b, err := check(fqdn, value)
		if err == nil {
			logger.Debugf("Delaying %d ", extraDelay)
			time.Sleep(extraDelay)
		}

		return b, err
	}),
)

[TatyanaBol]

Thank you, we are going with your last advice.