DNS issue in MEL Datacenter

I'm trying to debug why new TXT records created via the API are visible in the dashboard but not resolvable. I'm testing ACME dns-01 TLS challenges. After way too many hours and looking at the dashboard analytics, the only NXDOMAIN responses are coming from MEL, but not from other locations. Furthermore, US-based looking glasses resolve correctly (I'm based in New Zealand). I can't see any current issues related to this. Any idea how I can debug further or resolve this?
9 Replies
fry69 • 4w ago
I'm doing dns-01 via the python3-certbot-dns-cloudflare (Debian package) plugin for certbot; it works great. Also, I have written a script that updates DANE records in Cloudflare DNS via the API after a certificate has been renewed via certbot, see here -> https://github.com/fry69/certbot-cloudflare-dns-updaters/blob/main/dane.py Maybe this inspires a bit?
fry69 • 4w ago
Or is this a regional issue?
Jacob (OP) • 4w ago
I'm using the Caddy Cloudflare DNS plugin, so I expect it works properly: lots of stars on GitHub and no other issues. As I can see the records in the web UI and can't resolve them, I don't think it's an issue with the ACME process; I just can't resolve any of the _acme-challenge.* records.
fry69 • 4w ago
I ditched Caddy when I moved to Cloudflare and use nginx with 15-year Cloudflare certificates and authenticated origin pulls (aka client cert verification) -> https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/ Works great and disables any attempt to communicate with the servers except via the Cloudflare proxy. I only use Let's Encrypt / certbot for other services that cannot be hidden behind the Cloudflare proxy.
Jacob (OP) • 4w ago
My services aren't on the internet, so I can't use the Cloudflare proxy, but I think this is a DNS issue, not a Caddy issue.
fry69 • 4w ago
With Caddy your services are on the internet, at least visible in the certificate transparency logs 🙂
Jacob (OP) • 4w ago
The names are, if I don't use a wildcard, but not the actual services.
fry69 • 4w ago
Are you 100% sure? I'd try getting a certificate with certbot + dns-01, just to test it. It seems so unlikely that Cloudflare DNS would not work (and not create a massive upheaval). If certbot also does not work, you have a good reason to yell, IMHO.
Jacob (OP) • 4w ago
I think it's a DNS issue as I can't query TXT requests, regardless of certs.
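To separate "the record is missing at the authoritative servers" from "one resolver or location is returning NXDOMAIN", the check this thread keeps circling back to is to query the TXT name directly against each of the zone's nameservers and against a few public resolvers, then compare the rcodes. The stdlib-only script below is an added example, not code from anyone in this thread or from Cloudflare; the record name and the server list are command-line arguments and purely placeholders here.

```python
import os, socket, struct, sys

TYPE_TXT = 16
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qid: int) -> bytes:
    """Encode a recursion-desired TXT question for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", TYPE_TXT, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, honouring compression pointers."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg: bytes, qid: int) -> tuple[str, list[str]]:
    """Return (rcode, TXT strings) from a raw DNS reply, rejecting mismatched ids."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qd):  # step over the echoed question section
        off = _skip_name(msg, off) + 4
    txts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        pos = off
        while rtype == TYPE_TXT and pos < off + rdlen:  # <len><chars> segments
            txts.append(msg[pos + 1:pos + 1 + msg[pos]].decode("latin-1"))
            pos += 1 + msg[pos]
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), txts

def query_txt(server: str, name: str, timeout: float = 3.0) -> tuple[str, list[str]]:
    """Send one UDP TXT query straight to `server` on port 53 and parse the reply."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        return parse_response(s.recv(4096), qid)

if __name__ == "__main__":  # python3 txtcheck.py NAME SERVER [SERVER ...]
    for server in sys.argv[2:]:
        print(server, *query_txt(server, sys.argv[1]))
```

If every authoritative server returns NOERROR with the token but a particular resolver still answers NXDOMAIN, the fault is in that resolver's cache or its path to the zone (a lookup made before the record existed is negatively cached for the SOA minimum TTL), not in the record itself.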