@b0bu
Last active May 24, 2021 11:26
Checking that DNS has propagated

If you're using Let's Encrypt with a third-party public DNS provider that doesn't offer a mature API, you'll have to make sure the nameservers have propagated the newly created TXT record before your manual-auth script exits and returns control to LE. LE will then issue a challenge expecting the record to exist. Depending on the method the provider uses, this challenge can fail; in fact it likely will if propagation takes minutes, or even 20 to 30 seconds.

This is part of a larger script which ensures that your DNS record has propagated before returning control to LE. The way I construct TXT records in that script (not shown here) lets something.something.something...example.com be chained for as long a domain name as is allowed, but here I'm manually setting the _acme-challenge. prefix, which always comes first regardless of the length.

Also note that I'm using 8.8.8.8 to gather the list of the public provider's NS servers for the domain example.com. This is an API problem solved in basic bash in just a few lines, but it guarantees that the challenge record is available. I'm using simple console logging here, but the output can be redirected to /var/log/letsencrypt, or wherever you like.

# SUBDOMAIN and NONCE are set by the surrounding manual-auth hook (not shown here)
DOMAIN=example.com
TXT_RECORD_NAME=_acme-challenge.${SUBDOMAIN}
CERTBOT_VALIDATION=${NONCE}
MAX_ATTEMPTS=40   # give up after 40 polls (about two minutes) instead of hanging forever
LOG=/var/log/letsencrypt/letsencrypt.log

# make sure outbound DNS to the public resolver is allowed before relying on it
if /usr/bin/nc -zv -w 1 8.8.8.8 53 &> /dev/null
then
    # ask the public resolver for the authoritative nameservers of ${DOMAIN}
    for nameserver in $(/usr/bin/dig @8.8.8.8 +short ns "${DOMAIN}"); do
        echo "$(date) Starting lookup of challenge ${CERTBOT_VALIDATION} @${nameserver}"
        attempt=0
        while :
        do
            echo "trying dig @${nameserver} txt ${TXT_RECORD_NAME}.${DOMAIN}"
            sleep 3
            # query once, keep the answer, and look for the challenge token in it
            answer=$(/usr/bin/dig "@${nameserver}" txt "${TXT_RECORD_NAME}.${DOMAIN}" | grep TXT | grep -- "${CERTBOT_VALIDATION}")
            if [ -n "${answer}" ]
            then
                echo "${answer}"
                echo "$(date) Resolved for @${nameserver}"
                break
            fi
            attempt=$((attempt + 1))
            if [ "${attempt}" -ge "${MAX_ATTEMPTS}" ]
            then
                echo "$(date '+%Y-%m-%d %T') ERROR from /data/scripts/<provider>/create_txt_record.sh: ${TXT_RECORD_NAME}.${DOMAIN} not visible on @${nameserver} after ${MAX_ATTEMPTS} attempts" >> "${LOG}"
                exit 1
            fi
        done
    done
else
    echo "$(date '+%Y-%m-%d %T') ERROR from /data/scripts/<provider>/create_txt_record.sh: 8.8.8.8:53 out is not open for this server, put in a ticket." >> "${LOG}"
    echo "$(date '+%Y-%m-%d %T') ERROR from /data/scripts/<provider>/create_txt_record.sh: If 8.8.8.8 is blocked you may also have to unblock the <provider> ns $(dig @8.8.8.8 +short ns "${DOMAIN}")" >> "${LOG}"
fi
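The same propagation check, written here as an added example (not the gist author's code) that generalises the idea: every authoritative nameserver is polled a bounded number of times, the TXT value is compared exactly rather than by substring, and the lookup command is pluggable so the logic can be exercised without network access. `DIG_CMD`, `query_txt`, `has_exact_txt` and `wait_for_txt` are names chosen for this example; it assumes dig(1) is on the path when run for real.

```shell
#!/usr/bin/env bash
# Added example: bounded, exact-match DNS-01 propagation check.
# Assumption: DIG_CMD resolves to dig(1) in production; a test can point it
# at a shell function that prints fake "dig +short txt" output instead.

: "${DIG_CMD:=dig}"

# query_txt <nameserver> <fqdn>
# Prints the TXT strings the given nameserver returns, outer quotes stripped.
query_txt() {
    local ns="$1" name="$2"
    "$DIG_CMD" "@${ns}" +short txt "$name" 2>/dev/null | sed 's/^"//; s/"$//'
}

# has_exact_txt <nameserver> <fqdn> <expected>
# Whole-line fixed-string match: a record that merely contains the token
# (or a stale sibling record) does not count as propagated.
has_exact_txt() {
    local ns="$1" name="$2" want="$3"
    query_txt "$ns" "$name" | grep -Fxq -- "$want"
}

# wait_for_txt <fqdn> <expected> <max_attempts> <sleep_seconds> <ns...>
# Returns 0 only when every listed nameserver serves the expected value
# within max_attempts polls; returns 1 and names the failing server otherwise.
wait_for_txt() {
    local name="$1" want="$2" max="$3" delay="$4"
    shift 4
    local ns attempt
    for ns in "$@"; do
        attempt=0
        until has_exact_txt "$ns" "$name" "$want"; do
            attempt=$((attempt + 1))
            if [ "$attempt" -ge "$max" ]; then
                echo "$(date '+%Y-%m-%d %T') ERROR: ${name} not visible on ${ns} after ${max} polls" >&2
                return 1
            fi
            sleep "$delay"
        done
        echo "$(date '+%Y-%m-%d %T') ${ns} serves ${name}"
    done
    return 0
}
```

In a manual-auth hook you would call it as `wait_for_txt "_acme-challenge.${CERTBOT_DOMAIN}" "${CERTBOT_VALIDATION}" 40 3 $(dig @8.8.8.8 +short ns "${CERTBOT_DOMAIN}") || exit 1`, so that a record that never appears fails the hook instead of hanging it.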