After having noticed a problem when renewing SSL certificates with Let's Encrypt, I realised that I had an incomprehensible bug with DNSSEC (which crashes the Let's Encrypt challenge).
This bug only appears on a handful of domain names (3 out of 22).
The errors seem to indicate a signature inconsistency at the SOA level, which I clearly don't understand:
• “Trying to verify SOA RRset with signature 36504 gave error ‘Bogus DNSSEC signature’.”
• “No RRSIG correctly signed the SOA RRset.”
• “Nameserver ns1.une-issue.com/188.8.131.52 responded with an RRSIG which can not be verified with corresponding DNSKEY (with keytag 36504).”
• “Nameserver nssec.online.net/184.108.40.206 responded with an RRSIG which can not be verified with corresponding DNSKEY (with keytag 36504).”
Out of ideas, on a non-critical domain, I even deleted the DNSSEC keys from my zone and the DS record at my registrar, deleted the domain on my DNS slave service, checked the zone file (which has no errors, is very trivial and is identical to other non-problematic domains), put my slave back, recreated my DNSSEC keys and put my DS keys back at my registrar (without forgetting to restart BIND when necessary).
The weird thing is that after this procedure the problem seems to be solved for a few minutes: I can recreate my SSL certificates without any problem and the diagnostic tools don't give me any error.
Then, again, the same error, as if something was wrong with the propagation (or else, when trying to create a new SSL certificate).
In short, I'm a bit lost, especially since this problem seems recent: at least since I did an update containing only Usermin (1.812 → 1.823), Webmin (1.962 → 1.973) and Webmin-virtual-server (6.14.gpl → 6.15.gpl), I have been receiving emails every hour from the server telling me that the renewal has failed.
If you have any ideas, I'm really interested!
• DNSViz Results: mrsoul.org | DNSViz
• ZoneMaster Results: Zonemaster
• Let’s Debug (http-01) Results: Let's Debug
• Let’s Debug (dns-01) Results: Let's Debug
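The messages above name a specific key tag (36504) that the validator found in the DNSKEY set but could not use to verify the SOA RRSIG, and the post says the failure returns minutes after a full re-key while a secondary is in play. The script below is an added example, not code from the original post, from Virtualmin or from BIND: it takes the DNSKEY, RRSIG and SOA records that `dig @<nameserver> <zone> DNSKEY +dnssec` and `dig @<nameserver> <zone> SOA +dnssec` print for each authoritative server, computes key tags per RFC 4034 Appendix B, and reports the structural inconsistencies that produce exactly this kind of error: an RRSIG whose key tag is absent from that server's DNSKEY set, two servers serving different key material under the same tag, differing DNSKEY sets, and differing SOA serials. It does not verify signatures. The zone name `example.test`, the keys, the signatures and the serials are constructed sample data.

```python
"""Cross-check DNSKEY and RRSIG consistency across a zone's nameservers.

Added example (not code from the original post, Virtualmin or BIND).  It parses
DNSKEY, RRSIG and SOA records in the presentation format printed by
`dig @<ns> <zone> DNSKEY +dnssec` and `dig @<ns> <zone> SOA +dnssec`, computes
RFC 4034 Appendix B key tags, and reports structural reasons a validator would
say an RRSIG "can not be verified with corresponding DNSKEY (keytag N)": the
key tag is missing from that server's DNSKEY set, or two servers hand out
different key material under the same tag.  It does not verify signatures.
All zone names, keys, signatures and serials below are constructed sample data.
"""
import base64
import hashlib


def keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """'<name> <ttl> IN DNSKEY <flags> <proto> <alg> <base64...>' -> tag + fingerprint."""
    f = line.split()
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    pub = base64.b64decode("".join(f[7:]))          # dig may wrap the base64 over tokens
    return {"tag": keytag(flags, proto, alg, pub), "flags": flags, "alg": alg,
            "fp": hashlib.sha256(pub).hexdigest()[:16]}  # key material, not just its tag


def parse_rrsig(line: str) -> dict:
    """'<name> <ttl> IN RRSIG <type> <alg> <labels> <ottl> <exp> <inc> <tag> <signer> <sig>'"""
    f = line.split()
    return {"covers": f[4], "alg": int(f[5]), "tag": int(f[10]), "signer": f[11]}


def check_servers(answers: dict) -> list:
    """answers: {nameserver: [record lines]} -> list of 'KIND: detail' findings."""
    state = {}
    for ns, lines in answers.items():
        keys, sigs, serial = {}, [], None
        for ln in lines:
            rtype = ln.split()[3]
            if rtype == "DNSKEY":
                k = parse_dnskey(ln)
                keys[k["tag"]] = k          # one key per tag; real sets can collide too
            elif rtype == "RRSIG":
                sigs.append(parse_rrsig(ln))
            elif rtype == "SOA":
                serial = int(ln.split()[6])
        state[ns] = (keys, sigs, serial)

    findings = []
    for ns, (keys, sigs, _) in state.items():
        for s in sigs:
            if s["tag"] not in keys:
                findings.append(f"MISSING_KEY: {ns} signs {s['covers']} with key tag "
                                f"{s['tag']} but serves no DNSKEY with that tag")
    names = sorted(state)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ka, _, sa = state[a]
            kb, _, sb = state[b]
            if sa != sb:
                findings.append(f"SERIAL: {a} serial {sa} != {b} serial {sb}")
            if ka.keys() != kb.keys():
                findings.append(f"KEYSET: {a} tags {sorted(ka)} != {b} tags {sorted(kb)}")
            for tag in ka.keys() & kb.keys():
                if ka[tag]["fp"] != kb[tag]["fp"]:
                    findings.append(f"KEY_MATERIAL: tag {tag} is a different key on "
                                    f"{a} and {b} (same tag, bogus signature on one side)")
    return findings


# --- constructed sample data (not real keys; algorithm 13 public keys are 64 bytes) ---
ZONE = "example.test."
KSK = bytes(range(1, 65))
ZSK = bytes(range(64, 0, -1))
OLD_ZSK = bytes(range(65, 129))
# Swapping two bytes at even offsets leaves the RFC 4034 checksum unchanged,
# so ZSK_STALE is different key material carrying the same tag as ZSK.
ZSK_STALE = bytes([ZSK[2], ZSK[1], ZSK[0]]) + ZSK[3:]


def dnskey_line(flags: int, pub: bytes) -> str:
    return f"{ZONE} 3600 IN DNSKEY {flags} 3 13 {base64.b64encode(pub).decode()}"


def rrsig_soa_line(tag: int) -> str:
    sig = base64.b64encode(b"\x00" * 64).decode()   # placeholder, never verified here
    return (f"{ZONE} 3600 IN RRSIG SOA 13 2 3600 20210601000000 20210501000000 "
            f"{tag} {ZONE} {sig}")


def soa_line(serial: int) -> str:
    return f"{ZONE} 3600 IN SOA ns1.{ZONE} hostmaster.{ZONE} {serial} 7200 3600 1209600 3600"


SAMPLE = {
    # primary: fresh keys and a signature made with the current ZSK
    "ns1": [soa_line(2021050102), dnskey_line(257, KSK), dnskey_line(256, ZSK),
            rrsig_soa_line(keytag(256, 3, 13, ZSK))],
    # secondary still holding an older zone: same tag, different ZSK bytes
    "ns2": [soa_line(2021050101), dnskey_line(257, KSK), dnskey_line(256, ZSK_STALE),
            rrsig_soa_line(keytag(256, 3, 13, ZSK_STALE))],
    # secondary whose DNSKEY set never picked up the new ZSK at all
    "ns3": [soa_line(2021050102), dnskey_line(257, KSK), dnskey_line(256, OLD_ZSK),
            rrsig_soa_line(keytag(256, 3, 13, ZSK))],
}

if __name__ == "__main__":
    for finding in check_servers(SAMPLE):
        print(finding)
```

To use it against real servers, paste each nameserver's `dig` answer lines into the dictionary in place of the constructed sample. If the script reports nothing for a zone that still fails, the key sets agree and what is stale is the signature bytes themselves (an old RRSIG served with a new key, or a zone re-signed after the DS was published); that needs a real validating check such as `delv` from BIND, which this tag-level comparison cannot replace.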