Hi, I’m building an authoritative DNS server for my domain on Fly but I can’t generate certs for the apex domain even though the A and AAAA records for the apex domain and the CNAME record for _acme-challenge. are set.
For context, the DNS server is a clone of local-ip.co. It allows someone to hit http://127-0-0-1.local-ip.sh and get directed to whatever is running on 127.0.0.1. It becomes useful once I can get HTTPS working for *.local-ip.sh but that’s not my concern yet.
Right now I want to host a page on https://local-ip.sh but for some obscure reason, my certificate hasn’t been issued yet.
$ fly certs show local-ip.sh
The certificate for local-ip.sh has not been issued yet.
Hostname = local-ip.sh
DNS Provider = nic
Certificate Authority = Let's Encrypt
Issued =
Added to App = 42 minutes ago
Source = fly
You are creating a certificate for local-ip.sh
We are using lets_encrypt for this certificate.
You can direct traffic to local-ip.sh by:
1: Adding an A record to your DNS service which reads
A @ 213.188.218.137
You can validate your ownership of local-ip.sh by:
2: Adding an AAAA record to your DNS service which reads:
AAAA @ 2a09:8280:1::9165
$ dig local-ip.sh a +short
213.188.218.137
$ dig local-ip.sh aaaa +short
2a09:8280:1::9165
$ dig _acme-challenge.local-ip.sh cname +short
local-ip.sh.n2kl11.flydns.net.
The dns server’s code is available here: GitHub - m5r/local-ip.sh: DNS service for local IP addresses (with HTTPS support coming soon)
Edit: I’ve found this post from someone running into the same certificate issue using a self-hosted authoritative DNS server for their domain; it might be relevant.
Edit 2: Another maybe-relevant item: I’m running this Node.js app on Fly and the following code throws an ESERVFAIL error:
import { resolve4 } from "dns/promises";
const resolvedIPs = await resolve4("192-168-1-29.local-ip.sh"); // this throws ESERVFAIL
Running dig also fails:
$ dig local-ip.sh +trace
; <<>> DiG 9.16.33-Debian <<>> local-ip.sh +trace
;; global options: +cmd
. 516298 IN NS e.root-servers.net.
. 516298 IN NS h.root-servers.net.
. 516298 IN NS l.root-servers.net.
. 516298 IN NS i.root-servers.net.
. 516298 IN NS a.root-servers.net.
. 516298 IN NS d.root-servers.net.
. 516298 IN NS c.root-servers.net.
. 516298 IN NS b.root-servers.net.
. 516298 IN NS j.root-servers.net.
. 516298 IN NS k.root-servers.net.
. 516298 IN NS g.root-servers.net.
. 516298 IN NS m.root-servers.net.
. 516298 IN NS f.root-servers.net.
. 516298 IN RRSIG NS 8 0 518400 20221112170000 20221030160000 18733 . PleNHyMwfRtZt2c8rzXxndFj+LoAyxzxqqga/LUmgcTMx33XcrkUGS2V i1BK/DNiadqHI7EAV0yPslCqA/K7jh/vuoDhau5pJLnHST9eZU2gKBjK pnG1dt9v96kSL1rqa7/wgBdgeCXILNgyrTh299kmK3N8nj6R+zOrPtNC UlpzsIhHSCk/ZRGsEMe2uGZ2qIEwr69sk8BmJ8xzWezSl8nuRn/xZY+j eMSXyt7H6EfR4eBzSbxTEq5/I46gtCKeR4D0i2QiP0fL/wxYM3J0xo4B 23bFXqOINql9nc6kNba8vA5AZVeL3qzEjYdGE/yOCpYqwC4Pc/sdbywh DGZ0QQ==
;; Received 525 bytes from fdaa::3#53(fdaa::3) in 0 ms
sh. 172800 IN NS a0.nic.sh.
sh. 172800 IN NS b0.nic.sh.
sh. 172800 IN NS c0.nic.sh.
sh. 172800 IN NS a2.nic.sh.
sh. 86400 IN DS 55297 8 2 BA339AD6E081DAD292A3F473CBDD5ADC53A0222769A7C6125F506DD6 A813787F
sh. 86400 IN RRSIG DS 8 1 86400 20221112170000 20221030160000 18733 . TpRC3vCXM+Grqeq433EqxzdM4nOBRsDBQyXgFeGA0AvwIKI2AvZbq+9w 7fR8hZN9inKDknPSrorwRmIs6N7wzJF2Xcinubv9/VIydPl+7esbEcfi 4yhA+jpb+R3zWPElP/uFgpGqPkm900wKoXEAo9PkUhFN+BgwjwSrvd2+ 3qc3hRKD9HBTYktQhNw0zregs+iUpdDoCNNWL1YbD84Wy0VnYgkqJwKM YDypmLH9+8IpGqOVMZMLN22X/TNFtnq9EfzwxN/2wsMvdEKLj697pw+s TNkMAP8dJ8G1gUrao7fUeFJ93wSpZjkwObUvvt15LnycSWIXBs7MNc6j aadYaw==
;; Received 623 bytes from 192.58.128.30#53(j.root-servers.net) in 4 ms
local-ip.sh. 3600 IN NS ns2.local-ip.sh.
local-ip.sh. 3600 IN NS ns1.local-ip.sh.
mci9ncnblgquoevrhl6iu1oet1rqmea4.sh. 3600 IN NSEC3 1 1 10 332539EE7F95C32A MCM97ECBOBN240E95GDE0TTL8EP5O0SF NS SOA RRSIG DNSKEY NSEC3PARAM
mci9ncnblgquoevrhl6iu1oet1rqmea4.sh. 3600 IN RRSIG NSEC3 8 2 3600 20221120222309 20221030212309 47916 sh. mXNVj5/CToswlpEGq07XOleJ44Gt2FgQ2qRSF9lL5EP8VQBZbEuKaWkE 6fV1ePXPP7algN49BbUv10/v13ODX2kihcdEqBqP3qNkAHAVTgrF7B4X N4/c55IvRpWuJTywKLDJ3ETQocPsvqW/ZhDxziLw2iSIZ9IlnMrCAMZt ZbQ=
n56jk7cb7o0k66krbdaiqs8595l3cc3t.sh. 3600 IN NSEC3 1 1 10 332539EE7F95C32A N8AD6L0KDBU315BUF71G0S81KV5J74LK NS DS RRSIG
n56jk7cb7o0k66krbdaiqs8595l3cc3t.sh. 3600 IN RRSIG NSEC3 8 2 3600 20221115155801 20221025145801 47916 sh. OAAWvClbPTIbv7RKAxPp1AlLypcY7uW4pFDB/fGO9AjmrRfErQBePcff q0olbxobWxOAHWShL4uNOZFRetTNNBxxLqnGkptu2oux86ZGPBCdpYyF h10c670YUGRM5LIOgZv9aScpi0taS+g1/Mvpc9x4drJ32t9abrNtItQa UQQ=
couldn't get address for 'ns2.local-ip.sh': failure
couldn't get address for 'ns1.local-ip.sh': failure
dig: couldn't get address for 'ns2.local-ip.sh': no more
Not sure what’s happening exactly, but I have a feeling this has something to do with my certs problem.
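Added example (not part of the original post or of the local-ip.sh project): a small Node.js parser for `dig +trace` output like the one above. For each delegation it reports which nameservers sit inside the zone they serve and which ones dig could not resolve. A resolver can reach such in-zone names only through address (glue) records at the parent, and the zone's own server must then answer for them. `analyzeTrace` and the `TRACE` sample (abridged from the post) are constructed for illustration.

```javascript
// Constructed sample: abridged from the dig +trace output in the post
// (root NS set, RRSIG and NSEC3 lines omitted).
const TRACE = `
sh.           172800 IN NS a0.nic.sh.
sh.           172800 IN NS b0.nic.sh.
;; Received 623 bytes from 192.58.128.30#53(j.root-servers.net) in 4 ms
local-ip.sh.  3600   IN NS ns2.local-ip.sh.
local-ip.sh.  3600   IN NS ns1.local-ip.sh.
couldn't get address for 'ns2.local-ip.sh': failure
couldn't get address for 'ns1.local-ip.sh': failure
`;

// Lower-case a DNS name and drop the trailing root dot.
const norm = (name) => name.toLowerCase().replace(/\.$/, "");

// Hypothetical helper: group NS records by zone and record which
// nameserver names dig reported it could not resolve.
function analyzeTrace(text) {
  const delegations = new Map(); // zone -> Set of nameserver names
  const failed = new Set();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const ns = line.match(/^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$/);
    const err = line.match(/couldn't get address for '([^']+)'/);
    if (ns) {
      const zone = norm(ns[1]);
      if (!delegations.has(zone)) delegations.set(zone, new Set());
      delegations.get(zone).add(norm(ns[2]));
    } else if (err) {
      failed.add(norm(err[1]));
    }
  }
  const report = [];
  for (const [zone, hosts] of delegations) {
    if (zone === "") continue; // skip the root zone's own NS set
    const nameservers = [...hosts].sort();
    report.push({
      zone,
      nameservers,
      // Names at or below the zone they serve need glue at the parent.
      inZone: nameservers.filter((h) => h === zone || h.endsWith("." + zone)),
      unresolved: nameservers.filter((h) => failed.has(h)),
      // True when dig could not resolve any nameserver of the zone.
      allUnresolved: nameservers.every((h) => failed.has(h)),
    });
  }
  return report;
}

console.log(JSON.stringify(analyzeTrace(TRACE), null, 2));
```

A zone reported with `allUnresolved: true` and every nameserver listed under `inZone` is the case to check first at the registrar (glue records) and on the authoritative server itself (A/AAAA answers for the nameserver names).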