The joys of being a #sysadmin and #selfhosting continue.

The other day, I got a pleasant email from the folks at #letsencrypt informing me that two of my domains, both hosted on a server in the basement, would be expiring because I hadn't renewed them. Mighty kind of them to remind me, but since the script that renews them had been working flawlessly for years, I still had a frown on my face as I knew troubleshooting this would not be fun.

I was not wrong.

After much poking around, I discovered that what was failing was the DNS update that I was using to prove that the machine requesting the certificate signature was authorized to do so. That's odd, because I hadn't touched anything in there that I could recall. More poking about using nsupdate to try to manually update DNS from that machine with the proper key resulted in a cryptic error back: NOTIMP. Subsequent investigations revealed that this meant that DNS updates were NOT IMPlemented by my server. Hmm.

After confirming that they seemed to be enabled in the server configuration, I poked around some more only to discover that DNS updates were working, just not from the machine in the basement. Or my desktop machine at home. Yet they worked just fine from a remote machine.

That's really strange.

Somewhere in there, I enabled my mesh router's (Eero) "security" features, and apparently it's blocking the DNS updates from going out. It's also possible that my ISP (Comcast) is blocking DNS updates as some kind of perverted way to block DNS attacks, similar to how they don't allow outbound TCP on port 25 (SMTP). I have no way to know which is the guilty party.

But I'm still stuck without a way to update my certs. So after about half an hour of mucking about, I was able to tweak my server's configuration to use webroot authentication, tidied things up a bit, and got the renewals to work automatically again.

Self-hosting is a never-ending series of joys just like this.
