TL;DR; I suspect a custom IDN domain might be at fault - сяурт.com. Are IDN domains supported?
- Let’s Encrypt cert setup fails: “Something went wrong while obtaining the Let’s Encrypt certificate for сяурт.com. To retry visit your domain details.”
- I have tried to redo the process. Domain is valid, public, HTTP/S works with gitlab cert, just the Let’s Encrypt cert fails.
- It is GitLab.com Enterprise Edition 14.4.0-pre f1930dccb0f
- These did not help:
Hi,
can you share the DNS settings in a screenshot? (redact the verification challenge value)
When I try querying the domain, I get a SERVFAIL error which could mean that the DNS entries are wrong, or the zone is not served correctly by the nameservers.
$ dig xn--p1abec3d.com ns
xn--p1abec3d.com. 10800 IN NS ns-238-b.gandi.net.
xn--p1abec3d.com. 10800 IN NS ns-252-a.gandi.net.
xn--p1abec3d.com. 10800 IN NS ns-91-c.gandi.net.
returns the nameservers but querying for an A record fails.
Cheers,
Michael
Hi Michael,
Aha, my dig is quite different:
$ dig xn--p1abec3d.com
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> xn--p1abec3d.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61923
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;сяурт.com. IN A
;; ANSWER SECTION:
сяурт.com. 300 IN A 35.185.44.232
;; AUTHORITY SECTION:
сяурт.com. 172800 IN NS ns-91-c.gandi.net.
сяурт.com. 172800 IN NS ns-238-b.gandi.net.
сяурт.com. 172800 IN NS ns-252-a.gandi.net.
;; ADDITIONAL SECTION:
ns-91-c.gandi.net. 600 IN A 217.70.187.92
ns-91-c.gandi.net. 600 IN AAAA 2604:3400:aaac::5c
ns-238-b.gandi.net. 80748 IN A 213.167.230.239
ns-238-b.gandi.net. 16949 IN AAAA 2001:4b98:aaab::ef
ns-252-a.gandi.net. 42846 IN A 173.246.100.253
ns-252-a.gandi.net. 42846 IN AAAA 2001:4b98:aaaa::fd
;; Query time: 119 msec
;; SERVER: 10.77.0.1#53(10.77.0.1)
;; WHEN: Sat Oct 09 08:39:11 CEST 2021
;; MSG SIZE rcvd: 270
My DNS zone:
@ 86400 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1633633740 10800 3600 604800 10800
@ 10800 IN ALIAS BrightOpen.gitlab.io.
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 a mx -all"
_2eef56abcc223ea4199c7e195e0ca70a 10800 IN CNAME 912d1d10874b76ad98a9cd757cd159c6.5937f297409b1d42eabe87c2dab5d696.0bf31d0d702fcac8c8e0.comodoca.com.
_gitlab-pages-verification-code 10800 IN TXT "gitlab-pages-verification-code=6b7c0c7eadbc6d2776a974e9d7b665d5"
_imap._tcp 10800 IN SRV 0 0 0 .
_imaps._tcp 10800 IN SRV 0 1 993 mail.gandi.net.
_pop3._tcp 10800 IN SRV 0 0 0 .
_pop3s._tcp 10800 IN SRV 10 1 995 mail.gandi.net.
_submission._tcp 10800 IN SRV 0 1 465 mail.gandi.net.
gm1._domainkey 10800 IN CNAME gm1.gandimail.net.
gm2._domainkey 10800 IN CNAME gm2.gandimail.net.
gm3._domainkey 10800 IN CNAME gm3.gandimail.net.
webmail 10800 IN CNAME webmail.gandi.net.
The ALIAS is handled by the name servers to produce an A record tracking the GitLab pages IP.
Not sure why my detailed answer is still on hold… @dnsmichi the DNS details are held as SPAM.
I’ve noticed while on a train that their name servers did not serve the records there. Could it be that your NS does not support IDN?
dig xn--p1abec3d.com @8.8.8.8
doesn’t show. My home router doesn’t show either.
My office NS does show the detail and so does Network Tools: DNS,IP,Email so it could be an incompatibility or I’m getting suspicious of some form of blacklisting/censoring. It is weird.
Hi,
Discourse uses Akismet to determine potential spam. Maybe your source IP address is known for abusive behaviour (tor or VPN exit nodes, public facing servers, etc.). That’s something which gets into the moderation queue, which I have now approved for this post.
I’m not sure about the implementation state of IDN. For German umlauts, I remember this being added to .at domains in 2011 though being a challenge. Yet it seems that each ccTLD and gTLD implements that differently, and recursive resolvers do weird things as well.
I don’t know which resolver is used on GitLab.com SaaS and Pages, as I am not on the infrastructure team. Since it runs in Google Cloud, something similar to the Google public resolver I guess.
It might be worthwhile to ask Gandi support if they know about IDN problems with public resolvers. Or, how to troubleshoot them.
Cheers,
Michael
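Added example, not part of any post in this thread: a small Python check that converts the IDN to the ASCII form sent on the wire and compares saved `dig` output from several resolvers, to show when some return an A record and others return SERVFAIL. The resolver names and the trimmed sample outputs are constructed from the responses quoted above; in practice you would paste in the output of `dig <a-label> @<resolver>` for each resolver.

```python
import re

# U-label written with escapes so the Cyrillic code points are unambiguous.
U_LABEL = "\u0441\u044f\u0443\u0440\u0442.com"

def to_alabel(name: str) -> str:
    """Convert an IDN to the ASCII (punycode) form that goes on the wire."""
    return name.encode("idna").decode("ascii")

def parse_dig(text: str) -> dict:
    """Pull the response code and A records out of dig's default output."""
    status = re.search(r"status: ([A-Z]+)", text)
    section, addrs = None, []
    for line in text.splitlines():
        m = re.match(r";; ([A-Z]+) SECTION:", line)
        if m:
            section = m.group(1)
        elif section == "ANSWER" and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5 and fields[3] == "A":
                addrs.append(fields[4])
    return {"status": status.group(1) if status else "NO_RESPONSE", "a": addrs}

def compare(outputs: dict) -> dict:
    """Group resolvers by whether they returned a usable A record."""
    parsed = {r: parse_dig(t) for r, t in outputs.items()}
    ok = sorted(r for r, p in parsed.items() if p["status"] == "NOERROR" and p["a"])
    bad = sorted(r for r in parsed if r not in ok)
    return {"ok": ok, "failing": bad, "consistent": not (ok and bad), "parsed": parsed}

# Constructed sample outputs (trimmed); resolver names are placeholders.
SAMPLES = {
    "office-resolver": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61923
;; QUESTION SECTION:
;xn--p1abec3d.com. IN A
;; ANSWER SECTION:
xn--p1abec3d.com. 300 IN A 35.185.44.232
;; AUTHORITY SECTION:
xn--p1abec3d.com. 172800 IN NS ns-91-c.gandi.net.
""",
    "public-resolver": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; QUESTION SECTION:
;xn--p1abec3d.com. IN A
""",
}

if __name__ == "__main__":
    print(to_alabel(U_LABEL))
    print(compare(SAMPLES))
```

A result with `consistent` set to False means the certificate authority's resolver may see a different answer than your own, so check from more than one network before retrying the certificate request.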