23:20 <drkokandy> Is anyone around able to help me diagnose sandcats.io SSL issues? My certificate has expired & renewing has been failing. I created a gist with an excerpt of the log, but can provide additional details if needed. It seems the DNS challenge is failing. https://gist.github.com/drkokandy/e18916d9735e8be9616661fd40726f3b

23:20 <abliss> Hi! Yes we can take a look

23:20 <JacobWeisz[m]> Also yes :)

23:20 <kentonv> hello

23:21 <abliss> `routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_EXPIRED`

23:21 <kentonv> Error: queryTxt ENODATA _acme-challenge.trdaisuke.sandcats.io

23:23 <kentonv> drkokandy, what does this server use for outgoing DNS?

23:23 <kentonv> it looks like it requested that sandcats.io set the TXT record on _acme-challenge.trdaisuke.sandcats.io, but then when it tried to read back the DNS record, it couldn't find it

23:23 <drkokandy> should be the cloudflare DNS for outgoing

23:24 <drkokandy> oh hmmm but i have a local DNS resolver in pfsense to make sure it works internally due to DNS pinching or whatever the term is

23:24 <drkokandy> that is probably the issue

23:25 <kentonv> cool yeah... could be that the resolver doesn't like TXT records, or that it doesn't like underscores, or something.

23:30 <kentonv> in other news it looks like there are ~57 sandcats.io servers that don't have auto-updates enabled so are still requesting globalsign certs, ugh. I guess they're going to break after the next update.

23:30 <kentonv> errr

23:30 <drkokandy> I removed the rules for it and sure enough: Certificate was successfully renewed!

23:30 <kentonv> not break from the update, obviously, since the whole point is they aren't getting updates, but break when I shut down globalsign

23:31 <kentonv> drkokandy, sweet!

23:32 <drkokandy> thank you for your help!

23:32 <kentonv> np