NullPointerException in DnsRecordObserver.findAuthoritativeNameservers

Question

NullPointerException in DnsRecordObserver.findAuthoritativeNameservers

Closed this issue 7 years ago · 4 comments

If the DNS root record hasn't propagated yet, the DnsRecordObserver will crash. This is a minor issue, as the logs suggest it retries (although as mentioned in #72, exponential backoff would reduce the load on the DNS servers).

lookup.run returns null when no records are found, so perhaps this case could be logged as "No records for {root} found - retrying".

Exception in thread "Thread-3" java.lang.NullPointerException
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:267)
	at in.tazj.k8s.letsencrypt.util.DnsRecordObserver.findAuthoritativeNameservers(DnsRecordObserver.kt:76)
	at in.tazj.k8s.letsencrypt.util.DnsRecordObserver.observeDns(DnsRecordObserver.kt:24)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.prepareDnsChallenge(CertificateRequestHandler.kt:179)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.authorizeDomain(CertificateRequestHandler.kt:77)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.access$authorizeDomain(CertificateRequestHandler.kt:27)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler$requestCertificate$1.accept(CertificateRequestHandler.kt:41)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler$requestCertificate$1.accept(CertificateRequestHandler.kt:27)
	[SNIP: java.util.*]
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.requestCertificate(CertificateRequestHandler.kt:41)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager.handleCertificateRequest(ServiceManager.kt:64)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager.access$handleCertificateRequest(ServiceManager.kt:20)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager$reconcileService$1.run(ServiceManager.kt:45)
	at java.lang.Thread.run(Thread.java:745)

Answer 1 · 2017-08-21T12:50:58.000Z

If the DNS root record hasn't propagated yet

Presumably this is in case of the initial domain registration, right?

Answer 2 · 2017-08-21T13:03:43.000Z

The root domain is registered (cloudrobotics.com) although the new subdomain (cschuet.cloudrobotics.com) doesn't work yet - does that answer your question?

I'm not sure what host is being resolved by findAuthoritativeNameservers. I'm also not sure if it's a problem that cschuet.cloudrobotics.com isn't resolving, but I'm hoping it's just because it hasn't propagated yet.

Answer 3 · 2017-08-21T13:25:21.000Z

I'm not sure what host is being resolved by findAuthoritativeNameservers

It's the equivalent of dig NS $domain, i.e. figuring out which nameservers are responsible for this domain. Checking that against Google's DNS currently doesn't return anything for your subdomain (try e.g. dig @8.8.8.8 NS cschuet.cloudrobotics.com.)

I'm assuming this will sort itself out once the subdomain is correctly delegated, but either way this should have a less "scary" looking message - thanks for reporting!

Answer 4 · 2018-03-23T16:11:44.000Z

It would be awesome to have this in a new release. I see that there are not a lot of commits after this patch (so not sure if it is worth a release from your pov).