_acme_challenge not updating

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: reshft.com

I ran this command: Using Plesk

It produced this output:

My web server is (include version): Apache/2.2.15 (Unix)

The operating system my web server runs on is (include version): CentOS 6.10

My hosting provider, if applicable, is: MediaTemple

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes - Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I am unable to reissue a certificate for my domain, due to DNS records not being updated. In PLESK, I attempted to renew a certificate for this domain, it asked me to add the _acme_challenge TXT record “ZycrPQFFFKlHe415y0UzBFAAQjvi3Xqs9HJ6mEEHaMA”. I did that, lowered my DNS TTL and waited for a while.

I verified the DNS had propagated with this tool; every server saw the new string:
https://www.whatsmydns.net/#TXT/_acme-challenge.reshft.com

I SSH’ed into my server as root and ran this command, which confirmed the new string:
dig -t txt _acme-challenge.reshft.com +short

But when I click “Reload”, I get this response:

“Detail: During secondary validation: Incorrect TXT record “Pv1ftqoljAI3mrHgKxrtMuEC9gW-MchJ9TANVogLc00” found at _acme-challenge.reshft.com”

How is it that every other DNS server is seeing the new data, but LetsEncrypt is not? When I click reload and it fails, I cannot try reloading again, I have to update the entry and start all over again. This used to take a few minutes to propagate and this last time I tried I waited several hours.

Please advise. How can I check to see if LE sees the new TXT entry without failing the process and having to start over again. Do I have to wait 3 days in order to be sure?

thanks

Hi @nathanmal

Does that tool check every name server or only one?

You have two name servers, both with errors - https://check-your-website.server-daten.de/?q=reshft.com

X Fatal error: Nameserver doesn't support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns1.mediatemple.net
X Fatal error: Nameserver doesn't support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns2.mediatemple.net
X Nameserver Timeout checking EDNS512: ns1.mediatemple.net

Checked both of your name server IP addresses; now the TXT entry is correct.

Your error:

The primary Letsencrypt servers see the correct TXT entry. One of the secondary ones does not.

Your name servers:

•  ns1.mediatemple.net
   64.207.128.246
   Culver City/California/United States (US) - Media Temple, Inc.

•  ns2.mediatemple.net / pdns01.iad01.mtsvc.net
   70.32.65.137
   Washington/District of Columbia/United States (US) - GoDaddy.com, LLC

One Media Temple, one Godaddy.

Use

dig TXT _acme-challenge.reshft.com. @64.207.128.246
dig TXT _acme-challenge.reshft.com. @70.32.65.137

to check both raw ip addresses.
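The check above, automated, as an added example (not code from this thread, from Plesk or from Let's Encrypt): it queries each authoritative name server's raw IP for the TXT record, parses dig's +short output, and reports any server that still serves a stale token. The record name, server IPs and token are the ones quoted in this thread; the dig flags used are standard.

```python
"""Query each authoritative name server directly for the _acme-challenge
TXT record and flag any server still serving a stale value. Querying the
raw IPs (as dig @IP does) bypasses recursive-resolver caches entirely."""
import re
import subprocess
from typing import Dict, Set

# Values taken from the thread; replace with your own zone and token.
CHALLENGE_NAME = "_acme-challenge.reshft.com."
AUTHORITATIVE_IPS = ["64.207.128.246", "70.32.65.137"]
EXPECTED_TOKEN = "OhmdVseFcrHw3ntmBTXzwQ8ghpiEFjmjpq7XHzjkIE"

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_dig_short(output: str) -> Set[str]:
    """Turn `dig +short TXT` output into the set of TXT values.
    A record longer than 255 bytes is printed as several quoted
    fragments on one line; they are joined back into one value.
    Diagnostic lines (starting with ';') and unquoted lines are ignored."""
    values = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fragments = _QUOTED.findall(line)
        if fragments:
            values.add("".join(fragments))
    return values

def query_txt(name: str, server_ip: str) -> Set[str]:
    """Ask one authoritative server (by IP) for the TXT records at name."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "TXT", name, f"@{server_ip}"],
        capture_output=True, text=True, check=False)
    return parse_dig_short(proc.stdout)

def find_stale_servers(expected: str, answers: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {server: values_seen} for every server whose answer lacks the
    expected token. A server returning the new token alongside an old one
    is not flagged: the validator only needs one matching TXT record."""
    return {srv: vals for srv, vals in answers.items() if expected not in vals}

if __name__ == "__main__":
    seen = {ip: query_txt(CHALLENGE_NAME, ip) for ip in AUTHORITATIVE_IPS}
    stale = find_stale_servers(EXPECTED_TOKEN, seen)
    for ip, vals in seen.items():
        status = "STALE" if ip in stale else "ok"
        print(f"{ip}: {status} {sorted(vals)}")
```

If every authoritative server reports "ok" but validation still fails, the problem is not a recursive cache on your side but what the authoritative servers themselves hand to the validator.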

Okay thanks for the info, I updated the TXT record again and waited to propagate

I checked the DNS propagation tool, then did what you suggested

dig TXT _acme-challenge.reshft.com. @70.32.65.137 +short
“OhmdVseFcrHw3ntmBTXzwQ8ghpiEFjmjpq7XHzjkIE”

dig TXT _acme-challenge.reshft.com. @64.207.128.246 +short
“OhmdVseFcrHw3ntmBTXzwQ8ghpiEFjmjpq7XHzjkIE”

Both nameservers report the new string

but again, when I go to reload the certificate validation in Plesk, still getting the same message

Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/4976680406.

Details:

Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: Incorrect TXT record “Pv1ftqoljAI3mrHgKxrtMuEC9gW-MchJ9TANVogLc00” found at _acme-challenge.reshft.com

I’ve changed the record a few times now, and still it sees the old one.

What do the EDNS errors mean? Could that be blocking validation?

thanks again

I see it. And I don't understand it.

There is no blocking; Letsencrypt reports a wrong value.

And you don't have a CNAME or a wildcard definition.

Only idea: these Mediatemple name servers have a curious caching.

Juergen, thanks for all your help. Mediatemple did a system migration on my server and enabled the LE cert. They didn’t specify what the issue was which is a bit annoying as I was hoping this thread could help others in my situation, but at least it’s working now.

thanks again!

n

