ACMESharp/Route53: Consistently getting "invalid" status when scripting DNS-01 cert request

kevops · August 10, 2017, 4:27pm

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

$acmeIdentifier = “example.example.com”
$certName = $acmeIdentifier -replace ‘[.]’,’’
$theDate = $(get-date -UFormat “%Y%m%d%H%M%S”)
$alias = “aws1-” + “$theDate”
$pfxFileName = “le-” + “$certName” + “.pfx”
$pfxFilePath = Join-Path E:\LetsEncryptVault $pfxFileName
$pwd = “mimikatz”

Import-Module ACMESHarp
Import-Module AWSPowershell

Start by initializing a Vault to store your Certificates and related artifacts. Default vault - C:\ProgramData\ACMESharp\sysVault Note, if you run as Administrator, your Vault will be created in a system-wide path, otherwise it will be created in a private, user-specific location.

*** run these command before running this script ***

Initialze-ACMEVault

New-ACMERegistration -Contacts mailto:itt@example.com -AcceptTos

Submit a DNS domain name that you want to secure with a PKI certificate

New-ACMEIdentifier -Dns $acmeIdentifier -Alias $alias

sleep - had problems just running flat

start-sleep 10

Automate DNS challenge via awsRoute53 handler

Complete-ACMEChallenge $alias -ChallengeType dns-01 -Handler awsRoute53 -HandlerParameters @{ ‘HostedZoneId’ = ‘’; ‘Region’ = ‘us-east-1’ }

sleep - had problems just running flat

start-sleep 10

#Submit the challenge response
Submit-ACMEChallenge $alias -ChallengeType dns-01

sleep - had problems just running flat

start-sleep 10

#Need a check here for .status = pending before moving on to cert request.

Check the status of the challenge every 6 seconds until we have an answer; fail after a minute

$i = 0
do {
$challenge = (Update-ACMEIdentifier $Alias -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq “dns-01”}
if($challenge.Status -eq “invalid”) {
write-host "Challenge Response is Invalid"
exit
}
if($challenge.Status -eq “pending”) {
Start-Sleep 60
$i++
}
} until($challenge.Status -eq “valid” -or $i -gt 10)

Create the certificate request the certificate.

New-ACMECertificate $alias -Generate -Alias $certName

Submit the certificate request

Submit-ACMECertificate $certName

Check the status of the certificate every 6 seconds until we have an answer; fail after a minute

$i = 0
do {
$certInfo = Update-AcmeCertificate $certName
if($certinfo.SerialNumber -ne “”) {
Start-Sleep 60
$i++
}
} until($certInfo.SerialNumber -ne “” -or $i -gt 10)

Export the certificate and related assets in PKCS#12 archive

Get-ACMECertificate $certName -ExportPkcs12 $pfxFilePath -CertificatePassword $pwd

It produced this output:

ChallengePart : ACMESharp.Messages.ChallengePart
Challenge : ACMESharp.ACME.DnsChallenge
Type : dns-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/DwRxfVEea_XlXggdLkeXCRwAbi1jqsi7mXd9DkTIVHA/1723491436
Token : oDH8Z_lXJKD8asjWZXII3iglW0yy8HDJLimaT4OLbzE
Status : invalid
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName : awsRoute53
HandlerHandleDate : 8/10/2017 3:37:16 PM
HandlerCleanUpDate :
SubmitDate : 8/10/2017 3:37:38 PM
SubmitResponse : {StatusCode, Headers, Links, RawContent…}

My web server is (include version):

IIS, using AWS DNS validation via ACMESharp ps module

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

mnordhoff · August 11, 2017, 2:26am

Your client ought to give more information… Does it have a log file or something?

In any case, the challenge URL shows:

    "detail": "Correct value not found for DNS challenge",

Do you have any idea why that might be? Are you sure it’s updating the right hosted zone, and setting the right record name and value, for example? What do your DNS records look like now? What do they look like while it’s running?

Note that you can delete the DNS record after Let’s Encrypt has checked it.

Does that wait for Route 53 to say the change is INSYNC, or is it just waiting 10-20 seconds and hoping? In my experience it takes longer for Route 53 to synchronize than that.

kevops · September 6, 2017, 1:51pm

The solution has been to insert a start sleep of > 65 seconds before submitting the challenge. AWS Route53 takes 60 seconds to sync.

mnordhoff · September 6, 2017, 4:41pm

Route 53 has a GetChange API call you can use to poll until the changes are in sync. If you (or the ACMESharp developers) can modify it, it’s possible to make it completely reliable, though probably not much faster.

system · October 6, 2017, 4:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.