Authorization invalid (Posh-ACME)

The same script that was working till this morning is throwing Authorization Errors to me now as follows:

    Authorization invalid for realdomainchangedforprivacyreasons.com: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.realdomainchangedforprivacyreasons.com
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\3.6.0\Private\Wait-AuthValidation.ps1:34 char:17
    + ... throw "Authorization invalid for $($auth.fqdn): $message" ...
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (Authorization r...forprivacyreasons.com:String), RuntimeException
        + FullyQualifiedErrorId : Authorization invalid for realdomainchangedforprivacyreasons.com: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.realdomainchangedforprivacyreasons.com

Some background:

  • I use Posh-ACME PowerShell (Install-Module Posh-ACME -Force).

  • I use this command:
    New-PACertificate -Domain realdomainchangedforprivacyreasons.com -DnsPlugin Azure -PluginArgs $paPluginArgs -AcceptTOS -Verbos
    The $paPluginArgs is created using azContext and all. I can post the relevant command that builds $paPluginArgs, but I know it is irrelevant as I do see challenge TXT records created and deleted in my Azure DNS, which means the Azure token is good.

  • At some point, I don't know when, I was switched to LE_PROD servers and after a few runs it told me there were too many certs issued for that domain. I switched to LE_STAGE and I don't see that error, but I see the Authorization error above.

  • Even for different hosts at that DNS suffix I still get this Authorization error.

What should I do? Will the PROD throttling also affect STAGE servers? If not, what am I doing wrong?

It will not. Rate limits for staging and production are completely different.

You should get only one certificate (for each server) and use that, instead of getting multiple certificates and not using them.
If you wish to test the certificate (and how you issue those certificates), you should be using the staging environment, which you now seem to have trouble with.

Please see the link below to understand the rate limits:

Also, if you expect us to resolve the issue, you should consider sharing your domain name with us.
General advice: maybe set the validation wait time longer? (e.g. set the time between validation and requesting the certificate to longer than 5 minutes to flush the DNS cache)

Thank you

If you haven’t read it already, the Troubleshooting DNS Challenge Validation page on the project’s wiki might be helpful.

It’s possible something is (temporarily?) slowing down the DNS propagation in Azure and the DnsSleep time you’re using is no longer enough. You could try bumping it up a minute or two and see if that changes the outcome.

As @stevenzhu mentioned, posting the actual domain names would also make it easier for people to help you.

It turned out that some idiot had deleted the subdomain delegation for the zone we own off of corporate DNS. Once the NS records were restored at corporate DNS, everything started working again.

Thanks everyone for their insight.
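The root cause above (a deleted NS delegation) and the troubleshooting advice earlier in the thread can be checked in one place before blaming DnsSleep. The following PowerShell diagnostic is an added example, not part of this thread or of Posh-ACME; it assumes Windows PowerShell with the DnsClient module (Resolve-DnsName), uses the placeholder zone example.com and a public recursive resolver, and optionally compares the live delegation with the name servers you expect (e.g. the ones shown on your Azure DNS zone).

```powershell
# Added example (not from the thread): is the zone still delegated, and does the
# _acme-challenge TXT record actually answer from the zone's authoritative servers?
param(
    [string]$Zone = 'example.com',               # placeholder: replace with your zone
    [string]$Resolver = '8.8.8.8',               # any public recursive resolver
    [string[]]$ExpectedNameServers = @()         # optional: NS names from your Azure DNS zone
)

function Get-ZoneDelegation {
    param([string]$Zone, [string]$Resolver)
    # -DnsOnly bypasses the local cache and hosts file; an NXDOMAIN or empty
    # answer here is what Let's Encrypt sees no matter how long DnsSleep is.
    Resolve-DnsName -Name $Zone -Type NS -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'NS' |
        Select-Object -ExpandProperty NameHost
}

function Test-AcmeChallengeTxt {
    param([string]$Zone, [string[]]$NameServers)
    $name = "_acme-challenge.$Zone"
    foreach ($ns in $NameServers) {
        # Ask each authoritative server directly so a stale recursive cache cannot hide the record
        try {
            $txt = Resolve-DnsName -Name $name -Type TXT -Server $ns -DnsOnly -ErrorAction Stop |
                Where-Object Type -eq 'TXT'
            [pscustomobject]@{ NameServer = $ns; Found = [bool]$txt; Detail = ($txt.Strings -join ', ') }
        } catch {
            [pscustomobject]@{ NameServer = $ns; Found = $false; Detail = $_.Exception.Message }
        }
    }
}

$delegated = @(Get-ZoneDelegation -Zone $Zone -Resolver $Resolver)
if ($delegated.Count -eq 0) {
    Write-Warning "No NS records for $Zone via $Resolver. The delegation at the parent zone is missing, so the ACME server will get NXDOMAIN for every _acme-challenge lookup."
    return
}
"$Zone is delegated to: $($delegated -join ', ')"

if ($ExpectedNameServers.Count -gt 0) {
    # A delegation that points somewhere other than the servers your DNS plugin writes to
    # means the TXT record is being created in a zone the world never consults.
    $missing = $ExpectedNameServers | Where-Object { $delegated -notcontains $_.TrimEnd('.') }
    if ($missing) { Write-Warning "Delegation does not include expected server(s): $($missing -join ', ')" }
}

Test-AcmeChallengeTxt -Zone $Zone -NameServers $delegated | Format-Table -AutoSize
```

Run it while a challenge record exists (for example right after New-PACertificate fails, before the plugin cleans up); if the delegation check passes but the TXT is missing on some servers, a longer -DnsSleep is the right fix, whereas a missing delegation has to be repaired at the parent zone.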
