Authorization result: invalid / DNS Cloudflare

Hi,

I have set up a scheduled task to renew the Let's Encrypt certificate for wocobook.com. The domain's DNS is hosted with Cloudflare, so I am using the Cloudflare API plugin for win-acme.

As can be seen below, it looks like there is a timeout with the 1.1.1.1 name server; the same happens if I switch to 8.8.8.8. Our firewall does not block any requests to either name server, and I can easily connect to both using a simple telnet command like telnet 1.1.1.1 53.

So the renewal fails with the output below, and I am not sure where to start; any input is welcome.


Renewal for [IIS] wocobook.com, (any host) failed, will retry on next run.

Error(s):

  • Validation failed
  • No certificate generated
Hosts
cdn.wocobook.com, wocobook.com, www.wocobook.com
Plugins
Target: IIS
Validation: Cloudflare
Order: Single
Csr: RSA
Store: CertificateStore
Installation: IIS

Log output:

  • Information - Plugin "IIS" generated source "wocobook.com" with 3 identifiers
  • Information - Plugin "Single" created 1 order
  • Information - Renewing "[IIS] wocobook.com, (any host)"
  • Warning - Cached order has status "invalid", discarding
  • Information - ["cdn.wocobook.com"] Cached authorization result: "valid"
  • Information - ["wocobook.com"] Cached authorization result: "valid"
  • Information - ["www.wocobook.com"] Authorizing...
  • Information - ["www.wocobook.com"] Authorizing using "dns-01" validation ("Cloudflare")
  • Warning - Unable to find or contact authoritative name servers for "_acme-challenge.www.wocobook.com": "Query 41098 => wocobook.com IN NS on 1.1.1.1:53 timed out or is a transient error."
  • Error - ["www.wocobook.com"] Authorization result: "invalid"
  • Error - ["www.wocobook.com"] "{"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.www.wocobook.com","status":403,"instance":null}"
  • Information - ["www.wocobook.com"] Deactivating pending authorization
  • Error - Renewal for "[IIS] wocobook.com, (any host)" failed, will retry on next run
  • Error - Validation failed
  • Error - No certificate generated

Sent by win-acme version 2.2.4.1500 from SERVER_NAME

IIS 10.0.20348.1 / Windows Server 2022 - dedicated server.

Using win-acme

A simple Windows ACMEv2 client (WACS)
Software version 2.2.4.1500 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!

Hi @shapeh, and welcome to the LE community forum!

Telnet uses TCP.
Basic DNS requests use UDP.
Recheck the firewall and ensure it allows both TCP and UDP on port 53.

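The UDP-versus-TCP point above is easy to confirm from the server itself. The following PowerShell script is an added example (not from the thread and not part of the win-acme project) that repeats by hand the lookups win-acme performs before answering a dns-01 challenge: the "wocobook.com IN NS" query at 1.1.1.1 and 8.8.8.8 that timed out in the log, and the TXT query for _acme-challenge.www.wocobook.com at the zone's authoritative servers. Every query is run once over UDP and once over TCP, so a firewall that lets telnet through but drops UDP/53 stands out as "UDP fails, TCP ok". The names and resolver addresses are the ones from the thread; the script assumes the DnsClient module that ships with Windows Server 2012 R2 and later, and the function name Test-DnsLookup is the author's own.

```powershell
# Added example, not from the thread or from win-acme. Reproduces by hand the two
# lookups an ACME client makes before answering a dns-01 challenge: the NS query
# for the zone at a public resolver (the one that timed out in the log) and the
# TXT query at _acme-challenge.<name> against the zone's authoritative servers.
# Each lookup is run over UDP and over TCP, so a firewall that passes TCP/53 but
# drops UDP/53 shows up as "UDP: fail, TCP: ok".
# Assumptions: Windows with the DnsClient module (Server 2012 R2 / PowerShell 4+);
# zone, host and resolver addresses are the ones from the thread.
param(
    [string]   $Zone      = 'wocobook.com',
    [string]   $HostName  = 'www.wocobook.com',
    [string[]] $Resolvers = @('1.1.1.1', '8.8.8.8')
)

function Test-DnsLookup {
    # One query on one transport. Returns a row instead of throwing, so a
    # timeout on one path does not abort the remaining checks.
    param([string]$Name, [string]$Type, [string]$Server, [switch]$Tcp)
    $opts = @{
        Name        = $Name
        Type        = $Type
        Server      = $Server
        DnsOnly     = $true      # no LLMNR / NetBIOS fallback
        NoHostsFile = $true
        ErrorAction = 'Stop'
    }
    if ($Tcp) { $opts.TcpOnly = $true }   # force TCP; default is UDP first
    $row = [ordered]@{
        Server    = $Server
        Transport = $(if ($Tcp) { 'TCP' } else { 'UDP' })
        Query     = "$Name $Type"
        Ok        = $false
        Result    = ''
    }
    try {
        $answers = Resolve-DnsName @opts | Where-Object { $_.Type -eq $Type }
        $row.Ok = $true
        $row.Result = ($answers | ForEach-Object {
            if ($Type -eq 'NS') { $_.NameHost } else { $_.Strings -join ' ' }
        }) -join ', '
    } catch {
        # e.g. a timeout, or "DNS name does not exist" when the TXT is not there
        $row.Result = $_.Exception.Message
    }
    [pscustomobject]$row
}

# 1. Is TCP/53 reachable? This is all that telnet (or Test-NetConnection) proves.
foreach ($r in $Resolvers) {
    $tcpOpen = Test-NetConnection -ComputerName $r -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0}: TCP/53 reachable = {1}' -f $r, $tcpOpen
}

# 2. The lookup from the log: "<zone> IN NS" at each public resolver, UDP then TCP.
$nsRows = foreach ($r in $Resolvers) {
    Test-DnsLookup -Name $Zone -Type NS -Server $r
    Test-DnsLookup -Name $Zone -Type NS -Server $r -Tcp
}
$nsRows | Format-Table -AutoSize

# 3. The record Let's Encrypt will look for, asked directly of the authoritative
#    servers returned by whichever transport worked. Without an NS answer the
#    client cannot verify its own TXT record before telling LE to check it.
$authNs = ($nsRows | Where-Object Ok | Select-Object -First 1).Result -split ',\s*' | Where-Object { $_ }
if (-not $authNs) {
    Write-Warning "No NS answer for $Zone on any resolver over UDP or TCP; fix the firewall before retrying."
    return
}
$txtName = "_acme-challenge.$HostName"
$txtRows = foreach ($ns in $authNs) {
    Test-DnsLookup -Name $txtName -Type TXT -Server $ns
    Test-DnsLookup -Name $txtName -Type TXT -Server $ns -Tcp
}
$txtRows | Format-Table -AutoSize
```

Two caveats when reading the output. Resolve-DnsName goes through the Windows DNS client, whereas win-acme carries its own resolver, so this script proves only that the packets can leave the box; a Windows Firewall outbound rule that is scoped to a program must name the executable that actually sends the query, which for the scheduled task is wacs.exe running under the task's account, not the interactive PowerShell session. And an NXDOMAIN on the TXT query is expected whenever no challenge is pending; run step 3 while the client is waiting for validation to see the record it just created.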

Hi @rg305

I have added a specific outgoing rule now to allow UDP traffic. It seems to be able to communicate somewhat with the NS (see below).

Running the renewal command, I got this:

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
Renewing [IIS] wocobook.com, (any host)
Cached order has status invalid, discarding
Failed to create order: Error creating new order
Renewal for [IIS] wocobook.com, (any host) failed, will retry on next run
Unable to create order
No certificate generated

So instead I revoked the cert and cancelled it. Then I tried to recreate it and got the below:

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
[cdn.wocobook.com] Cached authorization result: valid
[wocobook.com] Cached authorization result: valid
[www.wocobook.com] Authorizing...
[www.wocobook.com] Authorizing using dns-01 validation (Cloudflare)
Unable to find or contact authoritative name servers for _acme-challenge.www.wocobook.com: Query 57051 => wocobook.com IN NS on 8.8.8.8:53 timed out or is a transient error.
[www.wocobook.com] Error submitting challenge answer
(AcmeProtocolException): Problem getting authorization
[www.wocobook.com] Deactivating pending authorization

Create certificate failed, retry? (y/n*) - yes

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
Failed to create order: Error creating new order

Create certificate failed, retry? (y/n*) - yes

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
Failed to create order: Error creating new order

Create certificate failed, retry? (y/n*) - yes

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[cdn.wocobook.com] Cached authorization result: valid
[wocobook.com] Cached authorization result: valid
[www.wocobook.com] Authorizing...
[www.wocobook.com] Authorizing using dns-01 validation (Cloudflare)
Unable to find or contact authoritative name servers for _acme-challenge.www.wocobook.com: Query 56955 => wocobook.com IN NS on 8.8.8.8:53 timed out or is a transient error.
[www.wocobook.com] Authorization result: invalid
[www.wocobook.com] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.www.wocobook.com","status":403,"instance":null}
[www.wocobook.com] Deactivating pending authorization

It seems to connect faster to the 8.8.8.8 NS since I added a specific firewall rule for UDP traffic, but the certificate problems remain.
Any ideas?

This was a step in the wrong direction:


Okay... I figured I should be able to start from scratch, but I guess not?

You can, but that isn't always the best path.
You could get stuck in the loop:

  • if not working then start over

It worked after some time. Cert recreated.
Thanks for the input!


Too early: now I have the same problem with another domain, getpassword.net.

I am just wondering what I am doing wrong and why this happens. Is there anything I can do to remedy the problem going forward?

Plugin IIS generated source getpassword.net with 2 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[getpassword.net] Authorizing...
[getpassword.net] Authorizing using dns-01 validation (Cloudflare)
Unable to find or contact authoritative name servers for _acme-challenge.getpassword.net: Query 45831 => getpassword.net IN NS on 1.1.1.1:53 timed out or is a transient error.
[getpassword.net] Authorization result: invalid
[getpassword.net] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.getpassword.net","status":403,"instance":null}
[getpassword.net] Deactivating pending authorization
[www.getpassword.net] Deactivating pending authorization