Authorization result: invalid / DNS Cloudflare

Hi,

I have set up a scheduled task to renew the Let's Encrypt certificate for wocobook.com. The domain's DNS is hosted with Cloudflare, so I am using the Cloudflare API plugin for WinAcme.

As can be seen below, it looks like there is a timeout with the 1.1.1.1 NS; the same happens if I switch to the 8.8.8.8 NS. Our firewall does not block any requests to either name server, and I can easily connect to both using a simple telnet command like telnet 1.1.1.1 53.

So renewal fails with the output below, and I am not sure where to start; any input is welcome.


Renewal for [IIS] wocobook.com, (any host) failed, will retry on next run.

Error(s):

  • Validation failed
  • No certificate generated
Hosts
cdn.wocobook.com, wocobook.com, www.wocobook.com
Plugins
Target: IIS
Validation: Cloudflare
Order: Single
Csr: RSA
Store: CertificateStore
Installation: IIS

Log output:

  • Information - Plugin "IIS" generated source "wocobook.com" with 3 identifiers
  • Information - Plugin "Single" created 1 order
  • Information - Renewing "[IIS] wocobook.com, (any host)"
  • Warning - Cached order has status "invalid", discarding
  • Information - ["cdn.wocobook.com"] Cached authorization result: "valid"
  • Information - ["wocobook.com"] Cached authorization result: "valid"
  • Information - ["www.wocobook.com"] Authorizing...
  • Information - ["www.wocobook.com"] Authorizing using "dns-01" validation ("Cloudflare")
  • Warning - Unable to find or contact authoritative name servers for "_acme-challenge.www.wocobook.com": "Query 41098 => wocobook.com IN NS on 1.1.1.1:53 timed out or is a transient error."
  • Error - ["www.wocobook.com"] Authorization result: "invalid"
  • Error - ["www.wocobook.com"] "{"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.www.wocobook.com","status":403,"instance":null}"
  • Information - ["www.wocobook.com"] Deactivating pending authorization
  • Error - Renewal for "[IIS] wocobook.com, (any host)" failed, will retry on next run
  • Error - Validation failed
  • Error - No certificate generated

Sent by win-acme version 2.2.4.1500 from SERVER_NAME

IIS 10.0.20348.1 / Windows Server 2022 - dedicated server.

Using Winacme

A simple Windows ACMEv2 client (WACS)
Software version 2.2.4.1500 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!

Hi @shapeh, and welcome to the LE community forum :slight_smile:

Telnet uses TCP.
Basic DNS requests use UDP.
Recheck the firewall and ensure it allows both TCP and UDP on port 53.


Hi @rg305

I have now added a specific outgoing rule to allow UDP traffic. It seems to be able to communicate somewhat with the NS (see below):

Running the renewal command I got this:

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
Renewing [IIS] wocobook.com, (any host)
Cached order has status invalid, discarding
Failed to create order: Error creating new order
Renewal for [IIS] wocobook.com, (any host) failed, will retry on next run
Unable to create order
No certificate generated

So instead I revoked the cert and cancelled it. Then I am trying to recreate it, and I get the following:

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
[cdn.wocobook.com] Cached authorization result: valid
[wocobook.com] Cached authorization result: valid
[www.wocobook.com] Authorizing...
[www.wocobook.com] Authorizing using dns-01 validation (Cloudflare)
Unable to find or contact authoritative name servers for _acme-challenge.www.wocobook.com: Query 57051 => wocobook.com IN NS on 8.8.8.8:53 timed out or is a transient error.
[www.wocobook.com] Error submitting challenge answer
(AcmeProtocolException): Problem getting authorization
[www.wocobook.com] Deactivating pending authorization

Create certificate failed, retry? (y/n*) - yes

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
Failed to create order: Error creating new order

Create certificate failed, retry? (y/n*) - yes

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
Failed to create order: Error creating new order

Create certificate failed, retry? (y/n*) - yes

Plugin IIS generated source wocobook.com with 3 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[cdn.wocobook.com] Cached authorization result: valid
[wocobook.com] Cached authorization result: valid
[www.wocobook.com] Authorizing...
[www.wocobook.com] Authorizing using dns-01 validation (Cloudflare)
Unable to find or contact authoritative name servers for _acme-challenge.www.wocobook.com: Query 56955 => wocobook.com IN NS on 8.8.8.8:53 timed out or is a transient error.
[www.wocobook.com] Authorization result: invalid
[www.wocobook.com] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.www.wocobook.com","status":403,"instance":null}
[www.wocobook.com] Deactivating pending authorization

It seems to connect faster to the 8.8.8.8 NS ever since I added a specific firewall rule for UDP traffic, but the certificate problems remain.
Any ideas?

This was a step in the wrong direction:


Okay... I figured I should be able to start from scratch but I guess not?

You can, but that isn't always the best path.
You could get stuck in the loop:

  • if not working then start over

It worked after some time. Cert recreated.
Thanks for the inputs :slight_smile:


Too early - now I have the same problem with another domain - getpassword.net

I am just wondering what I am doing wrong / why this happens? Is there anything I can do to remedy the problem going forward?

Plugin IIS generated source getpassword.net with 2 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[getpassword.net] Authorizing...
[getpassword.net] Authorizing using dns-01 validation (Cloudflare)
Unable to find or contact authoritative name servers for _acme-challenge.getpassword.net: Query 45831 => getpassword.net IN NS on 1.1.1.1:53 timed out or is a transient error.
[getpassword.net] Authorization result: invalid
[getpassword.net] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.getpassword.net","status":403,"instance":null}
[getpassword.net] Deactivating pending authorization
[www.getpassword.net] Deactivating pending authorization

Just following up on this one.
I have four additional domains that are now doing the same.

E.g.

 Plugin IIS generated source weddings.com.na with 2 identifiers
 Plugin Single created 1 order
 Renewing [IIS] weddings.com.na, (any host)
 Cached order has status invalid, discarding
 [weddings.com.na] Cached authorization result: valid
 [www.weddings.com.na] Authorizing...
 [www.weddings.com.na] Authorizing using dns-01 validation (Cloudflare)
 Unexpected DNS error while checking weddings.com.na: Query 65039 => weddings.com.na IN NS on 8.8.8.8:53 timed out or is a transient error.
 Unexpected DNS error while checking www.weddings.com.na: Query 12803 => www.weddings.com.na IN NS on 8.8.4.4:53 timed out or is a transient error.
 Unexpected DNS error while checking _acme-challenge.www.weddings.com.na: Query 56483 => _acme-challenge.www.weddings.com.na IN NS on 1.1.1.1:53 timed out or is a transient error.
 [www.weddings.com.na] Authorization result: invalid
 [www.weddings.com.na] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.www.weddings.com.na","status":403,"instance":null}
 [www.weddings.com.na] Deactivating pending authorization
 Renewal for [IIS] weddings.com.na, (any host) failed, will retry on next run
 Validation failed
 No certificate generated

You mentioned that revoking and cancelling was a step in the wrong direction. What would be the right procedure to move forward?

Those are "unexpected DNS error"s
To IPs: 8.8.8.8 & 8.8.4.4 & 1.1.1.1

How is that related to LE?

edit:

It looks like you need to use more reliable DNS servers.
AND/OR
The ACME client needs to wait longer for the TXT record to propagate


Yeah, the DNS servers are not related to LE, but they belong to Google and Cloudflare, so I believe you won't find more stable servers than that.

Okay, re ACME: I am using https://www.win-acme.com/ and will see if I can increase the propagation wait time. At the moment it is just using the standard time.

I think everyone recognizes those IPs.

My point is that you haven't shown if they are working from that IP.
You've only shown that they aren't able to respond in time.
So, saying they are stable [to everyone on the Internet] doesn't prove they are currently for you.
[DNS failures can happen for many reasons]


@rg305 - thank you for pointing me in the right direction. I have managed to create the missing certificates.

How it was resolved:

It seems like the ACME client communicates in part via IPv6 (despite showing IPv4-notation IP addresses)? I could be wrong, though; maybe it uses IPv6 for the DNS lookup.
So, I added an outgoing UDP rule to the firewall to allow IPv6 traffic. I still get errors, but at least the certs are now created.

nslookup yields the following:

C:\>nslookup
Default Server:  one.one.one.one
Address:  2606:4700:4700::1111

> weddings.com.na
Server:  one.one.one.one
Address:  2606:4700:4700::1111

Non-authoritative answer:
Name:    weddings.com.na
Addresses:  2606:4700:3035::6815:41aa
          2606:4700:3031::ac43:a4ef
          172.67.164.239
          104.21.65.170

>

ACME-client:

 Plugin IIS generated source weddings.com.na with 2 identifiers
 Plugin Single created 1 order
 Renewing [IIS] weddings.com.na, (any host)
 Cached order has status invalid, discarding
 [weddings.com.na] Cached authorization result: valid
 [www.weddings.com.na] Authorizing...
 [www.weddings.com.na] Authorizing using dns-01 validation (Cloudflare)
 Unexpected DNS error while checking weddings.com.na: Query 56351 => weddings.com.na IN NS on 1.1.1.1:53 timed out or is a transient error.
 Unexpected DNS error while checking www.weddings.com.na: Query 50292 => www.weddings.com.na IN NS on 1.1.1.1:53 timed out or is a transient error.
 Unexpected DNS error while checking _acme-challenge.www.weddings.com.na: Query 229 => _acme-challenge.www.weddings.com.na IN NS on 1.1.1.1:53 timed out or is a transient error.
 [www.weddings.com.na] Preliminary validation failed
 Will retry in 30 seconds (retry 1/3)...
 [www.weddings.com.na] Preliminary validation failed
 Will retry in 30 seconds (retry 2/3)...
 [www.weddings.com.na] Preliminary validation failed
 Will retry in 30 seconds (retry 3/3)...
 [www.weddings.com.na] Preliminary validation failed
 It looks like validation is going to fail, but we will try now anyway...
 [www.weddings.com.na] Authorization result: valid
 Downloading certificate [IIS] weddings.com.na, (any host)
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate [IIS] weddings.com.na, (any host) @ 2023/6/9 17:53:03 to store WebHosting
 Installing with IIS...
 Updating existing https binding weddings.com.na:443 (flags: 1)
 Updating existing https binding www.weddings.com.na:443 (flags: 1)
 Committing 2 https binding changes to IIS while updating site 12
 Uninstalling certificate from the certificate store
 Removing certificate [IIS] weddings.com.na, (any host) @ 2023/4/14 17:04:53 from store WebHosting
 Next renewal due after 2023/8/3 15:49:19
 Renewal for [IIS] weddings.com.na, (any host) succeeded with errors
 Sending e-mail with subject Certificate renewal [IIS] weddings.com.na, (any host) completed with errors to email@example.org

It looks like the ACME client is being blocked from making outbound DNS requests.

Using nslookup uses the logged-on user's creds.

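The checks argued over in this thread (TCP versus UDP on port 53, IPv4 versus IPv6 to the same resolver, and whether the _acme-challenge TXT record is visible at all) can be run in one pass. The script below is an added diagnostic, not win-acme's code and not posted by anyone in the thread. It takes the zone name and the 1.1.1.1 / 8.8.8.8 / 8.8.4.4 / 2606:4700:4700::1111 addresses from the logs and nslookup output above; the Google IPv6 resolver 2001:4860:4860::8888 is an assumption added for symmetry. Because nslookup runs as the logged-on user while the renewal runs as the scheduled task's account, run this from that same account (for example by scheduling it once with the same principal) so per-user or per-program firewall rules are exercised.

```powershell
# Added diagnostic, not win-acme's code: probe the resolvers that appear in the
# thread's logs over every path the client might take (UDP vs TCP, IPv4 vs IPv6)
# and check whether the dns-01 TXT record is visible from this host.

$Zone      = 'weddings.com.na'                 # zone taken from the thread; change as needed
$Record    = "_acme-challenge.www.$Zone"       # name the CA queries for dns-01 validation
$Resolvers = @(
    '1.1.1.1', '8.8.8.8', '8.8.4.4',           # IPv4 resolvers seen in the logs
    '2606:4700:4700::1111',                    # Cloudflare IPv6, from the nslookup output above
    '2001:4860:4860::8888'                     # Google Public DNS IPv6 (assumed, not in the thread)
)

# Like the telnet test in the thread, this exercises TCP/53 only. A pass here
# proves nothing about UDP/53, which ordinary DNS queries use.
$tcpProbe = Test-NetConnection -ComputerName $Resolvers[0] -Port 53 -WarningAction SilentlyContinue
"TCP/53 to $($Resolvers[0]) reachable: $($tcpProbe.TcpTestSucceeded) (says nothing about UDP)"

function Test-DnsPath {
    # One query to one resolver over one transport, returned as a result row.
    param(
        [string]$Name,
        [string]$Type,
        [string]$Server,
        [switch]$Tcp
    )
    $query = @{
        Name        = $Name
        Type        = $Type
        Server      = $Server
        DnsOnly     = $true      # real wire query: no hosts file, LLMNR or NetBIOS fallback
        NoHostsFile = $true
        ErrorAction = 'Stop'
    }
    if ($Tcp) { $query['TcpOnly'] = $true }   # Resolve-DnsName defaults to UDP
    $transport = if ($Tcp) { 'TCP' } else { 'UDP' }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $answer = Resolve-DnsName @query
        $detail = foreach ($rr in $answer) {
            switch ("$($rr.Type)") {
                'NS'    { $rr.NameHost }
                'TXT'   { $rr.Strings -join '' }
                default { $rr.IPAddress }
            }
        }
        $ok = $true
        $detail = $detail -join '; '
    } catch {
        $ok = $false
        $detail = $_.Exception.Message      # timeout, refused, or "DNS name does not exist"
    }
    $sw.Stop()
    [pscustomobject]@{
        Server    = $Server
        Transport = $transport
        Type      = $Type
        Name      = $Name
        Ok        = $ok
        Ms        = $sw.ElapsedMilliseconds
        Detail    = $detail
    }
}

$results = foreach ($server in $Resolvers) {
    foreach ($useTcp in $false, $true) {
        Test-DnsPath -Name $Zone   -Type NS  -Server $server -Tcp:$useTcp  # the lookup win-acme's log shows timing out
        Test-DnsPath -Name $Record -Type TXT -Server $server -Tcp:$useTcp  # the challenge token itself
    }
}
$results | Format-Table Server, Transport, Type, Ok, Ms, Detail -AutoSize

# Read the pattern, not a single failure. The zone's NS set always exists, so NS
# failures measure the transport path; TXT is judged separately for propagation.
$ns      = $results | Where-Object Type -eq 'NS'
$udpFail = @($ns | Where-Object { $_.Transport -eq 'UDP' -and -not $_.Ok }).Count
$tcpFail = @($ns | Where-Object { $_.Transport -eq 'TCP' -and -not $_.Ok }).Count
$v6Fail  = @($ns | Where-Object { $_.Server -like '*:*' -and -not $_.Ok }).Count
$v4Fail  = @($ns | Where-Object { $_.Server -notlike '*:*' -and -not $_.Ok }).Count
$txtSeen = @($results | Where-Object { $_.Type -eq 'TXT' -and $_.Ok }).Count

if ($udpFail -gt 0 -and $tcpFail -eq 0) { 'UDP/53 fails where TCP/53 works: the outbound firewall is dropping UDP DNS.' }
if ($v6Fail  -gt 0 -and $v4Fail  -eq 0) { 'Only IPv6 resolvers fail: the outbound rule covers IPv4 but not IPv6.' }
if ($udpFail -eq 0 -and $tcpFail -eq 0 -and $txtSeen -eq 0) { 'Resolvers answer but no TXT record is visible yet: allow more propagation time before validation.' }
```

The three summary lines map onto the three explanations offered in the thread: rg305's TCP/UDP point, shapeh's IPv6 finding, and the propagation-wait suggestion. A table in which every NS row succeeds but the TXT rows fail from every resolver points at the record or its timing, not at the firewall.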
