Authorization result: invalid

Hi,

Can you please help me with the following problem:
I have installed Exchange 2016 on my server and followed this tutorial to install a certificate.


However it gives me the error Authorization result: invalid (see below)
I have read that duckdns needs a TXT record which can be read by letsencrypt.
So I tried to create a TXT record, but where can I get the txt / key that I have to fill in where I set the question marks below?
https://www.duckdns.org/update?domains={mail,autodiscover}&token={MyToken Number}&txt={???}[&verbose=true]

Thanks a lot if you can help me.
It gives me a headache…

My domain is: mail.dhavenaar.nl autodiscover.dhavenaar.nl (dhavenaar.duckdns.org)

I ran this command: WACS.EXE as administrator

It produced this output:
[mail.dhavenaar.nl] Authorizing…
[mail.dhavenaar.nl] Authorizing using http-01 validation (SelfHosting)
[mail.dhavenaar.nl] Authorization result: invalid
[mail.dhavenaar.nl] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://mail.dhavenaar.nl/.well-known/acme-challenge/mR_PwpzdycC9KNKHnYkToD_7UrZvMYrni2hdch0vGkc [77.170.52.41]: "\r\n<html xmlns=\"http"",
"status": 403

My web server is (include version): No webserver, Exchange 2016

The operating system my web server runs on is (include version): Windows server 2016

My hosting provider, if applicable, is: KPN

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Welcome to the Let's Encrypt Community, Dante :slightly_smiling_face:

You are currently attempting to use http-01 authentication, which requires the creation of challenge files at a certain location on your webserver. You want to be using dns-01 authentication, which requires the creation of dns txt records of the form _acme-challenge.(domain).

In your case:
_acme-challenge.mail.dhavenaar.nl
_acme-challenge.autodiscover.dhavenaar.nl

2 Likes

Hi Griffin,

Thanks for your quick reply.
Sorry for my ignorance but I don't know how to use these commands.
Let me explain: I have installed win-acme.v2.1.10.896.x64.pluggable and certbot-beta-installer-win32 on my Windows 2016 server.
How can I use _acme-challenge
Is it a command line in CMD.EXE or do I need to install something else?

Thanks for your patience
Dante

2 Likes

It's basically a parameter in the request to WIN-ACME or CERTBOT (for Windows),
where you would specify DNS authentication instead of HTTP authentication.

2 Likes

I've included a reference to the official manual for win-acme below. I recommend that you start with manual DNS validation (creating the DNS TXT records manually for your domain) then move towards some type of automation for renewal purposes. Check out the Command line arguments and Settings.json entries at the top as well as the DNS validation section to get started.

2 Likes

Hi Griffin,

Can you please help me again?
I get stuck in this menu:

A simple Windows ACMEv2 client (WACS)
Software version 2.1.10.896 (RELEASE, PLUGGABLE)
ACME server https://acme-v02.api.letsencrypt.org/
IIS version 10.0
Running with administrator credentials
Scheduled task not configured yet
Please report issues at https://github.com/win-acme/win-acme

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options…
Q: Quit

Please choose from the menu: m

Running in mode: Interactive, Advanced

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Read site bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

Enter comma-separated list of host names, starting with the common name: mail.dhavenaar.nl,autodiscover.dhavenaar.nl

Target generated using plugin Manual: mail.dhavenaar.nl and 1 alternatives

Suggested friendly name '[Manual] mail.dhavenaar.nl', press <Enter> to accept or type an alternative:

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup and for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/win-acme/win-acme/.

1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory
3: [http-01] Upload verification files via FTP(S)
4: [http-01] Upload verification files via SSH-FTP
5: [http-01] Upload verification files via WebDav
6: [dns-01] Create verification records manually (auto-renew not possible)
7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns-01] Create verification records with your own script
9: [tls-alpn-01] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: 7

URL of the acme-dns server:

2 Likes

Happy to help. :slightly_smiling_face:

This is the method to which you are accustomed. It requires manual interaction (creation of dns txt records) every time a certificate is created/renewed. I highly recommend that you start here and successfully get a certificate before proceeding to use #7 (acme-dns).

This method delegates the dns txt challenges to a different domain in order to automate renewals. It's a bit more complicated initially, but it makes renewals cake. It basically involves creating the following CNAME records and a few other steps:
_acme-challenge.mail.dhavenaar.nl
_acme-challenge.autodiscover.dhavenaar.nl

Some resources:

Fortunately for you my friend, I recently walked in the path of automating wildcard certificates with another gentleman who generously documented his process:

1 Like

Hi Griffin,
Thanks for your help so far.
Again I get stuck. My public DNS is DuckDNS. I only can create a TXT record in this way:
https://www.duckdns.org/update?domains=dhavenaar.duckdns.org&token=xxxxxxxxxxxxxxxxxxxxx&txt=LWTAnaK6lt7bRPepgdTnTiAg1YTENTVJKKBDVP4QI1I8&verbose=true

I can't create a TXT record for mail.dhavenaar.nl or autodiscover.dhavenaar.nl
Is there a way to solve the given string from Let's Encrypt?

Thanks a lot for your help
Dante

1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory
3: [http-01] Upload verification files via FTP(S)
4: [http-01] Upload verification files via SSH-FTP
5: [http-01] Upload verification files via WebDav
6: [dns-01] Create verification records manually (auto-renew not possible)
7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns-01] Create verification records with your own script
9: [tls-alpn-01] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: 6

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key
C: Abort

What kind of private key should be used for the certificate?: 2

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps

How would you like to store the certificate?: 4

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps

Would you like to store it in another way too?: 5

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Which installation step should run first?: 1

1: Default Web Site
2: Exchange Back End

Choose site to create new bindings: 1

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Add another installation step?: 4

[autodiscover.dhavenaar.nl] Authorizing…
[autodiscover.dhavenaar.nl] Authorizing using dns-01 validation (Manual)

Domain: autodiscover.dhavenaar.nl
Record: _acme-challenge.autodiscover.dhavenaar.nl
Type: TXT
Content: "LWTAnaK6lt7bRPepgdTnTiAg1YTENTVJKKBDVP4QI1I"
Note: Some DNS managers add quotes automatically. A single set
is needed.

Please press <Enter> after you've created and verified the record

[autodiscover.dhavenaar.nl] Preliminary validation failed: no TXT records found

1 Like

Perhaps this may help?

(Derived from https://www.duckdns.org/spec.jsp)

Your TXT record will apply to all sub-subdomains under your domain (e.g. xxx.yyy.duckdns.org shares the same TXT record as yyy.duckdns.org).

The domain can be a single domain or a comma-separated list of domains.

The domain does not need to include the .duckdns.org part of your domain, just the subname (aka your domain name).


So maybe this?

https://www.duckdns.org/update?domains=dhavenaar&token=xxxxxxxxxxxxxxxxxxxxx&txt=LWTAnaK6lt7bRPepgdTnTiAg1YTENTVJKKBDVP4QI1I8&verbose=true

1 Like

Not exactly.

nslookup -q=ns dhavenaar.nl
dhavenaar.nl    nameserver = nsn1.mijndomein.nl
dhavenaar.nl    nameserver = nsn2.mijndomein.nl
dhavenaar.nl    nameserver = nsn3.mijndomein.nl

You CNAME your names to DuckDNS:

nslookup -q=a mail.dhavenaar.nl
Name:    dhavenaar.duckdns.org
Address:  77.170.52.41
Aliases:  mail.dhavenaar.nl

CNAMEing won't change the DNS servers used to resolve the TXT record.
The TXT record needs to be placed within the "mijndomein.nl" DNS system (not the DuckDNS system).

1 Like

Does he not have CNAMEs for the _acme-challenges? :astonished:

1 Like

I don't think DuckDNS would know how to handle them even if you did send them there.
[it is just a simple DDNS service]

Your instructions, although normally correct, can't apply in such a (basic) DDNS service model.

1 Like

It can because it routes all subdomain requests of a domain to a single txt record.

Are you sure? :wink:

This can be used for example to prove your ownership with letsencrypt.org

1 Like

No CNAME even found for:

nslookup -q=ns _acme-challenge.mail.dhavenaar.nl nsn1.mijndomein.nl
Server: pdns107.ultradns.com
Address: 156.154.64.107
*** pdns107.ultradns.com can't find _acme-challenge.mail.dhavenaar.nl: Non-existent domain

nslookup -q=TXT _acme-challenge.autodiscover.dhavenaar.nl nsn1.mijndomein.nl
Server: pdns107.ultradns.com
Address: 156.154.64.107
*** pdns107.ultradns.com can't find _acme-challenge.autodiscover.dhavenaar.nl: Non-existent domain

1 Like

By jove, you've found the snag! :face_with_monocle:

1 Like

@dantehavenaar

I think you forgot to create the CNAME records! Thanks be to @rg305 for noticing this.

They should both point to dhavenaar.duckdns.org.

1 Like

For future reference (until they change things):
DDNS services just do one name (to the left of their base name).
{YourName}.service.company
which means you can't reach:
_acme-challenge.{YourName}.service.company
through their service.

Not even sure if they handle TXT records for:
{YourName}.service.company
[which would be the closest thing to making it work in this direction]

I propose the original direction: Use the real DNS servers.

1 Like

Not to worry, Rudy. :slightly_smiling_face:

your TXT record will apply to all sub-subdomains under your domain e.g. xxx.yyy.duckdns.org shares the same TXT record as yyy.duckdns.org

How can he automate then? :worried:

1 Like

The simplest would be if "mijndomein.nl" DNS servers support API updates.
If that is NOT possible, then CNAME the TXT records to the DDNS name: "dhavenaar.duckdns.org"
[this would have LE query his IP for those TXT records]
Then run his own DNS server to satisfy the DNS auth requests (himself)
Enters GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. to save the day!

2 Likes
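
The lookup behaviour discussed in the posts above (a CNAME on mail.dhavenaar.nl does not cover _acme-challenge.mail.dhavenaar.nl, and the TXT record belongs wherever the challenge name itself ends up), as an added example that is not part of the original posts. The records and the zone-to-operator map are constructed from names in the thread, not live DNS data, and whether the CNAME target's DNS service actually answers TXT queries is an assumption.

```python
def challenge_name(domain):
    """dns-01 is checked at _acme-challenge.<domain>; a wildcard uses its base name."""
    domain = domain.lower().rstrip(".")
    return "_acme-challenge." + (domain[2:] if domain.startswith("*.") else domain)


def follow(name, records, max_hops=8):
    """Follow CNAMEs from `name`; return (names visited, TXT values at the last one)."""
    chain = [name]
    for _ in range(max_hops):
        target = records.get((chain[-1], "CNAME"))
        if not target:
            return chain, records.get((chain[-1], "TXT"), [])
        chain.append(target[0].lower().rstrip("."))
    raise RuntimeError("CNAME chain too long or looping")


def publish_at(domain, records, zones):
    """Name where the TXT record must exist, the operator of its zone, and what is there."""
    chain, txt = follow(challenge_name(domain), records)
    owner = chain[-1]
    zone = max((z for z in zones if owner == z or owner.endswith("." + z)),
               key=len, default=None)
    return owner, zones.get(zone, "unknown"), txt


# Constructed data modelling the thread's setup (assumption, not a live query).
ZONES = {"dhavenaar.nl": "mijndomein.nl", "duckdns.org": "DuckDNS"}
HOST_CNAME_ONLY = {
    ("mail.dhavenaar.nl", "CNAME"): ["dhavenaar.duckdns.org"],
    ("dhavenaar.duckdns.org", "TXT"): ["constructed-txt-value"],
}
# TXT created directly in the zone that is authoritative for dhavenaar.nl.
TXT_IN_ZONE = {**HOST_CNAME_ONLY,
               ("_acme-challenge.mail.dhavenaar.nl", "TXT"): ["constructed-txt-value"]}
# The challenge name itself aliased to the DDNS name.
CHALLENGE_CNAME = {**HOST_CNAME_ONLY,
                   ("_acme-challenge.mail.dhavenaar.nl", "CNAME"): ["dhavenaar.duckdns.org"]}

if __name__ == "__main__":
    for label, recs in [("host CNAME only", HOST_CNAME_ONLY),
                        ("TXT in zone", TXT_IN_ZONE),
                        ("challenge CNAME", CHALLENGE_CNAME)]:
        owner, operator, txt = publish_at("mail.dhavenaar.nl", recs, ZONES)
        print(f"{label:16} publish at {owner} ({operator}); found: {txt or 'none'}")
```
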

Thank you gentlemen,

It's bedtime now in the Netherlands, tomorrow I will try out your valuable solutions.

Have a nice weekend.
Kind regards,
Dante

3 Likes