Authorization result: invalid

Hi Griffin, rg305,

I have added the CNAME but Let's Encrypt gives an error.
What am I doing wrong?

First chance error calling into ACME server, retrying with new nonce...
[autodiscover.dhavenaar.nl] Authorizing...
[autodiscover.dhavenaar.nl] Authorizing using dns-01 validation (Manual)

Domain: autodiscover.dhavenaar.nl
Record: _acme-challenge.autodiscover.dhavenaar.nl
Type: TXT
Content: "mY_TJ6y1Q_6e7T_u6I-8vxgbCjO8wgRg__Oc4Oenzs8"
Note: Some DNS managers add quotes automatically. A single set
is needed.

Please press <Enter> after you've created and verified the record

[autodiscover.dhavenaar.nl] Preliminary validation failed: no TXT records found

2 Likes

The TXT entry shown will not match any request made by LE to satisfy a DNS challenge.

The CNAME entries will match and tell LE to go get the TXT records from "dhavenaar.duckdns.org".
So that these requests:
nslookup -q=txt _acme-challenge.autodiscover.dhavenaar.nl
nslookup -q=txt _acme-challenge.mail.dhavenaar.nl
both then become:
nslookup -q=txt dhavenaar.duckdns.org

For that to work you would need to place both of your TXT entries at: dhavenaar.duckdns.org
If that is possible, there is your answer.
If that is NOT possible, you need to remove the CNAME entries at dhavenaar.nl and replace your TXT record with the two TXT records being requested.
one TXT record for: _acme-challenge.autodiscover.dhavenaar.nl
one TXT record for: _acme-challenge.mail.dhavenaar.nl

Then check their correct response with:
nslookup -q=txt _acme-challenge.autodiscover.dhavenaar.nl 8.8.8.8
nslookup -q=txt _acme-challenge.mail.dhavenaar.nl 8.8.8.8
[or any other global DNS server - I used Google DNS (8.8.8.8) in this example]

Then when they are showing correctly, move to the next step in the authentication process.

This method, although very manual, should work and provide you with a cert for 90 days.

The next step should then be to try to automate this entire process.

2 Likes
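The CNAME-following logic described above, written out as an added example (not code from the thread, win-acme or Let's Encrypt). It walks from `_acme-challenge.<name>` along the CNAME chain the way a dns-01 validator does, reports the owner name where the TXT must actually be published, strips exactly one set of quotes from the TXT data (the "some DNS managers add quotes" caveat), and detects a looping or multi-target CNAME chain. The zone data is a constructed snapshot modelled on the thread, not live DNS; `live_lookup` is an optional, assumed dnspython-based drop-in that queries 8.8.8.8 like the nslookup commands.

```python
"""Follow the CNAME chain an ACME dns-01 validator follows and report where
the TXT record must live and whether the expected value is visible there.
The lookup function is pluggable: sample_lookup answers from a constructed
zone snapshot, live_lookup (optional, needs dnspython) asks a public resolver."""
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]  # (owner name, rtype) -> rdata as text


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


# Constructed zone snapshot (not live data): both challenge names are CNAMEs to
# the DuckDNS host, which currently carries only the first token.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.autodiscover.dhavenaar.nl.", "CNAME"): ["dhavenaar.duckdns.org."],
    ("_acme-challenge.mail.dhavenaar.nl.", "CNAME"): ["dhavenaar.duckdns.org."],
    ("dhavenaar.duckdns.org.", "TXT"): ['"mY_TJ6y1Q_6e7T_u6I-8vxgbCjO8wgRg__Oc4Oenzs8"'],
}


def sample_lookup(name: str, rtype: str) -> List[str]:
    return list(SAMPLE_ZONE.get((_fqdn(name), rtype), []))


def live_lookup(name: str, rtype: str, nameserver: str = "8.8.8.8") -> List[str]:
    """Real query via dnspython (assumed installed: pip install dnspython)."""
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [nameserver]
    try:
        return [rr.to_text() for rr in resolver.resolve(_fqdn(name), rtype)]
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []


def challenge_name(identifier: str) -> str:
    """The validator queries _acme-challenge.<name>; for a wildcard the leading
    '*.' is dropped, so *.example.nl and example.nl share one TXT owner name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return _fqdn("_acme-challenge." + host)


def follow_cnames(name: str, lookup: Lookup, max_hops: int = 8) -> str:
    """Return the owner name at which TXT data is actually read."""
    seen: List[str] = []
    name = _fqdn(name)
    while True:
        targets = lookup(name, "CNAME")
        if not targets:
            return name
        if len(targets) != 1 or name in seen or len(seen) >= max_hops:
            raise ValueError(f"broken CNAME chain at {name}: {targets}")
        seen.append(name)
        name = _fqdn(targets[0])


def unquote_txt(value: str) -> str:
    """Resolvers print TXT strings with one set of quotes; strip exactly one.
    A value that still carries quotes afterwards was entered double-quoted."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    return v


def check_dns01(identifier: str, expected: str, lookup: Lookup) -> Tuple[str, bool]:
    """Where must the TXT be published, and does it currently carry `expected`?"""
    owner = follow_cnames(challenge_name(identifier), lookup)
    values = [unquote_txt(v) for v in lookup(owner, "TXT")]
    return owner, expected in values


if __name__ == "__main__":
    for host, token in [("autodiscover.dhavenaar.nl", "mY_TJ6y1Q_6e7T_u6I-8vxgbCjO8wgRg__Oc4Oenzs8"),
                        ("mail.dhavenaar.nl", "hu2JSZlYinOH83O_mku582kJ0vS3m2F5QeH0XVz5-eA")]:
        print(host, "->", check_dns01(host, token, sample_lookup))
```

Swap `sample_lookup` for `live_lookup` to run the same check against real DNS before pressing Enter in the client; the owner name it returns is where the record has to go, which for the CNAME setup in this thread is dhavenaar.duckdns.org and not the _acme-challenge names themselves.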

Hi rg305,
We will get there :slight_smile:
I can create a TXT record via the DuckDNS API. See DuckDNS
Or should I use the HTTPS API?
If I create a TXT record at DuckDNS, do I have to keep the CNAMEs at dhavenaar.nl?
mail.dhavenaar.nl and autodiscover.dhavenaar.nl

Kind regards,
Dante

2 Likes

You need the CNAMEs and the TXT record via the API already mentioned at DuckDNS. Don't change the CNAMEs you have, they're good. I honestly think this process is automatable.

Currently, the TXT record is empty. Be sure NOT to include quotes when entering the token given by certbot. When running certbot, you need to:

  1. Update the TXT record to the first value given by certbot.
  2. Delay a bit so it can propagate.
  3. Hit enter.
  4. Update the TXT record to the second value given by certbot.
  5. Delay a bit so it can propagate.
  6. Hit enter.

You can use the TXT button of the following tool at steps 2 and 5 to check that the record is correct:

Check for:
_acme-challenge.autodiscover.dhavenaar.nl
_acme-challenge.mail.dhavenaar.nl

;QUESTION
_acme-challenge.autodiscover.dhavenaar.nl. IN TXT

;ANSWER
_acme-challenge.autodiscover.dhavenaar.nl. 589 IN CNAME dhavenaar.duckdns.org.
dhavenaar.duckdns.org. 49 IN TXT ""

;QUESTION
_acme-challenge.mail.dhavenaar.nl. IN TXT

;ANSWER
_acme-challenge.mail.dhavenaar.nl. 599 IN CNAME dhavenaar.duckdns.org.
dhavenaar.duckdns.org. 59 IN TXT ""

1 Like

I'm not sure DuckDNS supports multiple TXT records.
He would need two TXTs active at the same time.
hmm...
Unless there is a way to enter both records into one single update... ? ? ?

In any case, he needs to verify that both records show before proceeding.
Otherwise, he could get individual certs (one at a time - per single TXT record).

From what I see, the dns-01 verifications are being performed serially, as indicated by the quote that follows (remember that @dantehavenaar is using win-acme and not certbot). Ergo, no need to create multiple TXT records simultaneously. A happy coincidence. :slightly_smiling_face:

2 Likes

Hey guys,
It looks like I have successfully created a certificate. Without your help I would not have succeeded.
Thanks.
One question:
Where is the certificate placed on my server? I guess in the Windows Certificate Store. That's what I chose, but I can't find it there.

So here is the result of creating the certificate:

[autodiscover.dhavenaar.nl] Authorizing...
[autodiscover.dhavenaar.nl] Authorizing using dns-01 validation (Manual)

Domain: autodiscover.dhavenaar.nl
Record: dhavenaar.duckdns.org
Type: TXT
Content: "mY_TJ6y1Q_6e7T_u6I-8vxgbCjO8wgRg__Oc4Oenzs8"
Note: Some DNS managers add quotes automatically. A single set
is needed.

Please press <Enter> after you've created and verified the record

[autodiscover.dhavenaar.nl] Preliminary validation succeeded
[autodiscover.dhavenaar.nl] Preliminary validation succeeded
[autodiscover.dhavenaar.nl] Authorization result: valid

Domain: autodiscover.dhavenaar.nl
Record: dhavenaar.duckdns.org
Type: TXT
Content: "mY_TJ6y1Q_6e7T_u6I-8vxgbCjO8wgRg__Oc4Oenzs8"

Please press <Enter> after you've deleted the record

[mail.dhavenaar.nl] Authorizing...
[mail.dhavenaar.nl] Authorizing using dns-01 validation (Manual)

Domain: mail.dhavenaar.nl
Record: dhavenaar.duckdns.org
Type: TXT
Content: "hu2JSZlYinOH83O_mku582kJ0vS3m2F5QeH0XVz5-eA"
Note: Some DNS managers add quotes automatically. A single set
is needed.

Please press <Enter> after you've created and verified the record

[mail.dhavenaar.nl] Preliminary validation succeeded
[mail.dhavenaar.nl] Preliminary validation succeeded
First chance error calling into ACME server, retrying with new nonce...
[mail.dhavenaar.nl] Authorization result: valid

Domain: mail.dhavenaar.nl
Record: dhavenaar.duckdns.org
Type: TXT
Content: "hu2JSZlYinOH83O_mku582kJ0vS3m2F5QeH0XVz5-eA"

Please press <Enter> after you've deleted the record

Requesting certificate [Manual] mail.dhavenaar.nl
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [Manual] mail.dhavenaar.nl @ 2020/9/21 12:36:35 to store WebHosting
Installing with None...
Adding Task Scheduler entry with the following settings

3 Likes

Try in here:
image

2 Likes

Yes thanks,
Shame on me, i have to learn to read :grimacing: Back to school
Adding certificate [Manual] mail.dhavenaar.nl @ 2020/9/21 12:36:35 to store WebHosting

3 Likes

:partying_face:

You got your certificate!

Now for the follow-up...

Renewal via a scheduled task is typically non-interactive. That means unless you've scripted the creation of the text records (and the pauses), you won't be able to use the renew function in a scheduled task because it won't give you a chance to manually create the TXT records.

1 Like
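An added example (not from the thread, win-acme or DuckDNS) of what "scripting the creation of the TXT records and the pauses" can look like for the serial create/verify/delete steps listed earlier: set the DuckDNS TXT value, poll a public resolver until it is visible, and clear it again afterwards. The DuckDNS query parameters (`domains`, `token`, `txt`, `clear`) follow the public DuckDNS spec page and should be checked against it; the `create|delete <identifier> <record name> <token>` calling convention is an assumption modelled on win-acme's DNS script plugin and must be checked against the win-acme docs (and a .cmd wrapper is assumed to launch the Python interpreter). The DuckDNS token is an account credential that can also change the A record, so the script reads it from the environment rather than taking it on the command line.

```python
"""Set, verify and clear a DuckDNS TXT record for unattended dns-01 validation.
Assumed invocation: script.py create|delete <identifier> <record name> <token>
with DUCKDNS_SUBDOMAIN (e.g. "dhavenaar") and DUCKDNS_TOKEN in the environment."""
import os
import re
import subprocess
import sys
import time
import urllib.parse
import urllib.request
from typing import Callable, List, Optional

DUCKDNS_UPDATE = "https://www.duckdns.org/update"


def duckdns_url(subdomain: str, token: str, txt: Optional[str]) -> str:
    """txt=None builds the clear request (assumed per DuckDNS spec: txt=&clear=true)."""
    params = {"domains": subdomain, "token": token}
    if txt is None:
        params.update(txt="", clear="true")
    else:
        params["txt"] = txt
    return DUCKDNS_UPDATE + "?" + urllib.parse.urlencode(params)


def duckdns_update(subdomain: str, token: str, txt: Optional[str],
                   opener: Callable = urllib.request.urlopen) -> str:
    """DuckDNS answers with the bare text OK or KO; anything but OK is an error."""
    with opener(duckdns_url(subdomain, token, txt), timeout=15) as resp:
        body = resp.read().decode("ascii", "replace").strip()
    if body != "OK":
        raise RuntimeError(f"DuckDNS rejected update: {body!r}")
    return body


def wait_for_txt(expected: str, lookup: Callable[[], List[str]],
                 attempts: int = 12, delay: float = 10.0) -> bool:
    """Poll until the token is visible; DuckDNS TTL is about a minute."""
    for n in range(attempts):
        if expected in lookup():
            return True
        if n + 1 < attempts:
            time.sleep(delay)
    return False


def nslookup_txt(name: str, server: str = "8.8.8.8") -> List[str]:
    """Same check as `nslookup -q=txt name 8.8.8.8`; nslookup follows the CNAME
    itself, and every quoted string in its output is taken as a TXT value."""
    out = subprocess.run(["nslookup", "-q=txt", name, server],
                         capture_output=True, text=True).stdout
    return re.findall(r'"([^"]*)"', out)


def main(argv: List[str]) -> int:
    action, identifier, record, token = argv[1:5]
    subdomain = os.environ["DUCKDNS_SUBDOMAIN"]
    api_token = os.environ["DUCKDNS_TOKEN"]
    if action == "create":
        duckdns_update(subdomain, api_token, token)
        ok = wait_for_txt(token, lambda: nslookup_txt(record))
        print(("visible" if ok else "NOT visible"), "for", identifier, "at", record)
        return 0 if ok else 1
    duckdns_update(subdomain, api_token, None)  # delete: clear the shared TXT
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because DuckDNS holds a single TXT value per host, this only works when the client validates one name at a time, as the win-acme output in this thread shows it doing; the delete step clears the value so the next name's token can be written.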

Hi Griffin, rg305,

I have another domain added to my Exchange server. The provider is Strato, who hosts the DNS.
I can't add a CNAME for _acme-challenge.mail.gergembenthuizen.nl
The DNS sees this as a sub-subdomain and does not allow that.
Is it possible to create one certificate for both mail.gergembenthuizen.nl and autodiscover.gergembenthuizen.nl?
For instance _acme-challenge.gergembenthuizen.nl

Thanks for your help again
Dante

1 Like

@dantehavenaar
Yes, an LE cert is limited to 100 such entries - two is no problem.

But not so sure about the detail you provided to get one cert for those names:

DNS challenges require a TXT that is "_acme-challenge." + the FQDN
[except when the FQDN is the wildcard (*.domain) - then remove the "*."]

So then "_acme-challenge.gergembenthuizen.nl" would only be able to get a cert for:
gergembenthuizen.nl
or
*.gergembenthuizen.nl

If those are your only two choices...
Then maybe the wildcard is the way to go for you (in this case).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.