I’m developing a client to manage certificates. I use the lego/acme package for the communication with the CA server (I’m working in Go).
My problem is that I cannot pass the DNS challenge. For example, let’s say my domain is my.domain.eu. On my side, it seems like everything is correctly set.
I set the TXT record, and when I run
host -t TXT _acme-challenge.my.domain.eu
I get the correct answer with the correct token.
But afterwards, the answer from the CA server is:
No TXT record found at _acme-challenge.my.domain.eu
"Challenge":{"id":1,"type":"dns-01","status":"invalid","error":{"type":"unauthorized","detail":"No TXT record found at _acme-challenge.my.domain.eu","status":403}
As I am still in development, I am working with Boulder.
I’m really lost because I don’t understand this error.
Why does Boulder answer that while I can get the TXT record?
How long after setting the record are you submitting the challenge? If you’re doing it immediately, then Boulder may be getting a stale read from Cloudflare.
Also, are you using the staging Boulder server or your own instance? If you’re using your own instance, then it may be affected by the cache of your local resolver.
I submit the challenge only once I’ve checked the TXT record myself. So the record is set and Boulder should get the same information as me.
I’m using my own instance of Boulder. How do I clear the cache?
If you’re running local Boulder using the default docker-compose environment, then it doesn’t actually have a real DNS resolver - it uses something called challtestsrv, which is just a simple test/fake responder. Real Boulder environments should point their dnsResolvers to an actual recursive, non-caching resolver (see /test/config/va.json).
I’m not sure that actually running Boulder is a viable way to go about developing a client. You should use the staging server or at the very least Pebble, as they perform real DNS lookups.
If I add “8.8.8.8” to the “dnsResolvers” field in /test/config/va.json, could it work?
I don’t use the staging server because there is a rate limit, right ?
8.8.8.8 is a caching resolver, it will work once and then give you caching problems. If you want to do it like Let’s Encrypt, you can run Unbound locally with something like this config.
The staging server has pretty high rate limits to allow for testing. Unless you’re going to be hitting more than 60 validation failures per hour, I think it’s by far your best and easiest option. Even Pebble is a far better choice than Boulder.
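The caching problem described in the replies above is usually handled on the client side by checking the record the way the CA will see it, rather than through the local stub resolver. The following is an added example and is not code from this thread, from lego, or from Boulder: it discovers the zone’s authoritative nameservers with an NS lookup (walking up the labels of the challenge name), sends the TXT query to each of those servers directly using Go’s net.Resolver with a custom Dial, and polls until every server returns the token. The program name txtcheck, the 5-second poll interval and the 12-attempt limit are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// TXTLookup returns the TXT values published at fqdn. A func type lets the
// propagation check run against a fake resolver offline.
type TXTLookup func(ctx context.Context, fqdn string) ([]string, error)

// DirectLookup builds a TXTLookup that sends queries straight to the given
// nameserver ("host:port") instead of the system's stub resolver, so an answer
// cached by a local resolver (or by a public one like 8.8.8.8) cannot hide a
// freshly published record.
func DirectLookup(nameserver string) TXTLookup {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, nameserver)
		},
	}
	return r.LookupTXT
}

// AuthoritativeNameservers finds the NS set of the closest enclosing zone of
// fqdn by stripping labels until a LookupNS succeeds. The NS query itself goes
// through the system resolver; NS sets change rarely, so caching is harmless there.
func AuthoritativeNameservers(ctx context.Context, fqdn string) ([]string, error) {
	name := strings.TrimSuffix(fqdn, ".")
	for name != "" {
		ns, err := net.DefaultResolver.LookupNS(ctx, name)
		if err == nil && len(ns) > 0 {
			hosts := make([]string, 0, len(ns))
			for _, n := range ns {
				hosts = append(hosts, net.JoinHostPort(strings.TrimSuffix(n.Host, "."), "53"))
			}
			return hosts, nil
		}
		idx := strings.Index(name, ".")
		if idx < 0 {
			break
		}
		name = name[idx+1:]
	}
	return nil, fmt.Errorf("no NS records found for %s or any parent zone", fqdn)
}

// HasToken reports whether token is one of the published TXT values.
func HasToken(records []string, token string) bool {
	for _, rec := range records {
		if rec == token {
			return true
		}
	}
	return false
}

// WaitForTXT polls every lookup (one per nameserver) until all of them return
// token, or until maxAttempts rounds have been made. It returns the number of
// rounds used. A lookup error (NXDOMAIN, timeout) counts as "not propagated
// yet" rather than as a fatal error, because that is exactly what a server that
// has not received the zone update yet will answer.
func WaitForTXT(ctx context.Context, lookups []TXTLookup, fqdn, token string, interval time.Duration, maxAttempts int) (int, error) {
	if len(lookups) == 0 {
		return 0, errors.New("no nameservers to check")
	}
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		agree := 0
		for _, lookup := range lookups {
			recs, err := lookup(ctx, fqdn)
			if err == nil && HasToken(recs, token) {
				agree++
			}
		}
		if agree == len(lookups) {
			return attempt, nil
		}
		if attempt == maxAttempts {
			break
		}
		select {
		case <-ctx.Done():
			return attempt, ctx.Err()
		case <-time.After(interval):
		}
	}
	return maxAttempts, fmt.Errorf("%s: token not visible on all %d nameservers after %d attempts", fqdn, len(lookups), maxAttempts)
}

func main() {
	// Usage (assumed program name): txtcheck _acme-challenge.my.domain.eu <token>
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: txtcheck <fqdn> <token>")
		os.Exit(2)
	}
	fqdn, token := os.Args[1], os.Args[2]
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()

	servers, err := AuthoritativeNameservers(ctx, fqdn)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	lookups := make([]TXTLookup, 0, len(servers))
	for _, s := range servers {
		lookups = append(lookups, DirectLookup(s))
	}
	n, err := WaitForTXT(ctx, lookups, fqdn, token, 5*time.Second, 12)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("token visible on %v after %d attempt(s); safe to submit the challenge\n", servers, n)
}
```

Querying the authoritative servers directly is the check that matters: `host -t TXT` goes through whatever resolver is configured locally, so a positive answer there says nothing about what a different resolver, including the one Boulder's VA uses, has cached. The remaining caveat is negative caching: if the validator's resolver was asked for the name before the record existed, it may hold that NXDOMAIN for the zone's negative TTL, which is why publishing the record before any validation attempt, and using a non-caching resolver for the VA, both matter.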
@_az it is not really about the original question, but when I try to use the staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory) I get an EOF error when I create a new account. It works very well with Boulder.
Do you have any idea why ?
Thanks
It’s a little bit complicated; it is a big project. But I use the lego/acme package for the communication with the CA server (currently Boulder), and I call the Register method. What is weird is that it works well with Boulder and I changed nothing, just the endpoint URL to https://acme-staging-v02.api.letsencrypt.org/directory