Can't get DNS challenge to match as a new one is always being created :)

Hello,

I am quite desperate as I can't seem to be able to validate my CA with DNS-01 (nsupdate). When I create the certificate I don't see the TXT key to be configured in my DNS; therefore, any time I try to issue the CA, a new TXT is trying to be verified and never matches the only ongoing one.

At what moment should I be aware of the TXT key so I can set it before it gets verified?

[Sat Mar 14 14:35:51 CET 2020] dvlist='xdealmeida.com#ozcWx-gL8CP10Czww6vzXw7up9rxoWwd7pLodg2F4lc.3Twnv7QVFzO1iOy0Oh0bJgFqrqIZjcQw5SMtt9ujjbg#https://acme-v02.api.letsencrypt.org/acme/chall-v3/3354849728/3Hi7cg#dns-01#dns_nsupdate'
[Sat Mar 14 14:35:51 CET 2020] d
[Sat Mar 14 14:35:51 CET 2020] vlist='xdealmeida.com#ozcWx-gL8CP10Czww6vzXw7up9rxoWwd7pLodg2F4lc.3Twnv7QVFzO1iOy0Oh0bJgFqrqIZjcQw5SMtt9ujjbg#https://acme-v02.api.letsencrypt.org/acme/chall-v3/3354849728/3Hi7cg#dns-01#dns_nsupdate,'
[Sat Mar 14 14:35:51 CET 2020] d='xdealmeida.com'
[Sat Mar 14 14:35:51 CET 2020] _d_alias
[Sat Mar 14 14:35:51 CET 2020] txtdomain='_acme-challenge.xdealmeida.com'
[Sat Mar 14 14:35:51 CET 2020] txt='kW5xurqNEMILo5PAFbFxpEkBRQPRlTXBGYM5_3xezbI'

When I am creating the certificate, I would have assumed that I should get the TXT value to be configured before pressing Issue/Renew.

Plugin: os-acme-client (installed) 1.29
GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol v2.8.5

MERCI
XabiX


I tried pressing each button, either at the bottom or on the certificate line, but can't seem to just re-challenge without recreating a key.

I don't seem to find the Renew option as well described in https://www.reddit.com/r/PFSENSE/comments/5v6b0a/how_to_acme_lets_encrypt_dns_manual/

Well... your verification token is there:

% dig +short _acme-challenge.xdealmeida.com txt
"kW5xurqNEMILo5PAFbFxpEkBRQPRlTXBGYM5_3xezbI"

You should probably add a --debug 2 option to your acme.sh invocation.

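A pre-flight check for exactly this situation, as an added example (not from the thread, acme.sh or the OPNsense plugin): it takes the key authorization that acme.sh logs in `dvlist`, derives the DNS-01 TXT value the CA will look for (RFC 8555 section 8.4: base64url of SHA-256 over the key authorization), and compares it with what `dig +short` returns, so the record can be confirmed before validation is triggered. The `dvlist` parsing assumes the `domain#keyauth#challenge-url#type#hook` layout visible in the log above.

```python
import base64
import hashlib
import re
import subprocess
from typing import List


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization)), no '=' padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization_from_dvlist(entry: str) -> str:
    """Return the keyauth field of a dns-01 dvlist entry.

    Layout assumed from the acme.sh debug log: domain#keyauth#challenge-url#type#hook
    (a trailing comma appears in the 'vlist' form)."""
    fields = entry.strip().rstrip(",").split("#")
    if len(fields) != 5 or fields[3] != "dns-01":
        raise ValueError("not a dns-01 dvlist entry: %r" % entry)
    return fields[1]


def parse_dig_short_txt(output: str) -> List[str]:
    """Turn `dig +short NAME txt` output into plain strings.

    A long TXT record may come back as several quoted chunks on one line;
    those chunks are concatenated into one value."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records


def txt_record_is_published(dvlist_entry: str, dig_output: str) -> bool:
    """True when the value the CA will check is already visible in DNS."""
    expected = dns01_txt_value(key_authorization_from_dvlist(dvlist_entry))
    return expected in parse_dig_short_txt(dig_output)


def lookup_txt(name: str) -> str:
    """Live lookup via dig, for use on a real resolver (not exercised offline)."""
    cmd = ["dig", "+short", name, "txt"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Sample input taken from the log lines and dig output quoted in this thread.
    entry = ("xdealmeida.com#ozcWx-gL8CP10Czww6vzXw7up9rxoWwd7pLodg2F4lc."
             "3Twnv7QVFzO1iOy0Oh0bJgFqrqIZjcQw5SMtt9ujjbg"
             "#https://acme-v02.api.letsencrypt.org/acme/chall-v3/3354849728/3Hi7cg#dns-01#dns_nsupdate")
    dig_out = '"kW5xurqNEMILo5PAFbFxpEkBRQPRlTXBGYM5_3xezbI"\n'
    print("expected TXT:", dns01_txt_value(key_authorization_from_dvlist(entry)))
    print("published and matching:", txt_record_is_published(entry, dig_out))
```

Run it right after acme.sh prints `txt=` and before the challenge is answered; a mismatch means the hook wrote a different value (or nothing) and validation will fail.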

Yes, so I have the right challenge set up. Is there a way to manually (command line) launch a Renew?

I have set up Debug 2.

Merci


acme.sh --cron --debug 2 should do it.


I have done it but am not sure what to do now to initiate a Renew and not an Issue command.

acme.sh --cron --debug 2

[Sat Mar 14 16:02:57 CET 2020] Lets find script dir.
[Sat Mar 14 16:02:57 CET 2020] SCRIPT='/usr/local/sbin/acme.sh'
[Sat Mar 14 16:02:57 CET 2020] _script='/usr/local/sbin/acme.sh'
[Sat Mar 14 16:02:57 CET 2020] _script_home='/usr/local/sbin'
[Sat Mar 14 16:02:57 CET 2020] Using default home:/home/xabix/.acme.sh
[Sat Mar 14 16:02:57 CET 2020] Using config home:/home/xabix/.acme.sh
[Sat Mar 14 16:02:57 CET 2020] LE_WORKING_DIR='/home/xabix/.acme.sh'
GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol v2.8.5
[Sat Mar 14 16:02:57 CET 2020] Running cmd: cron
[Sat Mar 14 16:02:57 CET 2020] Using config home:/home/xabix/.acme.sh
[Sat Mar 14 16:02:57 CET 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Mar 14 16:02:57 CET 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Mar 14 16:02:57 CET 2020] ===Starting cron===
[Sat Mar 14 16:02:57 CET 2020] Using config home:/home/xabix/.acme.sh
[Sat Mar 14 16:02:57 CET 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Mar 14 16:02:57 CET 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Mar 14 16:02:57 CET 2020] _stopRenewOnError
[Sat Mar 14 16:02:57 CET 2020] _set_level='2'
[Sat Mar 14 16:02:57 CET 2020] di='/home/xabix/.acme.sh/./'
[Sat Mar 14 16:02:57 CET 2020] Not directory, skip: /home/xabix/.acme.sh/./
[Sat Mar 14 16:02:57 CET 2020] _error_level='3'
[Sat Mar 14 16:02:57 CET 2020] _set_level='2'
[Sat Mar 14 16:02:57 CET 2020] ===End cron===


You need to tell acme.sh where its config is; I am not familiar with the way OPNsense integrates it.

OK, will do. Is there any special command to be run (outside of pointing to the right config directory, which I can find)? Merci

I don’t know.

I think the problem is somewhere in the plugin you're using; it believes it has failed (to add the TXT record) when it hasn't.


Thank you so much, 9peppe. I will uninstall and reinstall while looking at the logs, to be able to get the challenge before it gets challenged towards my DNS entry.

MERCI


FYI: got it working by changing the DNS challenge to Cloudflare.
