Can't Pass ACME Challenge for DNS

Hi, I am trying to complete the DNS challenge, I have updated the RR countless times. Exactly as asked. However the result always comes back as invalid. The Domain is registered with GoDaddy and I’ve tried putting the RR Name as _acme-challenge.p4sadmin.com and also just as _acme-challenge (as I believe GoDaddy adds the domain automatically). I’ve tried leaving it for days at a time before submitting after updating the DNS record, but it always comes back invalid. What am I doing wrong?

My domain is: p4sadmin.com

I ran this command:
Step 1:
New-ACMEIdentifier -Dns p4sadmin.com -Alias p4sadmin8
Step 2:
Complete-ACMEChallenge p4sadmin8 -ChallengeType dns-01 -Handler manual
Step 3: (only ran this because otherwise I never see the RR details that I need)
(Update-ACMEIdentifier p4sadmin8 -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}
Step 4:
Submit-ACMEChallenge p4sadmin8 -ChallengeType dns-01

It produced this output:

ChallengePart : ACMESharp.Messages.ChallengePart
Challenge : ACMESharp.ACME.DnsChallenge
Type : dns-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/uahNf3HY2GhecCcjNUctvCkPs1GAZnsKAcmEoAwFscA/13821854271
Token : arrW68Z6U36t9fSmgaHqwirPg45fwurmBktW2uRmoMU
Status : invalid
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName : manual
HandlerHandleDate : 19/03/2019 17:31:00
HandlerHandleMessage : == Manual Challenge Handler - DNS ==
* Handle Time: [19/03/2019 17:31:00]
* Challenge Token: [arrW68Z6U36t9fSmgaHqwirPg45fwurmBktW2uRmoMU]

                     To complete this Challenge please create a new Resource
                     Record (RR) with the following characteristics:
                       * RR Type:  [TXT]
                       * RR Name:  [_acme-challenge.p4sadmin.com]
                       * RR Value: [QbISuOApE8CsPGIJ_BNUqM0DvBv4BkEic-wCJ2SHzwY]
                     ------------------------------------

HandlerCleanUpDate :
HandlerCleanUpMessage :
SubmitDate : 20/03/2019 08:28:58
SubmitResponse : {StatusCode, Headers, Links, RawContent…}

My web server is (include version):

IIS 10.0.14393.0

The operating system my web server runs on is (include version):

Windows Server 2016

My hosting provider, if applicable, is:

Self Hosted

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

ACMESharp

Any help would be appreciated. Thanks

Whether or not the _acme-challenge validation record is correct, the domain has a CAA record blocking Let’s Encrypt:

p4sadmin.com.  3599  CAA  0 issue "camerfirma.com"

You have to add 0 issue "letsencrypt.org" or remove the CAA record set entirely.

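The CAA check that blocked issuance above, as an added example (not from this thread or from ACMESharp): a Python evaluation of a CAA RRset following the RFC 8659 rules, with the DNS answers constructed inline so it runs offline. The p4sadmin.com entry mirrors the record quoted in the reply; the other names are made-up to exercise the remaining rules (inheritance from the parent, issuewild, critical-flag and parameter handling).

```python
"""Decide whether a CA may issue for a name under its CAA policy (RFC 8659).

Added example, not part of this thread or of ACMESharp. Zone data below is
constructed: p4sadmin.com carries only 0 issue "camerfirma.com" as in the
thread; example.org and locked.example are invented for the other cases.
"""
from typing import Dict, List, Tuple

Record = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data; a name with no entry has no CAA RRset of its own.
CAA_RRSETS: Dict[str, List[Record]] = {
    "p4sadmin.com": [(0, "issue", "camerfirma.com")],
    "example.org": [(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                    (0, "issuewild", ";")],          # ";" = nobody may issue
    "locked.example": [(128, "futuretag", "x")],     # critical, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(fqdn: str) -> List[Record]:
    """Climb from fqdn toward the root; the first non-empty RRset is relevant."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = CAA_RRSETS.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """True if the CA identified by `ca` (e.g. 'letsencrypt.org') may issue."""
    rrset = relevant_caa(fqdn)
    if not rrset:
        return True  # no CAA policy anywhere in the tree: any CA may issue
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False  # a critical property the CA does not understand
    tags = {t for _, t, _ in rrset}
    # issuewild governs wildcard requests only when present; else issue applies.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # policy is silent on this kind of issuance
    for _, t, value in rrset:
        if t == tag:
            issuer = value.split(";", 1)[0].strip().lower()  # drop parameters
            if issuer == ca.lower():
                return True
    return False  # only other CAs are listed, or the issuer part is empty
```

With the quoted record, `may_issue("p4sadmin.com", "letsencrypt.org")` is False until a `0 issue "letsencrypt.org"` record is added or the RRset is removed, exactly as the reply says.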

@mnordhoff You my friend, are a legend! That was it! Thank you!


Hi @ovi,

I'm glad to see you and @mnordhoff were able to solve the problem :tada:

One question for you: What version of ACMESharp are you using?

There is a friendly error message returned from the Let's Encrypt server when a CAA record prevents issuance that I would have expected to see in the output you shared originally.

I think newer versions of ACMESharp (Maybe 0.8.1.0+?) have better error reporting. It might be worth trying to upgrade if you aren't on the latest so that you can get more error information shown to you if something similar goes wrong in the future.

Thanks!

Hi @cpu, I don't know how to establish which version I have. I installed it into PowerShell last week with the following command:
Install-Module -Name ACMESharp

I would have thought this would be the latest version?


I’m afraid I’m not familiar enough with PowerShell and ACMESharp to know :frowning:

If you think you were using the latest version and it didn’t show you any kind of error message about the CAA policy preventing issuance it might be worth opening a bug with the ACMESharp developers to see if they can fix it.
