Certificate renewal error with dehydrated

Hi All,
This morning when I tried to renew my domain's certificate I got the following error:
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "dns-01"

My domain is:
dwarfish.duckdns.org

I ran this command:
./dehydrated -c

It produced this output:

# INFO: Using main config file /home/pi/dehydrated_0.7.2/config
Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
Processing dwarfish.duckdns.org
Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun 25 06:41:08 2024 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for dwarfish.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK
 + Responding to challenge for dwarfish.duckdns.org authorization...
Unknown hook invalid_challenge
 + Cleaning challenge tokens...
OK
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "dns-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/367230212927/gHfjqw"
["status"]      "invalid"
["validated"]   "2024-06-22T09:14:22Z"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "Incorrect TXT record \"\" found at _acme-challenge.dwarfish.duckdns.org"
["error","status"]      403
["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"\" found at _acme-challenge.dwarfish.duckdns.org","status":403}
["token"]       "zi58bazOHE_lnzHz6OwhvLDKj2R58shZRN73rnOgtpg")

My web server is (include version):
Server version: Apache/2.4.25 (Raspbian)
Server built: 2022-03-18T12:54:25

The operating system my web server runs on is (include version):
debian 9.13

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Dehydrated version: 0.7.2

Thanks for the help,
SiMoNe


I do not know dehydrated very well, so these are just general comments; maybe this helps.

The TXT record in the DNS exists but is empty. So, first check that your duckdns script for dehydrated is working properly. See if it has any logs. It should be adding the needed TXT record and deleting it after the cert request. Maybe it did add it properly but needs to wait longer for your duckdns auth servers to sync, so check if you can add delays. Usually it is only a few minutes at most; it is not TTL based.

Use https://unboundtest.com to check the TXT record for _acme-challenge.dwarfish.duckdns.org

Second, does your Apache server reply to HTTP requests on port 80? It isn't right now, but if it should, then you could try using the HTTP Challenge instead. These are often easier to get working than DNS Challenges. The DNS Challenge is needed for a wildcard cert, but your last cert was not a wildcard.

And, if Apache can receive HTTP on port 80 or HTTPS on port 443 you could look at using the mod_md feature in Apache. It is a built-in ACME Client and you would then not need dehydrated at all. See: mod_md - Apache HTTP Server Version 2.4

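As an added example (not from this thread and not dehydrated's own example hook), here is a hook fragment that performs the check suggested above: after deploy_challenge has published the token, it polls the _acme-challenge TXT record and only returns once the expected value is visible, so an empty or stale record is noticed before Let's Encrypt queries it. The function names deploy_challenge and clean_challenge are the ones dehydrated calls; lookup_txt and wait_for_txt are helper names chosen here, and the duckdns update call itself is left as a placeholder.

```shell
#!/usr/bin/env bash
# Added example hook fragment for dehydrated (not the project's own code).
# dehydrated invokes the hook script as: hook.sh <hook_name> <args...>

# Return the TXT record(s) at a name, one per line, without the surrounding
# quotes that dig prints. "lookup_txt" is a helper name assumed here.
lookup_txt() {
    dig +short TXT "$1" 2>/dev/null | tr -d '"'
}

# Poll until the expected token is visible in DNS, or give up.
# Usage: wait_for_txt <name> <expected_value> [attempts] [sleep_seconds]
# Returns 0 when the record is seen, 1 on timeout.
wait_for_txt() {
    name="$1"; expected="$2"; attempts="${3:-30}"; delay="${4:-10}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        found="$(lookup_txt "$name")"
        # -x: whole line must match, -F: literal comparison (tokens are not patterns)
        if printf '%s\n' "$found" | grep -qxF -- "$expected"; then
            return 0
        fi
        if [ -z "$found" ]; then
            echo " + attempt $i/$attempts: no TXT record yet at $name" >&2
        else
            echo " + attempt $i/$attempts: TXT record at $name does not match the token" >&2
        fi
        sleep "$delay"
        i=$((i + 1))
    done
    return 1
}

# Called by dehydrated with: <domain> <token_filename> <token_value>
deploy_challenge() {
    DOMAIN="$1"; TOKEN_VALUE="$3"
    # Placeholder: publish "$TOKEN_VALUE" as the TXT record via the duckdns
    # update API here (assumption; the real call depends on your setup).
    # Do not return until the record is actually resolvable, otherwise the CA
    # may see an empty record, as in the error shown in this thread.
    wait_for_txt "_acme-challenge.${DOMAIN}" "$TOKEN_VALUE" 30 10 \
        || { echo "TXT record for ${DOMAIN} never became visible" >&2; return 1; }
}

# Called by dehydrated after validation; remove the TXT record here.
clean_challenge() {
    :   # placeholder: clear the TXT record via the duckdns update API
}

# Dispatch only the hooks implemented here; dehydrated also calls other
# hook names (e.g. invalid_challenge), which are simply ignored.
case "$1" in
    deploy_challenge|clean_challenge)
        HANDLER="$1"; shift
        "$HANDLER" "$@"
        ;;
    *) : ;;
esac
```

Run it with short delays while debugging (e.g. wait_for_txt "_acme-challenge.dwarfish.duckdns.org" "<token>" 5 5) to see whether the record ever appears, and compare with what https://unboundtest.com reports, since the CA resolves from the authoritative servers rather than from your local cache.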

This person has what looks like a problem with duckdns today too. It is possible that is related to your problem somehow. I am not sure.

You may want to check duckdns system status too.


Thanks MikeMcQ for the suggestions,
This morning, without doing anything, I managed to renew the certificate without problems.

Have a nice day,
SiMoNe

