Challenge start failed: could not install DNS challenge, no hooks succeeded

I’m operating a production server already containing multiple Let’s Encrypt certificates. While trying to install one new certificate, it fails stating:

[DEBUG] acme.solver: challenge start failed: could not install DNS challenge, no hooks succeeded
[ERROR] acme.storageops: could not obtain authorization for t-stor.teagasc.ie: failed all combinations
[ERROR] acme.storageops: Target(t-stor.teagasc.ie;https://acme-v01.api.letsencrypt.org/directory;0): failed to request certificate: failed all combinations

The /.well-known/acme-challenge location is accessible for the hostname, and the Apache logs clearly indicate there’s no problem retrieving the files:
52.208.117.227 - - [11/Jan/2018:16:11:05 +0000] "GET /.well-known/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY HTTP/1.1" 200 87 "-" "Go-http-client/1.1"
66.133.109.36 - - [11/Jan/2018:16:11:07 +0000] "GET /.well-known/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I can still add other domains, but this particular domain is rejected.
Most problems I can find on the internet state either an HTTP->HTTPS redirect is in place, or the /.well-known/acme-challenge is not accessible due to a proxy setting. These issues are not applicable here (I’ve verified writing a file to /var/lib/acme/.well-known/acme-challenge/ and accessing it).

Any input on what else could be blocking the request would be welcome.

My domain is: t-stor.teagasc.ie

I ran this command: acmetool want t-stor.teagasc.ie --xlog.severity=debug

It produced this output:

[DEBUG] acme.responder: writing webroot file /var/lib/acme/.well-known/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY
[DEBUG] acme.responder: writing webroot file /var/run/acme/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/haproxy
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/reload
[DEBUG] acme.responder: http-01 self test
[DEBUG] acme.responder: http-01 started
[DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/challenge/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y/3056555713
[DEBUG] acme.api: response: &{202 Accepted 202 HTTP/1.1 1 1 map[Date:[Thu, 11 Jan 2018 16:11:06 GMT] Connection:[keep-alive] Content-Type:[application/json] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Link:[https://acme-v01.api.letsencrypt.org/acme/authz/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y;rel=“up”] Location:[https://acme-v01.api.letsencrypt.org/acme/challenge/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y/3056555713] Replay-Nonce:[GjbPExoRM2ZTjY1a-H6ivOMTnDmkD-K2rebksGeHOyM] Expires:[Thu, 11 Jan 2018 16:11:06 GMT] Server:[nginx] Content-Length:[336] Boulder-Requester:[20605555]] 0xc420444580 336 [] false false map[] 0xc420198900 0xc4201b49a0}
[DEBUG] acme.solver: waiting to poll challenge
[DEBUG] acme.solver: querying challenge status
[DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/challenge/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y/3056555713
[DEBUG] acme.api: response: &{202 Accepted 202 HTTP/1.1 1 1 map[Content-Type:[application/json] Link:[https://acme-v01.api.letsencrypt.org/acme/authz/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y;rel=“up”] Location:[https://acme-v01.api.letsencrypt.org/acme/challenge/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y/3056555713] Replay-Nonce:[qmJSX0_Y47ByUIkX7ixs-XwEh602-MYX3ZlJF1N-uUs] Expires:[Thu, 11 Jan 2018 16:11:11 GMT] Pragma:[no-cache] Date:[Thu, 11 Jan 2018 16:11:11 GMT] Server:[nginx] Content-Length:[830] Cache-Control:[max-age=0, no-cache, no-store] Connection:[keep-alive]] 0xc420444640 830 [] false false map[] 0xc420198b00 0xc4201b49a0}
[DEBUG] acme.solver: challenge now in final state
[DEBUG] acme.responder: removing webroot file /var/lib/acme/.well-known/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY
[DEBUG] acme.responder: removing webroot file /var/run/acme/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/haproxy
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/reload
[DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/new-authz
[DEBUG] acme.api: response: &{201 Created 201 HTTP/1.1 1 1 map[Link:[https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”] X-Frame-Options:[DENY] Strict-Transport-Security:[max-age=604800] Date:[Thu, 11 Jan 2018 16:11:12 GMT] Server:[nginx] Content-Type:[application/json] Content-Length:[732] Boulder-Requester:[20605555] Location:[https://acme-v01.api.letsencrypt.org/acme/authz/wrkDVfLYW2Qbx7WSafYLBB60qlQwYrapWufbQb_nS-Q] Replay-Nonce:[FnHi78g8UryqHpEiPhiiubXUYRbb_MFP3aDd_4oStj8] Expires:[Thu, 11 Jan 2018 16:11:12 GMT] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Connection:[keep-alive]] 0xc420184d80 732 [] false false map[] 0xc42054c200 0xc4201b49a0}
[DEBUG] acme.solver: attempting challenge type dns-01
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/haproxy
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/reload
[DEBUG] acme.solver: challenge start failed: could not install DNS challenge, no hooks succeeded
[ERROR] acme.storageops: could not obtain authorization for t-stor.teagasc.ie: failed all combinations
[ERROR] acme.storageops: Target(t-stor.teagasc.ie;https://acme-v01.api.letsencrypt.org/directory;0): failed to request certificate: failed all combinations

My web server is (include version): Apache/2.2.32

The operating system my web server runs on is (include version): Amazon Linux version 2017.03

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

There seems to be a problem looking up the CAA record for this domain:

https://unboundtest.com/m/CAA/t-stor.teagasc.ie/JJEC7NJG

You don’t have to actually have a CAA record, but you do need to respond to a request for it with a negative response rather than an error.

You might need to update your DNS servers I guess?
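A small checker for exactly the condition described above, added here as an example and not part of the original thread: it sends a CAA query with nothing but the standard library and reports whether the reply is the kind a CA can act on (NOERROR, with or without CAA records, or NXDOMAIN) or a lookup error (SERVFAIL, REFUSED, timeout) that blocks issuance. The resolver address 8.8.8.8 and the sample replies are assumptions/constructed values, not taken from the thread.

```python
import socket
import struct

CAA_TYPE = 257  # RR type for CAA (RFC 6844)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_caa_query(name, txid=0x1234):
    """Minimal DNS query (recursion desired) for the CAA record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", CAA_TYPE, 1)

def classify_caa_response(data):
    """Classify a raw reply: a CA can proceed on NOERROR (with CAA records or an
    empty answer, i.e. NODATA) or NXDOMAIN; SERVFAIL/REFUSED are lookup errors
    and Let's Encrypt will not issue on them."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {"rcode": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
            "answers": ancount, "acceptable": rcode in (0, 3)}

def check_caa(domain, resolver="8.8.8.8", timeout=3.0):
    """Send the query over UDP to `resolver` (assumed public resolver) and
    classify the reply; TIMEOUT is a failure too, the CA gets no answer either."""
    query = build_caa_query(domain)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"rcode": "TIMEOUT", "answers": 0, "acceptable": False}
    finally:
        sock.close()
    if data[:2] != query[:2]:  # reply must echo our transaction id
        raise ValueError("transaction id mismatch")
    return classify_caa_response(data)

# Constructed sample replies (headers only, which is all the classifier reads):
# 0x8180 = QR|RD|RA, rcode 0 (empty answer = NODATA); 0x8182 = same, rcode 2.
SAMPLE_NODATA = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    print(check_caa(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it against the affected name and against the authoritative servers directly (pass their address as `resolver`) to see which side returns the error; a healthy zone without CAA records gives NOERROR with zero answers.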
