Challenge validation has failed

mario · February 26, 2022, 7:45pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mmrmedia.xs4all.nl

I ran this command:
/usr/bin/dehydrated -c

It produced this output:

INFO: Using main config file /etc/dehydrated/config

INFO: Running /usr/bin/dehydrated as xxxxx/wheel

INFO: Using main config file /etc/dehydrated/config

Processing mmrmedia.xs4all.nl

Signing domains...
Generating private key...
Generating signing request...
Requesting new certificate order from CA...
Received 1 authorizations URLs from the CA
Handling authorization for mmrmedia.xs4all.nl
1 pending challenge(s)
Deploying challenge tokens...
Responding to challenge for mmrmedia.xs4all.nl authorization...
Cleaning challenge tokens...
Challenge validation has failed
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:caa",
"detail": "CAA record for mmrmedia.xs4all.nl prevents issuance",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1780536498/cRF4fA",
"token": "CdBLgEwasFq2ETIVpmSB1jEy0fa9iMSZ35uRctpT8W0",
"validationRecord": [
{
"url": "http://mmrmedia.xs4all.nl/.well-known/acme-challenge/CdBLgEwasFq2ETIVpmSB1jEy0fa9iMSZ35uRctpT8W0",
"hostname": "mmrmedia.xs4all.nl",
"port": "80",
"addressesResolved": [
"80.100.158.243"
],
"addressUsed": "80.100.158.243"
}
],
"validated": "2022-02-26T19:26:25Z"
})

My web server is (include version):
Apache 2.4.52

The operating system my web server runs on is (include version):
Linux Slackware 14.2 kernel 4.4.276
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
dehydrated-0.6.5

The output of dig -t txt mmrmedia.xs4all.nl
mmrmedia.xs4all.nl. 3600 IN TXT "kpn-domain verification=f8f5431b486c44e489f37d56e89e8277"

What could be the problem here.

9peppe · February 26, 2022, 7:53pm

You need to add a CAA record to override the CAA records for your parent domain (which are kind of a mess)

dig caa xs4all.nl

; <<>> DiG 9.16.11 <<>> caa xs4all.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56523
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;xs4all.nl.                     IN      CAA

;; ANSWER SECTION:
xs4all.nl.              3600    IN      CAA     0 issuewild "sectigo.com"
xs4all.nl.              3600    IN      CAA     0 issuewild "letsencrypt.org"
xs4all.nl.              3600    IN      CAA     0 issue "comodoca.com"
xs4all.nl.              3600    IN      CAA     0 issue "sectigo.com"

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Feb 26 20:50:11 CET 2022
;; MSG SIZE  rcvd: 171

mario · February 26, 2022, 8:00pm

Thanks for your quick answer.
Where should i do that xs4all.nl is my provider and i am on a subdomain.

9peppe · February 26, 2022, 8:01pm

Do you have any control over your DNS records?

Read here: Certificate Authority Authorization (CAA) - Let's Encrypt

Otherwise, ask them to modify their records like this:

xs4all.nl.              3600    IN      CAA     0 issue "letsencrypt.org"
xs4all.nl.              3600    IN      CAA     0 issue "comodoca.com"
xs4all.nl.              3600    IN      CAA     0 issue "sectigo.com"

(issue includes issuewild)

mario · February 26, 2022, 8:08pm

No i have no control over the DNS records.
I was trying to see if i could get it working .
But i am moving to an other provider next month, so i will try it there and i have some control over DNS

9peppe · February 26, 2022, 8:09pm

You can use any other dynamic dns provider, like duckdns or afraid.

mario · February 26, 2022, 8:36pm

Thanks for the tip i will look at that

system · March 28, 2022, 8:37pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.