Challenge validation has failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mmrmedia.xs4all.nl

I ran this command:
/usr/bin/dehydrated -c

It produced this output:

INFO: Using main config file /etc/dehydrated/config

INFO: Running /usr/bin/dehydrated as xxxxx/wheel

INFO: Using main config file /etc/dehydrated/config

Processing mmrmedia.xs4all.nl

  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
  • Received 1 authorizations URLs from the CA
  • Handling authorization for mmrmedia.xs4all.nl
  • 1 pending challenge(s)
  • Deploying challenge tokens...
  • Responding to challenge for mmrmedia.xs4all.nl authorization...
  • Cleaning challenge tokens...
  • Challenge validation has failed :(
    ERROR: Challenge is invalid! (returned: invalid) (result: {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:caa",
        "detail": "CAA record for mmrmedia.xs4all.nl prevents issuance",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1780536498/cRF4fA",
      "token": "CdBLgEwasFq2ETIVpmSB1jEy0fa9iMSZ35uRctpT8W0",
      "validationRecord": [
        {
          "url": "http://mmrmedia.xs4all.nl/.well-known/acme-challenge/CdBLgEwasFq2ETIVpmSB1jEy0fa9iMSZ35uRctpT8W0",
          "hostname": "mmrmedia.xs4all.nl",
          "port": "80",
          "addressesResolved": [
            "80.100.158.243"
          ],
          "addressUsed": "80.100.158.243"
        }
      ],
      "validated": "2022-02-26T19:26:25Z"
    })

My web server is (include version):
Apache 2.4.52

The operating system my web server runs on is (include version):
Linux Slackware 14.2 kernel 4.4.276

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
dehydrated-0.6.5

The output of dig -t txt mmrmedia.xs4all.nl:
mmrmedia.xs4all.nl. 3600 IN TXT "kpn-domain verification=f8f5431b486c44e489f37d56e89e8277"

What could be the problem here?

You need to add a CAA record to override the CAA records for your parent domain (which are kind of a mess).

dig caa xs4all.nl

; <<>> DiG 9.16.11 <<>> caa xs4all.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56523
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;xs4all.nl.                     IN      CAA

;; ANSWER SECTION:
xs4all.nl.              3600    IN      CAA     0 issuewild "sectigo.com"
xs4all.nl.              3600    IN      CAA     0 issuewild "letsencrypt.org"
xs4all.nl.              3600    IN      CAA     0 issue "comodoca.com"
xs4all.nl.              3600    IN      CAA     0 issue "sectigo.com"

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Feb 26 20:50:11 CET 2022
;; MSG SIZE  rcvd: 171

Thanks for your quick answer.
Where should I do that? xs4all.nl is my provider and I am on a subdomain.

Do you have any control over your DNS records?

Read here: Certificate Authority Authorization (CAA) - Let's Encrypt

Otherwise, ask them to modify their records like this:

xs4all.nl.              3600    IN      CAA     0 issue "letsencrypt.org"
xs4all.nl.              3600    IN      CAA     0 issue "comodoca.com"
xs4all.nl.              3600    IN      CAA     0 issue "sectigo.com"

(issue includes issuewild)

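The two answers above turn on how a CA picks the "relevant" CAA RRset (walk up from the requested name to the first name that has CAA records) and on the split between `issue` and `issuewild`. The following is an added example, not from the thread, from dehydrated or from Let's Encrypt's own code: a simplified re-implementation of the RFC 8659 lookup rules run over a constructed zone table that mirrors the `dig caa xs4all.nl` output, plus a constructed override record at `mmrmedia.xs4all.nl` as the first answer proposes. It runs offline; a real CA queries live DNS (and checks DNSSEC, critical flags and parameters, which are left out here).

```python
"""Simplified RFC 8659 CAA evaluation (added example; not from the thread,
dehydrated or Let's Encrypt).  Zone data below is constructed to mirror the
dig output posted above; the mmrmedia.xs4all.nl record is the hypothetical
override, not a live record."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Caa:
    flags: int
    tag: str    # "issue" or "issuewild"; other tags (iodef, ...) ignored here
    value: str  # issuer domain such as "letsencrypt.org"; "" or ";" forbids all


# Parent-only zone: exactly what dig showed for xs4all.nl (constructed copy).
PARENT_ONLY: Dict[str, List[Caa]] = {
    "xs4all.nl": [
        Caa(0, "issuewild", "sectigo.com"),
        Caa(0, "issuewild", "letsencrypt.org"),
        Caa(0, "issue", "comodoca.com"),
        Caa(0, "issue", "sectigo.com"),
    ],
}

# Same parent plus the hypothetical override the answer suggests for the
# subdomain.  Because the subdomain now has its own RRset, the parent's
# records are never consulted for names at or below it.
WITH_OVERRIDE: Dict[str, List[Caa]] = {
    **PARENT_ONLY,
    "mmrmedia.xs4all.nl": [Caa(0, "issue", "letsencrypt.org")],
}


def relevant_rrset(zone: Dict[str, List[Caa]], name: str) -> List[Caa]:
    """RFC 8659 section 3: strip a leading '*' label, then walk towards the
    root; the first non-empty CAA RRset found is the relevant one."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrs = zone.get(".".join(labels), [])
        if rrs:
            return rrs
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """Issuer domain is the part before any ';' parameters, e.g.
    'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[Caa]], name: str, ca: str) -> bool:
    """Return True if the CA identified by `ca` may issue for `name`."""
    rrs = relevant_rrset(zone, name)
    wildcard = name.startswith("*.")
    issue = [r for r in rrs if r.tag == "issue"]
    issuewild = [r for r in rrs if r.tag == "issuewild"]
    # issuewild only matters for wildcard names, and only when present; a
    # wildcard name with no issuewild records falls back to issue (this is
    # the "issue includes issuewild" remark).  Non-wildcard names ignore
    # issuewild completely, which is why the thread's request failed.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no applicable property in the relevant RRset: unrestricted
    return any(issuer_domain(r.value) == ca.lower() for r in applicable)


if __name__ == "__main__":
    for zone_name, zone in (("parent only", PARENT_ONLY), ("with override", WITH_OVERRIDE)):
        for n in ("mmrmedia.xs4all.nl", "*.mmrmedia.xs4all.nl"):
            print(f"{zone_name:14} {n:26} letsencrypt.org ->",
                  may_issue(zone, n, "letsencrypt.org"))
```

With the parent's records alone, a non-wildcard request for `letsencrypt.org` is refused (only `comodoca.com` and `sectigo.com` appear under `issue`), which is exactly the `urn:ietf:params:acme:error:caa` result in the dehydrated output; a wildcard request would have been allowed. Once the subdomain carries its own `issue "letsencrypt.org"` record, both the plain and the wildcard name are permitted for Let's Encrypt, and the parent's records stop being relevant for that subtree.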

No, I have no control over the DNS records.
I was trying to see if I could get it working.
But I am moving to another provider next month, so I will try it there, and I have some control over DNS.

You can use any other dynamic dns provider, like duckdns or afraid.


Thanks for the tip, I will look at that.
