Change Domain Challenge Method in acme.sh

Hello!

I am having an issue where a few of my domains (we'll use calckey.club for example here) were originally challenged with http-01, and I want to migrate to dns-01. acme.sh is setting up DNS records correctly in AWS Route 53, but ACME/Let's Encrypt keeps enforcing the http-01 check, when the CAA literally says to do otherwise.

# acme.sh --issue --nginx --dns dns_aws -d calckey.club -d www.calckey.club --staging
[Sun Jan 21 02:47:49 UTC 2024] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Sun Jan 21 02:47:49 UTC 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Sun Jan 21 02:47:50 UTC 2024] Multi domain='DNS:calckey.club,DNS:www.calckey.club'
[Sun Jan 21 02:47:50 UTC 2024] Getting domain auth token for each domain
[Sun Jan 21 02:47:52 UTC 2024] Getting webroot for domain='calckey.club'
[Sun Jan 21 02:47:52 UTC 2024] Getting webroot for domain='www.calckey.club'
[Sun Jan 21 02:47:52 UTC 2024] Adding txt value: eKmt5-AkXosUnXciPbftACg7HQdufGrmpksLRJrbQEU for domain:  _acme-challenge.www.calckey.club
[Sun Jan 21 02:47:54 UTC 2024] Getting existing records for _acme-challenge.www.calckey.club
[Sun Jan 21 02:47:55 UTC 2024] TXT record updated successfully.
[Sun Jan 21 02:47:57 UTC 2024] The txt record is added: Success.
[Sun Jan 21 02:47:57 UTC 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Sun Jan 21 02:48:18 UTC 2024] You can use '--dnssleep' to disable public dns checks.
[Sun Jan 21 02:48:18 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Sun Jan 21 02:48:18 UTC 2024] Checking www.calckey.club for _acme-challenge.www.calckey.club
[Sun Jan 21 02:48:18 UTC 2024] Domain www.calckey.club '_acme-challenge.www.calckey.club' success.
[Sun Jan 21 02:48:18 UTC 2024] All success, let's return
[Sun Jan 21 02:48:18 UTC 2024] Verifying: calckey.club
[Sun Jan 21 02:48:18 UTC 2024] Nginx mode for domain:calckey.club
[Sun Jan 21 02:48:18 UTC 2024] Found conf file: /etc/nginx/conf.d/calckey.nginx.conf
[Sun Jan 21 02:48:18 UTC 2024] Backup /etc/nginx/conf.d/calckey.nginx.conf to /root/.acme.sh/calckey.club_ecc/backup/calckey.club.nginx.conf
[Sun Jan 21 02:48:18 UTC 2024] Check the nginx conf before setting up.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[Sun Jan 21 02:48:18 UTC 2024] OK, Set up nginx config file
[Sun Jan 21 02:48:18 UTC 2024] nginx conf is done, let's check it again.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[Sun Jan 21 02:48:18 UTC 2024] Reload nginx
[Sun Jan 21 02:48:21 UTC 2024] Pending, The CA is processing your order, please just wait. (1/30)
[Sun Jan 21 02:48:24 UTC 2024] Invalid status, calckey.club:Verify error detail:173.254.236.53: Invalid response from https://calckey.club/.well-known/acme-challenge/V2oZXnvn3dMRhTR1dy-FWoBnZYwPnQ8o1c5M3LXxhh0: 404
[Sun Jan 21 02:48:24 UTC 2024] Restoring from /root/.acme.sh/calckey.club_ecc/backup/calckey.club.nginx.conf to /etc/nginx/conf.d/calckey.nginx.conf
[Sun Jan 21 02:48:24 UTC 2024] Reload nginx
[Sun Jan 21 02:48:24 UTC 2024] Removing DNS records.
[Sun Jan 21 02:48:24 UTC 2024] Removing txt: eKmt5-AkXosUnXciPbftACg7HQdufGrmpksLRJrbQEU for domain: _acme-challenge.www.calckey.club
[Sun Jan 21 02:48:26 UTC 2024] Getting existing records for _acme-challenge.www.calckey.club
[Sun Jan 21 02:48:26 UTC 2024] TXT record deleted successfully.
[Sun Jan 21 02:48:28 UTC 2024] Removed: Success
[Sun Jan 21 02:48:28 UTC 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log
-> # dig calckey.club caa +short
0 issue "letsencrypt.org;validationmethods=dns-01"

Thanks!

Is that the right format of that command? The --nginx option dictates an HTTP Challenge. Although I would think --dns should override that. But did you try just leaving off --nginx? I don't have an acme.sh system to test with at the moment. In any case, I don't see why you need --nginx.

Your CAA record prevents issuance unless a specific method is used. It does not dictate the kind of challenge requested by the ACME Client (acme.sh in this case). The ACME Client must be instructed to use a request that complies with any CAA restrictions.

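As an added example (not from the thread, nor part of acme.sh), a small Python checker that parses `dig <name> caa +short` output like the record quoted above and reports whether a given CA may issue using a given ACME challenge type under the RFC 8657 `validationmethods` parameter. Running it before invoking the ACME client catches the mismatch the thread hit (CAA restricted to dns-01, client attempting http-01) without spending a validation attempt; the sample record is the constructed copy of the one in the post.

```python
"""Check whether a CAA record set permits an ACME challenge type for a CA.

Covers the relevant parts of RFC 8659 (issue/issuewild tags) and RFC 8657
(the validationmethods parameter) on records already fetched, e.g. the
`dig <name> caa +short` output shown in the thread. No network access.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the CAA record from the thread, as `dig +short` prints it
SAMPLE_CAA = '0 issue "letsencrypt.org;validationmethods=dns-01"\n'

_LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


@dataclass
class CaaRecord:
    flags: int
    tag: str                       # "issue", "issuewild", "iodef", ...
    issuer: str                    # CA domain; "" means "no CA may issue"
    params: dict = field(default_factory=dict)  # parameters after ';'


def parse_caa(text: str) -> list:
    """Parse `dig +short` CAA lines into CaaRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable CAA line: {line!r}")
        flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        issuer, *rest = value.split(";")
        params = {}
        for p in rest:
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip()
        records.append(CaaRecord(flags, tag, issuer.strip().lower(), params))
    return records


def challenge_allowed(records, ca: str, method: str, wildcard: bool = False) -> bool:
    """True if `ca` may issue using ACME `method` (e.g. "http-01", "dns-01")."""
    # RFC 8659: issuewild governs wildcard names only when such records exist;
    # otherwise issue records apply to wildcards as well.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no applicable property: any CA, any validation method
    for r in relevant:
        if r.issuer != ca.lower():
            continue
        methods = r.params.get("validationmethods")
        # RFC 8657: absent parameter means any method; otherwise a listed one
        if methods is None or method in {m.strip() for m in methods.split(",")}:
            return True
    return False
```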

That does make sense. I was able to get around the issue by removing --nginx and adding --force, on the number of domains. It's all good now!

Hopefully you only do that once. Otherwise you are likely to get rate limited by Let's Encrypt.


I've been doing that once per domain, now that I figured out the correct parameters. It's deployed successfully across multiple containers now.
