Detail -> Incorrect TXT record found acme4j

Help
#1

Hi All,

I am using accme4j client to get certificate from LetsEncrypt.
Instead of our domain name i have used "example".

But facing below issue continuously. Not sure what is missing here. same thing works with certbot command from shell.

detail -> Incorrect TXT record "kEp5zqaHXOsxSf-EPv2OTRYdJvF2eUPgVg46QgI490g" found at _acme-challenge.localuser.example.net
type -> urn:ietf:params:acme:error:unauthorized
url -> https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/195464444/NKgzYg
status invalid
type:dns-01

My domain is:localuser.example.net

My code snippet is copied below, I am facing while processing authorizations.

private void getCertificateFromCA(String dynamicDeviceName) {

    try {
        KeyPair keyPair = loadOrCreateUserKeyPair();
        Session session = new Session("acme://letsencrypt.org/staging");
        if(null != session && null != keyPair) {
            Account account = registerAndLoginAccount(session, keyPair);
            if(null != account) {
                Order order = account.newOrder()
                        .domains("localuser.example.net")
                        //.notAfter(Instant.now().plus(Duration.ofDays(20L)))
                        .create();

                for (Authorization authorization : order.getAuthorizations()) {
                    if (authorization.getStatus() != Status.VALID) {
                        processAuthorization(authorization);
                    }
                }

                InputStream inputStream = new FileInputStream(new File("/tmp/csr.csr"));
                byte[] csr = KeyPairUtil.getEncoded(inputStream);

                order.execute(csr);

                try {
                    int attempts = 10;
                    while (order.getStatus() != Status.VALID && attempts-- > 0) {
                        if (order.getStatus() == Status.INVALID) {
                            throw new AcmeException("Order failed... Giving up.");
                        }

                        Thread.sleep(3000L);
                        order.update();
                    }
                } catch (InterruptedException ex) {
                    logger.error("interrupted", ex);
                    Thread.currentThread().interrupt();
                }

                Certificate certificate = order.getCertificate();

                logger.info("Success! The certificate for domains {} has been generated!");
                logger.info("Certificate URL: {}", certificate.getLocation());

                try (FileWriter fw = new FileWriter(DOMAIN_CHAIN_FILE)) {
                    certificate.writeCertificate(fw);
                }
            }
        }
    } catch (Exception ex) {
        logger.error("Exception while processing certificate", ex);
    }
}

private void processAuthorization(Authorization authorization) throws AcmeException, InterruptedException {

    if (authorization.getStatus() == Status.VALID) {
        return;
    }

    Dns01Challenge challenge = authorization.findChallenge(Dns01Challenge.TYPE);
    String domain = authorization.getIdentifier().getDomain();
    if (challenge == null) {
        throw new AcmeException("No DNS challenge found");
    }

    if (challenge.getStatus() == Status.VALID) {
        return;
    }

    challenge.trigger();

    try {
        int attempts = 10;
        while (challenge.getStatus() != Status.VALID && attempts-- > 0) {
            if (challenge.getStatus() == Status.INVALID) {
                throw new AcmeException("Challenge failed... Giving up.");
            }

            Thread.sleep(3000L);
            challenge.update();
        }
    } catch (InterruptedException ex) {
        logger.error("interrupted", ex);
        Thread.currentThread().interrupt();
    }

}

challenge.getStatus() returns invalid state with unauthorized error. But we are manually adding DNS record in our AWS server. The same works for certbot command.

DNS record looks like below :
_acme-challenge.localuser.example.net TXT Simple -
"kEp5zqaHXOsxSf-EPv2OTRYdJvF2eUPgVg46QgI490g"

TTL is reduced to 1, 10 and kept 300 tested but no luck. Not sure what i am really missing. Can somebody help me here ASAP ?

Any help would be appreciated !! Thanks !!

#2

Also tested with production letsencrypt url but no luck

#3

Hi @divakara

your domain name is required.

1 Like
#4

Our domain name is versanow.net

#5

If you have that error, normally Letsencrypt finds an older value or the value isn't in the correct format. Or there is a value, but created with another key -> different value.

But there

is no older value visible.

Is this the original error message from the challenge? Or is this an acme4j - specific error message?

Or it's a propagation problem. Let your program wait and check, if the value is created.

1 Like
#6

The below error is throwing by acme4j client. Value and keys are proper in DNS server.
Everytime while debugging we take key and update it manually in DNS service and waits for soemtime and then we call challenge.triggger() method to proceed. Still we are facing the same issue.

I waited maximum 10 seconds till date . Do you want me to wait more time than this ?

DNS record looks like below :
_acme-challenge.localuser.example.net TXT Simple -
"kEp5zqaHXOsxSf-EPv2OTRYdJvF2eUPgVg46QgI490g"

#7

Thanks for your help and answers !!

2 Likes
#8

10 seconds?

Wait 10 minutes.

1 Like
#9

I tested for 10 mins also But still facing the same issue !!

#10

The nameservers that are authoritative for versanow.net are Amazon's AWS nameservers, but they don't believe that localuser.versanow.net exists at all.

Is it possible that your DNS records for versanow.net aren't set up the way that you expected, so that the nameserver you're updating isn't actually considered authoritative for localuser.versanow.net?

#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.