DNS-01 challenge failing

Hi,

I am trying to use the dns-01 challenge. I'm having difficulty understanding the cause of this error.
I’m trying to have a certificate for virtunix.unige.ch.

I've pushed the TXT record to the DNS, checked that the TXT was present on all DNS servers, and waited 60 seconds more. But still, the problem persists.

The last time, I ran with the debug flag and I got:

2017-12-05 15:57:02,844:INFO:certbot.auth_handler:Waiting for verification...


2017-12-05 15:57:02,844:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "hPTqVJix7MAU3HRS9Qy_g9PusP_f7qUBhMJ60_iNvzM.xnm-p1dCCSYklGnE_rJdrVC058wQyneihyC8E9jttRI", 
  "type": "dns-01", 
  "resource": "challenge"
}


2017-12-05 15:57:02,847:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233441:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "vekXVrNGXSZX_o-F6myN4GU9KdrnllqmZX-7M-0wNrgVdNFBQxLjpwazJoBXYebOdDs9ZqPnHlIlZdYCU3Lf2Gpqg-YKV8buKKy2buGT_0tXIRqnVCChL585PX4kN7R2HvP4OwD2e2HjF8dI9bNm7k783EQWphkjF98GGc4A-i7KasjTmFwNekKjlU_QsUsteG4ostDCTHKXetgThKRYR912o0gCYBil4sbMTcDLWNjuxUgqbONgEZ-g0mvg85Mr8E83opzuS7uJSm5OLrWyPaa6WYMEqsjcHW9rAGWtVZivi3gnqNp6JHZOLJEmn77oVzAwSz65ustH3HgmCjE-rQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICJLbUlQVXExSGt0TkNkWUsxclZ5emcwaThRS25oVG4xQ1FESnEwQi1pSklZIn0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogImhQVHFWSml4N01BVTNIUlM5UXlfZzlQdXNQX2Y3cVVCaE1KNjBfaU52ek0ueG5tLXAxZENDU1lrbEduRV9ySmRyVkMwNTh3UXluZWloeUM4RTlqdHRSSSIsIAogICJ0eXBlIjogImRucy0wMSIsIAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiCn0", 
  "signature": "BKyQAWhnWyJHM2DIfn3cPwAB_Ron9C5auRHu28RelvTtj9opmoGYS4bo4S3tCpmbeuzzQr5DeWtbzCqXeopNzzIXQ9uTCbK9ImYjiAvlB5JVn2KtNyqJkNzLp9wBTj7kNaxBBbE-TQmpF7ZDWYx9R1IZILlLKDXyCuYZrwpJ3CBhcroV_JOh6iKb3vGnxLPhPK6DhlJ2P92btwBT85yhDDOL2O1iYFG4pCfaEMmP0z-2eTpxWW387yN2F5fZDEsl9C1y589DecBFZ7JUxXQkb7WVkKgoqPIcIYwIl8GcgOWwwCNBfyVzZrFktxjbsdFtFQTtPl6Q6znf09gUPf-OKg"
}


2017-12-05 15:57:03,241:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233441 HTTP/1.1" 400 149


2017-12-05 15:57:03,242:DEBUG:acme.client:Received response:
HTTP 400
Server: nginx
Content-Type: application/problem+json
Content-Length: 149
Boulder-Requester: 9861512
Replay-Nonce: tso7w8ctczsbD8eLsUjTyNR-2lGacnwToL1dbO6xkSQ
Expires: Tue, 05 Dec 2017 15:57:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 05 Dec 2017 15:57:03 GMT
Connection: close

{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce KmIPUq1HktNCdYK1rVyzg0i8QKnhTn1CQDJq0B-iJIY",
  "status": 400
}


2017-12-05 15:57:03,242:DEBUG:acme.client:Storing nonce: tso7w8ctczsbD8eLsUjTyNR-2lGacnwToL1dbO6xkSQ


2017-12-05 15:57:03,242:DEBUG:acme.client:Retrying request after error:
urn:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce KmIPUq1HktNCdYK1rVyzg0i8QKnhTn1CQDJq0B-iJIY


2017-12-05 15:57:03,242:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "hPTqVJix7MAU3HRS9Qy_g9PusP_f7qUBhMJ60_iNvzM.xnm-p1dCCSYklGnE_rJdrVC058wQyneihyC8E9jttRI", 
  "type": "dns-01", 
  "resource": "challenge"
}


2017-12-05 15:57:03,245:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233441:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "vekXVrNGXSZX_o-F6myN4GU9KdrnllqmZX-7M-0wNrgVdNFBQxLjpwazJoBXYebOdDs9ZqPnHlIlZdYCU3Lf2Gpqg-YKV8buKKy2buGT_0tXIRqnVCChL585PX4kN7R2HvP4OwD2e2HjF8dI9bNm7k783EQWphkjF98GGc4A-i7KasjTmFwNekKjlU_QsUsteG4ostDCTHKXetgThKRYR912o0gCYBil4sbMTcDLWNjuxUgqbONgEZ-g0mvg85Mr8E83opzuS7uJSm5OLrWyPaa6WYMEqsjcHW9rAGWtVZivi3gnqNp6JHZOLJEmn77oVzAwSz65ustH3HgmCjE-rQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICJ0c283dzhjdGN6c2JEOGVMc1VqVHlOUi0ybEdhY253VG9MMWRiTzZ4a1NRIn0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogImhQVHFWSml4N01BVTNIUlM5UXlfZzlQdXNQX2Y3cVVCaE1KNjBfaU52ek0ueG5tLXAxZENDU1lrbEduRV9ySmRyVkMwNTh3UXluZWloeUM4RTlqdHRSSSIsIAogICJ0eXBlIjogImRucy0wMSIsIAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiCn0", 
  "signature": "ht0Kw4JQ5ylXKahSH3eatLxWwNCFqa0IBAj9zBltXfr73eVRoSEV264708OYawju8PlHicRTPo4kWzYaxE7Em3pYspRpDR7LsKQ_O3SCu9cHXoYij79LqQ9CSX6g7RMHLw1M2UpfJEnE6wA9q9clhp_80BdLxjuqAUdmW3IYVOzqxBKMyh7d92ymR6X4Kbw5oyH2P5BVu80mcNIhUsKdyhNZraiezZUQk_wkACckwG7edaG9iHfvcfJi-g6SWJj1rqzNdv-nJo1su7sBJo13-v89tr5ek74e2WPXUJGS7z4Y-KAy_7BKkIMHAPHBwGCKHYqd9l-QMxzAkKkAhyp_bw"
}


2017-12-05 15:57:03,245:DEBUG:requests.packages.urllib3.connectionpool:Resetting dropped connection: acme-v01.api.letsencrypt.org


2017-12-05 15:57:03,246:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (2): acme-v01.api.letsencrypt.org


2017-12-05 15:57:03,643:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233441 HTTP/1.1" 202 335
2017-12-05 15:57:03,644:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 335
Boulder-Requester: 9861512
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233441
Replay-Nonce: ibWjnC5Pm5uKIWbtjtwFmzPeIh38fb-cnMC0zBy6kVc
Expires: Tue, 05 Dec 2017 15:57:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 05 Dec 2017 15:57:03 GMT
Connection: keep-alive

{
  "type": "dns-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233441",
  "token": "hPTqVJix7MAU3HRS9Qy_g9PusP_f7qUBhMJ60_iNvzM",
  "keyAuthorization": "hPTqVJix7MAU3HRS9Qy_g9PusP_f7qUBhMJ60_iNvzM.xnm-p1dCCSYklGnE_rJdrVC058wQyneihyC8E9jttRI"
}


2017-12-05 15:57:03,645:DEBUG:acme.client:Storing nonce: ibWjnC5Pm5uKIWbtjtwFmzPeIh38fb-cnMC0zBy6kVc


2017-12-05 15:57:06,648:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q.
2017-12-05 15:57:06,857:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q HTTP/1.1" 200 1301
2017-12-05 15:57:06,858:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1301
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: _sJ3KiEaLuq6KzX7GjlxH6cT5CSOfG3-8732qy2_Izo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 05 Dec 2017 15:57:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 05 Dec 2017 15:57:06 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "virtunix.unige.ch"
  },
  "status": "invalid",
  "expires": "2017-12-12T15:50:30Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.virtunix.unige.ch",
        "status": 400
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233441",
      "token": "hPTqVJix7MAU3HRS9Qy_g9PusP_f7qUBhMJ60_iNvzM",
      "keyAuthorization": "hPTqVJix7MAU3HRS9Qy_g9PusP_f7qUBhMJ60_iNvzM.xnm-p1dCCSYklGnE_rJdrVC058wQyneihyC8E9jttRI"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233442",
      "token": "YPztLMjIyaS1dNkmL288Gcp1gyOaod-dkclnGLxp564"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Gm4sC8YgnzeZBzwVe0HnrmO7wErnMqB_SRmo_b5K8-Q/2649233443",
      "token": "em7bPkujTRfDtm7k_e0hRL9p8M15yI4Z3yeEq8SwH-M"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      1
    ],
    [
      0
    ]
  ]
}


2017-12-05 15:57:06,859:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: virtunix.unige.ch
Type:   connection
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.virtunix.unige.ch

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.


2017-12-05 15:57:06,859:INFO:certbot.auth_handler:Cleaning up challenges


2017-12-05 15:57:06,997:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. virtunix.unige.ch (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.virtunix.unige.ch

My domain is:
unige.ch

I ran this command:
env https_proxy="https://proxy.unige.ch:3128" certbot certonly \
    --preferred-challenges dns-01 \
    --authenticator manual \
    --manual-auth-hook /usr/local/bin/chiffreca-hook-auth \
    --manual-cleanup-hook /usr/local/bin/chiffreca-hook-cleanup \
    --manual-public-ip-logging-ok \
    --debug \
    --domain=virtunix.unige.ch

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for virtunix.unige.ch
Waiting for verification...
Cleaning up challenges
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. virtunix.unige.ch (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.virtunix.unige.ch


IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: virtunix.unige.ch
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.virtunix.unige.ch

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):
No need, as it uses dns-01.

The operating system my web server runs on is (include version):
Debian 9.1

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Hi @briner,

It looks like you have four authoritative nameservers:

$> dig +short NS unige.ch
dns93.unige.ch.
uni2b.unige.ch.
scsnms.switch.ch.
sns2-tss2.unige.ch.

Two of them are serving an NXDOMAIN for _acme-challenge.virtunix.unige.ch:

$> for ns in $(dig +short NS unige.ch); do echo -n "NS $ns: "; dig @$ns TXT _acme-challenge.virtunix.unige.ch | grep "NXDOMAIN" || echo "Found TXT"; done
NS dns93.unige.ch.: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57711
NS uni2b.unige.ch.: Found TXT
NS scsnms.switch.ch.: Found TXT
NS sns2-tss2.unige.ch.: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25866

The Let's Encrypt validation authority chooses one of your authoritative DNS servers at random. If it lands on either sns2-tss2.unige.ch or dns93.unige.ch, it will fail because of the NXDOMAIN error returned.

Do you know why these two servers don't have the TXT record you provisioned? If possible your client should wait to POST the DNS-01 challenge until it knows all of your authoritative DNS servers are ready.

Hope that helps!

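The gating step cpu describes above, written out as an added example (not code from this thread, from certbot, or from Let's Encrypt): discover the authoritative nameserver set for the zone that actually holds _acme-challenge.<domain>, ask each of those servers directly for the TXT record, and only return from the auth hook once every one of them answers correctly, so that a random pick by the validation authority can no longer land on a server that still says NXDOMAIN. DNS access is injected as a callable so the logic runs offline against constructed records; dig_resolver() is the assumed real backend (it assumes BIND's dig is installed), 8.8.8.8 is assumed as the recursive resolver for NS discovery, and the CERTBOT_DOMAIN / CERTBOT_VALIDATION environment variables are the ones certbot exports to --manual-auth-hook. dns01_txt_value() shows how the keyAuthorization visible in the debug log maps to the TXT value that has to be published. The four nameserver names mirror the thread; the TXT value and which servers serve it are constructed.

```python
"""Gate a dns-01 challenge on every authoritative nameserver serving the TXT record.

Added example; not code from the thread, certbot or Let's Encrypt. DNS access is
injected as a callable so the logic runs offline; dig_resolver() is the assumed
real backend.
"""
import base64
import hashlib
import os
import subprocess
import time
from typing import Callable, Dict, List, Optional

# (nameserver, qname, rrtype) -> record strings, or None for NXDOMAIN / no data
Resolver = Callable[[str, str, str], Optional[List[str]]]


def dns01_txt_value(key_authorization: str) -> str:
    """dns-01 TXT payload (RFC 8555 s8.4): unpadded base64url(SHA-256(keyAuthorization)).
    certbot hands this value to manual hooks as CERTBOT_VALIDATION."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def find_zone_nameservers(name: str, resolve: Resolver, recursive_ns: str) -> List[str]:
    """Walk up from `name` one label at a time until a name owns NS records.
    _acme-challenge.virtunix.unige.ch is not a zone cut; the NS set lives at unige.ch."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        ns = resolve(recursive_ns, ".".join(labels[i:]), "NS")
        if ns:
            return sorted(n.rstrip(".") for n in ns)
    raise LookupError(f"no NS records found above {name}")


def check_nameservers(name: str, expected: str, nameservers: List[str],
                      resolve: Resolver) -> Dict[str, bool]:
    """Query each authoritative server directly (no caches in between) and
    report whether it serves a TXT record equal to `expected`."""
    status = {}
    for ns in nameservers:
        answers = resolve(ns, name, "TXT")
        status[ns] = bool(answers) and expected in answers
    return status


def wait_until_propagated(name: str, expected: str, nameservers: List[str],
                          resolve: Resolver, timeout: float = 300.0,
                          interval: float = 10.0, sleep=time.sleep) -> bool:
    """Poll until *all* servers answer correctly or the timeout passes. The VA
    picks one authoritative server at random, so a single NXDOMAIN is a failure."""
    deadline = time.monotonic() + timeout
    while True:
        if all(check_nameservers(name, expected, nameservers, resolve).values()):
            return True
        if time.monotonic() >= deadline:
            return False
        sleep(interval)


def make_fake_resolver(records: Dict[tuple, List[str]]) -> Resolver:
    """Offline resolver over a dict keyed by (nameserver, qname, rrtype);
    a missing key behaves like NXDOMAIN."""
    def resolve(nameserver: str, qname: str, rrtype: str) -> Optional[List[str]]:
        return records.get((nameserver.rstrip("."), qname.rstrip("."), rrtype))
    return resolve


# Constructed sample mirroring the thread: four authoritative servers for
# unige.ch, two of which return NXDOMAIN for the challenge name. The TXT value
# is made up, not a real digest.
CHALLENGE_NAME = "_acme-challenge.virtunix.unige.ch"
SAMPLE_TXT = "constructed-sample-value-not-a-real-digest"
SAMPLE_RECORDS = {
    ("8.8.8.8", "unige.ch", "NS"): ["dns93.unige.ch.", "uni2b.unige.ch.",
                                    "scsnms.switch.ch.", "sns2-tss2.unige.ch."],
    ("uni2b.unige.ch", CHALLENGE_NAME, "TXT"): [SAMPLE_TXT],
    ("scsnms.switch.ch", CHALLENGE_NAME, "TXT"): [SAMPLE_TXT],
}


def dig_resolver(nameserver: str, qname: str, rrtype: str) -> Optional[List[str]]:
    """Assumed real backend: BIND `dig +short`. TXT data comes back quoted;
    NXDOMAIN or an empty answer prints nothing. Multi-string TXT records are
    not handled (a dns-01 value is one 43-character string)."""
    out = subprocess.run(["dig", "+short", "+time=3", "+tries=1",
                          f"@{nameserver}", qname, rrtype],
                         capture_output=True, text=True, check=False).stdout
    lines = [l.strip().strip('"') for l in out.splitlines() if l.strip()]
    return lines or None


def main() -> int:
    # certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION for --manual-auth-hook.
    # Publishing the record is left to whatever the existing hook already does;
    # this only blocks until the record is visible everywhere.
    domain = os.environ["CERTBOT_DOMAIN"]
    expected = os.environ["CERTBOT_VALIDATION"]
    name = f"_acme-challenge.{domain}"
    nss = find_zone_nameservers(name, dig_resolver, "8.8.8.8")  # assumption: Google DNS
    ok = wait_until_propagated(name, expected, nss, dig_resolver)
    for ns, ready in check_nameservers(name, expected, nss, dig_resolver).items():
        print(f"{ns}: {'OK' if ready else 'missing'}")
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Because certbot runs the auth hook synchronously and only POSTs the challenge after the hook returns, the wait itself is what prevents the early POST; the non-zero exit on timeout is there so the failure is visible in certbot's log. Querying the authoritative servers by name rather than a recursive resolver matters for the same reason it did in the thread: a recursive resolver (or a view that differs between inside and outside the network) can say "found" while one of the servers the VA will actually ask still says NXDOMAIN.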

Do you still have that TXT record? I don’t see it either:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> @8.8.8.8 _acme-challenge.virtunix.unige.ch TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34054
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.virtunix.unige.ch. IN  TXT

;; AUTHORITY SECTION:
unige.ch.               1799    IN      SOA     uni2b.unige.ch. netmaster.unige.ch. 2017120529 3600 1800 604800 43200

;; Query time: 120 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec  5 11:42:31 2017
;; MSG SIZE  rcvd: 103

Hi @cpu and @jared.m,
I’ve tried the following snippet to see if all our DNS were returning the correct value

for ns in $(dig +short NS unige.ch | sort); do
    echo "NS $ns: "
    dig @$ns _acme-challenge.virtunix.unige.ch TXT +short
done

From within our network our DNS servers were responding fine, but this was not the case from outside. Our DNS master finally solved the problem. Now python-certbot is doing as expected.

Many thanks from Switzerland.

cED


Great! Glad to hear it! Thank you for reporting back.
