Dns-01 challenge via ansible acme module appears to be correct but is rejected with "Incorrect TXT record .. (and 1 more)"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cabal5.net

I ran this command using ansible ACME challenge, got this response:

    ---
    account_uri: https://acme-v02.api.letsencrypt.org/acme/acct/557512666
    authorizations:
      '*.cabal5.net':
        challenges:
        - status: pending
          token: UA4KxVpQB4iVzucg0k_M4e9kX7CCP3ANSHFLYLgFtDc
          type: dns-01
          url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/268768749716/AvPvMA
        expires: '2023-10-05T12:40:50Z'
        identifier:
          type: dns
          value: cabal5.net
        status: pending
        uri: https://acme-v02.api.letsencrypt.org/acme/authz-v3/268768749716
        wildcard: true
      cabal5.net:
        challenges:
        - status: pending
          token: 82lIAT-SxbOFbJXCfcDDdZ8c5EoTC_zyqRuKxAORMaI
          type: http-01
          url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/268768749726/sn8sVQ
        - status: pending
          token: 82lIAT-SxbOFbJXCfcDDdZ8c5EoTC_zyqRuKxAORMaI
          type: dns-01
          url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/268768749726/MnZpOg
        - status: pending
          token: 82lIAT-SxbOFbJXCfcDDdZ8c5EoTC_zyqRuKxAORMaI
          type: tls-alpn-01
          url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/268768749726/pUHKuw
        expires: '2023-10-05T12:40:50Z'
        identifier:
          type: dns
          value: cabal5.net
        status: pending
        uri: https://acme-v02.api.letsencrypt.org/acme/authz-v3/268768749726
    cert_days: -1
    challenge_data:
      '*.cabal5.net':
        dns-01:
          record: _acme-challenge.cabal5.net
          resource: _acme-challenge
          resource_value: LOg5D5c70RK7pJo5ZM91tIbWJUzelcW4mrc9tdievJ0
      cabal5.net:
        dns-01:
          record: _acme-challenge.cabal5.net
          resource: _acme-challenge
          resource_value: 1C3xidg4E_YAsR4i3fT0-gafHucpv0JXc_Nytc6HzbA
        http-01:
          resource: .well-known/acme-challenge/82lIAT-SxbOFbJXCfcDDdZ8c5EoTC_zyqRuKxAORMaI
          resource_value: 82lIAT-SxbOFbJXCfcDDdZ8c5EoTC_zyqRuKxAORMaI.joXWuxGsAbbKA_9QisP5ThcoDJs0sqHnsfr1Td6tewg
        tls-alpn-01:
          resource: cabal5.net
          resource_original: dns:cabal5.net
          resource_value: 1C3xidg4E/YAsR4i3fT0+gafHucpv0JXc/Nytc6HzbA=
    challenge_data_dns:
      _acme-challenge.cabal5.net:
      - LOg5D5c70RK7pJo5ZM91tIbWJUzelcW4mrc9tdievJ0
      - 1C3xidg4E_YAsR4i3fT0-gafHucpv0JXc_Nytc6HzbA
    changed: true
    failed: false
    finalize_uri: https://acme-v02.api.letsencrypt.org/acme/finalize/557512666/211445202326
    order_uri: https://acme-v02.api.letsencrypt.org/acme/order/557512666/211445202326

I inserted these DNS TXT RR from the challenge:

    UA4KxVpQB4iVzucg0k_M4e9kX7CCP3ANSHFLYLgFtDc
    82lIAT-SxbOFbJXCfcDDdZ8c5EoTC_zyqRuKxAORMaI

flushed DNS cache and confirmed:

$ drill TXT _acme-challenge.cabal5.net
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17362
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; _acme-challenge.cabal5.net.  IN      TXT

;; ANSWER SECTION:
_acme-challenge.cabal5.net.     300     IN      TXT     "82lIAT-SxbOFbJXCfcDDdZ8c5EoTC_zyqRuKxAORMaI"
_acme-challenge.cabal5.net.     300     IN      TXT     "UA4KxVpQB4iVzucg0k_M4e9kX7CCP3ANSHFLYLgFtDc"

The acme response:

fatal: [i09.cabal5.net]: FAILED! => changed=false
  msg: 'Failed to validate challenge for dns:*.cabal5.net: Status is not "valid". Challenge dns-01: Error urn:ietf:params:acme:error:unauthorized: "Incorrect TXT record "UA4KxVpQB4iVzucg0k_M4e9kX7CCP3ANSHFLYLgFtDc" (and 1 more) found at _acme-challenge.cabal5.net".'
  other:
    authorization:
      challenges:
      - error:
          detail: Incorrect TXT record "UA4KxVpQB4iVzucg0k_M4e9kX7CCP3ANSHFLYLgFtDc" (and 1 more) found at _acme-challenge.cabal5.net
          status: 403
          type: urn:ietf:params:acme:error:unauthorized
        status: invalid
        token: UA4KxVpQB4iVzucg0k_M4e9kX7CCP3ANSHFLYLgFtDc
        type: dns-01
        url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/268768749716/AvPvMA
        validated: '2023-09-28T12:45:11Z'
      expires: '2023-10-05T12:40:50Z'
      identifier:
        type: dns
        value: cabal5.net
      status: invalid
      uri: https://acme-v02.api.letsencrypt.org/acme/authz-v3/268768749716
      wildcard: true
    identifier: dns:*.cabal5.net

Which clearly shows that the "incorrect" TXT record is precisely the record I was requested to insert.

My DNS server is (include version):

  • n/a dnsdist 1.8.1 for DNS-01 challenge

The operating system my web server runs on is (include version):

  • n/a FreeBSD 13.2-RELEASE

My hosting provider, if applicable, is: Equinix.

I can login to a root shell on my machine (yes or no, or I don't know):

  • yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

  • no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

$ ansible --version
ansible [core 2.15.2]
  config file = /usr/home/dch/src/ansible/ansible.cfg
  configured module search path = ['/home/dch/.ansible/plugins/modules', '/usr/local/share/py39-ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/dch/.ansible/collections:/usr/local/share/py39-ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.18 (main, Sep 12 2023, 01:16:40) [Clang 14.0.5 (https://github.com/llvm/llvm-project.git llvmorg-14.0.5-0-gc1238 (/usr/local/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True

ansible role task - ansible acme task for automating TLS cert generation · GitHub

NB I used acme.sh to deploy working certs, and thus the current DNS TXT RR are different to what's posted above, but I would love to understand what ansible & LE disagree about here, for next time.

I'm not an ansible guru...
But it seems like you are updating the TXT record and then rerunning the script - which would get a new set of TXT records [each time it runs]:

3 Likes

[edited] I think I see what you're saying - perhaps I should be using the challenge_data[].dns-01.resource_value fields, and not the tokens shown above? That would indeed give different TXT RR and it's not what I've been putting into DNS :blush:

    challenge_data:
      '*.cabal5.net':
        dns-01:
          record: _acme-challenge.cabal5.net
          resource: _acme-challenge
          resource_value: LOg5D5c70RK7pJo5ZM91tIbWJUzelcW4mrc9tdievJ0
      cabal5.net:
        dns-01:
          record: _acme-challenge.cabal5.net
          resource: _acme-challenge
          resource_value: 1C3xidg4E_YAsR4i3fT0-gafHucpv0JXc_Nytc6HzbA

Looking at git history, there's been some automation done for the DNS RR updates, that now uses the authorizations[].challenges.token instead of the challenge_data[].dns-01.resource_value; this looks like what's broken here!

I'll try this later tonight. thanks for the hint.

1 Like
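The exchange above pins the cause down: the TXT record must carry the dns-01 digest that Ansible reports as `challenge_data[...].dns-01.resource_value`, not the challenge token. The following Python is an added example, not code from this thread, from Ansible or from Let's Encrypt. It derives that value from a token and the account-key thumbprint the way RFC 8555 section 8.4 specifies (the thumbprint is the part after the dot in the thread's http-01 resource_value) and checks a list of TXT strings returned by DNS against it. The sample inputs are the values posted in the thread; `check_txt_records` and `diagnose` are names of my own, not an Ansible API.

```python
# Added example, not code from this thread, from Ansible or from Let's Encrypt.
# It derives the dns-01 TXT value exactly as RFC 8555 section 8.4 specifies and
# checks what a resolver returned against it, so the "raw token instead of
# digest" mistake is caught before the CA is asked to validate.
import base64
import hashlib

# Sample input copied from the thread's challenge_data for cabal5.net. The
# http-01 resource_value there is the key authorization "<token>.<thumbprint>",
# which is where the account-key thumbprint below comes from.
TOKEN = "82lIAT-SxbOFbJXCfcDDdZ8c5EoTC_zyqRuKxAORMaI"
WILDCARD_TOKEN = "UA4KxVpQB4iVzucg0k_M4e9kX7CCP3ANSHFLYLgFtDc"
THUMBPRINT = "joXWuxGsAbbKA_9QisP5ThcoDJs0sqHnsfr1Td6tewg"
# dns-01 and tls-alpn-01 resource_value for cabal5.net as reported by Ansible:
# the same 32-byte digest, once base64url without padding, once standard base64.
EXPECTED_DNS01 = "1C3xidg4E_YAsR4i3fT0-gafHucpv0JXc_Nytc6HzbA"
EXPECTED_TLS_ALPN01 = "1C3xidg4E/YAsR4i3fT0+gafHucpv0JXc/Nytc6HzbA="
# dns-01 resource_value for *.cabal5.net (same account key, different token).
EXPECTED_WILDCARD_DNS01 = "LOg5D5c70RK7pJo5ZM91tIbWJUzelcW4mrc9tdievJ0"


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses (RFC 8555 s.8.1)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def key_authorization(token: str, thumbprint: str) -> str:
    """token '.' base64url JWK thumbprint of the account key (RFC 8555 s.8.1)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT contents for dns-01: base64url(SHA-256(key authorization)), s.8.4.
    The raw token never goes into DNS; only this digest does."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url_nopad(digest)


def tls_alpn01_value(token: str, thumbprint: str) -> str:
    """Same digest in padded standard base64, which is how Ansible reports the
    tls-alpn-01 resource_value; included only to make the relationship visible."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_txt_records(observed, expected):
    """Compare TXT strings returned by DNS with the values the order requires.
    The CA only needs each expected value to be present somewhere at the name,
    so 'missing' is what fails validation; 'unexpected' lists stale or wrong
    strings, which is what the CA quotes as 'Incorrect TXT record ...'."""
    obs, exp = set(observed), set(expected)
    return {
        "ok": exp <= obs,
        "missing": sorted(exp - obs),
        "unexpected": sorted(obs - exp),
    }


def diagnose(observed, tokens, thumbprint):
    """Hypothetical helper (my own name, not an Ansible API): explain the mistake
    from the thread, where the challenge tokens were published instead of the
    digests. Returns human-readable findings; an empty list means DNS is ready."""
    findings = []
    for tok in tokens:
        if tok in observed:
            findings.append(
                f"TXT holds the raw token {tok}; publish {dns01_txt_value(tok, thumbprint)} instead"
            )
    result = check_txt_records(observed, [dns01_txt_value(t, thumbprint) for t in tokens])
    for val in result["missing"]:
        findings.append(f"required TXT value {val} not found")
    return findings


if __name__ == "__main__":
    # What the thread's `drill TXT _acme-challenge.cabal5.net` showed: the tokens.
    observed_in_dns = [TOKEN, WILDCARD_TOKEN]
    for line in diagnose(observed_in_dns, [TOKEN, WILDCARD_TOKEN], THUMBPRINT):
        print(line)
```

Run as a script it reports, for the records from the `drill` output above, that both TXT strings are raw tokens and that both required digests are absent, which is exactly the situation Let's Encrypt described as "Incorrect TXT record ... (and 1 more)". Feeding it the two `resource_value` strings instead yields no findings.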
