Dns-01 error 403 simple ACME client (wacs.exe)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.hidden.ideafarm.com

I ran this command: wacs.exe (simple-acme)

It produced this output:


1: Retry check
2: Ignore and continue
3: Abort

How would you like to proceed?: 1

[*.hidden.ideafarm.com] [97.74.109.10] No TXT records found
[*.hidden.ideafarm.com] [173.201.77.10] No TXT records found
[*.hidden.ideafarm.com] Preliminary validation failed on all nameservers

The correct record has not yet been found by the local resolver. That means
it's likely the validation attempt will fail, or your DNS provider needs a
little more time to publish and synchronize the changes.

1: Retry check
2: Ignore and continue
3: Abort

How would you like to proceed?: 2

[*.hidden.ideafarm.com] Record FRvPngtiDN1V5B_0CkyQAtTvlHZI6IZ9-svIyjx_d3w successfully created
First chance error calling into ACME server, retrying with new nonce...
[*.hidden.ideafarm.com] Authorization result: invalid
[*.hidden.ideafarm.com] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \u0022\\\\u0022FRvPngtiDN1V5B_0CkyQAtTvlHZI6IZ9-svIyjx_d3w\\\\u0022\u0022 found at _acme-challenge.hidden.ideafarm.com","status":403,"instance":null}

Domain: hidden.ideafarm.com
Record: _acme-challenge.hidden.ideafarm.com
Type: TXT
Content: "FRvPngtiDN1V5B_0CkyQAtTvlHZI6IZ9-svIyjx_d3w"

Please press after you've deleted the record

[*.hidden.ideafarm.com] Record FRvPngtiDN1V5B_0CkyQAtTvlHZI6IZ9-svIyjx_d3w deleted
[*.hidden.ideafarm.com] Deactivating pending authorization
First chance error calling into ACME server, retrying with new nonce...
No certificate generated

Create certificate failed, retry? (y/n*)

My web server is (include version): N/A (using dns-01 validation for wildcard domain)

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

A simple cross platform ACME client (WACS)
Software version 2.3.4.2084 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...

Notes:

The nameserver for this domain is a Vultr Shared CPU that runs a custom DNS server program. I have custom software that saves an exact image of the response message that it sends for a query via Cloudflare's 1.1.1.1 DNS server for TXT _acme-challenge.hidden.ideafarm.com .

A GoDaddy nameserver serves DNS responses for domain IDEAFARM.COM, and refers queries for the hidden.ideafarm.com zone to the custom DNS server. For testing, the Godaddy nameserver has the definition of a TXT record for _acme-challenge_hidden.ideafarm.com .

The images served in response to the two TXT queries are identical, other than the differences expected due to the '.' character changed to '_'.

The error message is cryptic and unintelligible to me. Since the DNS response images are practically identical, I have no idea what the client doesn't like. I have successfully obtained a certificate for *.ideafarm.com, but need to get one for *.hidden.ideafarm.com and cannot do so. TIA

P.S. I have not deleted the TXT records discussed above, so anyone can query them both to verify that the response images are essentially identical. One image is sent by a GoDaddy DNS server. The other image is sent by a custom DNS server that is registered with GoDaddy as the nameserver for hidden.ideafarm.com .

Here's what I'm getting:

_acme-challenge.hidden.ideafarm.com. 600 IN TXT	"\"FRvPngtiDN1V5B_0CkyQAtTvlHZI6IZ9-svIyjx_d3w\""

Those extra quotes have to go.

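As an added example (not simple-acme's code and not posted by anyone in this thread), a small Python checker that parses the zone-file presentation form of a TXT record, as shown in the dig-style line above, and reports whether the value equals the expected dns-01 token or is the token wrapped in literal quote characters, which is exactly what the 403 above complains about. The sample lines and the helper names are constructed for this example.

```python
"""Pre-flight check for a dns-01 TXT record before asking the CA to validate."""
import re

# Constructed samples: the broken record from the thread and its corrected form.
SAMPLE_TOKEN = "FRvPngtiDN1V5B_0CkyQAtTvlHZI6IZ9-svIyjx_d3w"
BROKEN_LINE = r'_acme-challenge.hidden.ideafarm.com. 600 IN TXT "\"FRvPngtiDN1V5B_0CkyQAtTvlHZI6IZ9-svIyjx_d3w\""'
FIXED_LINE = r'_acme-challenge.hidden.ideafarm.com. 600 IN TXT "FRvPngtiDN1V5B_0CkyQAtTvlHZI6IZ9-svIyjx_d3w"'


def rdata_of(zone_line: str) -> str:
    """Return the RDATA part of 'name TTL class TXT rdata' (assumed layout)."""
    return zone_line.split(maxsplit=4)[4]


def parse_txt_presentation(rdata: str) -> list[str]:
    """Split RFC 1035 <character-string>s, decoding \\" , \\\\ and \\DDD escapes."""
    strings, i = [], 0
    while i < len(rdata):
        if rdata[i].isspace():
            i += 1
            continue
        if rdata[i] != '"':
            raise ValueError(f"unquoted character-string at offset {i}")
        i, out = i + 1, []
        while i < len(rdata) and rdata[i] != '"':
            if rdata[i] == "\\":
                m = re.match(r"\\(\d{3})", rdata[i:])
                if m:                      # decimal escape, e.g. \065 -> 'A'
                    out.append(chr(int(m.group(1))))
                    i += 4
                    continue
                if i + 1 >= len(rdata):
                    raise ValueError("dangling backslash")
                out.append(rdata[i + 1])   # \" or \\ -> literal char
                i += 2
            else:
                out.append(rdata[i])
                i += 1
        if i >= len(rdata):
            raise ValueError("unterminated character-string")
        i += 1                             # skip closing quote
        strings.append("".join(out))
    return strings


def check_challenge(rdata: str, expected: str) -> tuple[bool, str]:
    """Compare the decoded TXT value with the token the CA expects."""
    value = "".join(parse_txt_presentation(rdata))   # long tokens may be split
    if value == expected:
        return True, "TXT value matches the challenge token"
    if value.strip('"') == expected:
        return False, "token is wrapped in literal quote characters; remove them from the record content"
    return False, f"unexpected TXT value {value!r}"
```

Run `check_challenge(rdata_of(BROKEN_LINE), SAMPLE_TOKEN)` to see the quote diagnosis; the same check on `FIXED_LINE` passes.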

That appears to work, although now I need to add a CAA record to the DNS for hidden.ideafarm.com . So, apparently, the value of the TXT record is NOT supposed to begin and end with a double quote mark. simple-acme needs to change what it displays to the contrary: "Note: Some DNS managers add quotes automatically. A single set is needed."

Yes. Mission accomplished; I've got my certificate. Thank you, @danb35. I did think that it was odd to require double quote delimiters within the RDATA field. But simple-acme's command processor stated so clearly that they are required. I hope that they see this and fix that.

The real solution is to avoid Manual DNS validation and instead investigate what automation you can use, then the quoting of the values (or not) becomes an implementation detail of the automation that you never have to think about again. With Manual DNS updates you are losing the benefits of renewal automation and it should only be used for proof of concept/testing.

If you create an issue at GitHub - simple-acme/simple-acme: A simple cross platform ACME client (for use with Let's Encrypt et al.) then there's a good chance that will be addressed.


The simple-acme command processor states that automatic renewal is not supported for wildcard domains. If they actually do support it, that's another statement that needs to be fixed. I have created Command processor displays incorrect advice, saying that the TXT RDATA value must contain " delimiters. · Issue #280 · simple-acme/simple-acme · GitHub as you suggested.

They mean "auto-renew not possible" if you choose the manual option (option 11) in this screenshot:

You could for instance use ACME DNS to automatically answer DNS challenges for your subdomain. Or if your custom DNS server supports RFC2136 you could install a plugin or use a script to do that.

I agree the instruction note about quotes should probably be removed:


Thank you again, @danb35 and @webprofusion . I now see how simple-acme works. This exercise has been an example of "When all else fails, RTFM." Now that I've RTFM, I am looking forward to playing more with this wonderful rewrite of certbot.


Yeah. That's the book that I finally cracked open! Didn't know that simple-ACME has been around that long!


It's a great little tool. Note that it and the many other acme clients available have no relation to certbot other than providing some similar functionality. Definitely not a rewrite!


"It's much easier to edit than to create." Your definition of "rewrite" is narrower than mine. The rarest and most valuable phase of software craftwork is to create (or awaken to) a vision for the product. Regarding product concept or vision, yes, it is a rewrite, a re-implementation of essentially the same vision. AFAIK, simple-acme does exactly the same things that certbot did, only better. That's a "rewrite" as I understand the term.

Ha yeah, don't worry about it I'm just being pedantic and it's not important to this topic.


Well, it hasn't, strictly speaking.

But, the principal behind it was the sole maintainer of win-acme for a long time.

Simple-acme is a fork of win-acme and a drop-in replacement for it. The "why" of that is at this "About" page: simple-acme

We happily recommend simple-acme especially as a replacement for win-acme. And, even for people migrating away from Certbot since the EFF dropped support for Windows over 1.5 years ago. Simple-acme, along with Certify the Web (gui), and Posh-ACME (powershell) are the 3 most commonly recommended ACME Clients for Windows on this forum.

