Dns-01 urn:ietf:params:acme:error:unauthorized 403

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dev-acme.revmed.com

I ran this command: sudo certbot renew --dry-run

It produced this output:
2023-04-12 00:18:12,712:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2023-04-12 00:18:13,014:DEBUG:certbot._internal.main:certbot version: 2.5.0
2023-04-12 00:18:13,014:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2913/bin/certbot
2023-04-12 00:18:13,014:DEBUG:certbot._internal.main:Arguments: ['--dry-run', '-v', '--preconfigured-renewal']
2023-04-12 00:18:13,014:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-04-12 00:18:13,038:DEBUG:certbot._internal.log:Root logging level set at 20
2023-04-12 00:18:13,039:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/dev-acme.revmed.com.conf
2023-04-12 00:18:13,067:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7faaaf8168e0> and installer <certbot._internal.cli.cli_utils._Default object at 0x7faaaf8168e0>
2023-04-12 00:18:13,067:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2023-04-12 00:18:13,067:DEBUG:certbot._internal.cli:Var server={'staging', 'dry_run'} (set by user).
2023-04-12 00:18:13,067:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2023-04-12 00:18:13,067:DEBUG:certbot._internal.cli:Var server={'staging', 'dry_run'} (set by user).
2023-04-12 00:18:13,067:DEBUG:certbot._internal.cli:Var account={'server'} (set by user).
2023-04-12 00:18:13,093:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2023-04-12 00:18:13,251:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2023-04-12 00:18:13,252:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/dev-acme.revmed.com/cert1.pem is signed by the certificate's issuer.
2023-04-12 00:18:13,253:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/dev-acme.revmed.com/cert1.pem is: OCSPCertStatus.GOOD
2023-04-12 00:18:13,256:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2023-04-28 09:14:19 UTC.
2023-04-12 00:18:13,257:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2023-04-12 00:18:13,257:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2023-04-12 00:18:13,260:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: Authenticator, Plugin
Entry point: manual = certbot._internal.plugins.manual:Authenticator
Initialized: <certbot._internal.plugins.manual.Authenticator object at 0x7faaaf81ac70>
Prep: True
2023-04-12 00:18:13,260:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.manual.Authenticator object at 0x7faaaf81ac70> and installer None
2023-04-12 00:18:13,260:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator manual, Installer None
2023-04-12 00:18:13,311:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/85686773', new_authzr_uri=None, terms_of_service=None), a98cc3f62165e183bff0019a3e082701, Meta(creation_dt=datetime.datetime(2023, 1, 31, 18, 58, 56, tzinfo=<UTC>), creation_host='dev-acme', register_to_eff=None))>
2023-04-12 00:18:13,312:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2023-04-12 00:18:13,313:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2023-04-12 00:18:13,495:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 830
2023-04-12 00:18:13,496:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 12 Apr 2023 00:18:13 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"cKalLDBlFpo": "Adding random entries to the directory",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "Staging Environment - Let's Encrypt"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-ietf-acme-ari-00/renewalInfo/",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-04-12 00:18:13,498:DEBUG:certbot._internal.display.obj:Notifying user: Simulating renewal of an existing certificate for dev-acme.revmed.com
2023-04-12 00:18:14,102:DEBUG:acme.client:Requesting fresh nonce
2023-04-12 00:18:14,102:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2023-04-12 00:18:14,128:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-04-12 00:18:14,129:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 12 Apr 2023 00:18:14 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 4994llGN3GckXPs2yv8zXYfAD3JRHta2-SJg6rxHxL9DaIw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2023-04-12 00:18:14,129:DEBUG:acme.client:Storing nonce: 4994llGN3GckXPs2yv8zXYfAD3JRHta2-SJg6rxHxL9DaIw
2023-04-12 00:18:14,129:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "dev-acme.revmed.com"\n }\n ]\n}'
2023-04-12 00:18:14,133:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
2023-04-12 00:18:14,189:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 355
2023-04-12 00:18:14,189:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 12 Apr 2023 00:18:14 GMT
Content-Type: application/json
Content-Length: 355
Connection: keep-alive
Boulder-Requester: 85686773
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/85686773/8223259574
Replay-Nonce: 8F05lEs7bavGhhLwZ-gh2A4MvE2qVx-mEyb5-4CXsuL8Wco
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2023-04-19T00:18:14Z",
"identifiers": [
{
"type": "dns",
"value": "dev-acme.revmed.com"
}
],
"authorizations": [
"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6086368534"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/85686773/8223259574"
}
2023-04-12 00:18:14,190:DEBUG:acme.client:Storing nonce: 8F05lEs7bavGhhLwZ-gh2A4MvE2qVx-mEyb5-4CXsuL8Wco
2023-04-12 00:18:14,190:DEBUG:acme.client:JWS payload:
b''
2023-04-12 00:18:14,192:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6086368534:
2023-04-12 00:18:14,222:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6086368534 HTTP/1.1" 200 821
2023-04-12 00:18:14,223:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 12 Apr 2023 00:18:14 GMT
Content-Type: application/json
Content-Length: 821
Connection: keep-alive
Boulder-Requester: 85686773
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: A272C6unhIskwsgWk5OFP-tkfmDZ078Di54DUf8aTKqM9TI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "dev-acme.revmed.com"
},
"status": "pending",
"expires": "2023-04-19T00:18:14Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6086368534/mismaw",
"token": "UmuAshryIpii3RxMKvEob8Ux19q6ihH-x108LeS26Oo"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6086368534/hef9Cg",
"token": "UmuAshryIpii3RxMKvEob8Ux19q6ihH-x108LeS26Oo"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6086368534/8mvYHQ",
"token": "UmuAshryIpii3RxMKvEob8Ux19q6ihH-x108LeS26Oo"
}
]
}
2023-04-12 00:18:14,223:DEBUG:acme.client:Storing nonce: A272C6unhIskwsgWk5OFP-tkfmDZ078Di54DUf8aTKqM9TI
2023-04-12 00:18:14,223:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-04-12 00:18:14,223:INFO:certbot._internal.auth_handler:dns-01 challenge for dev-acme.revmed.com
2023-04-12 00:18:14,224:INFO:certbot.compat.misc:Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
2023-04-12 00:18:14,555:WARNING:certbot.display.ops:Hook '--manual-auth-hook' for dev-acme.revmed.com reported error code 1
2023-04-12 00:18:14,555:WARNING:certbot.display.ops:Hook '--manual-auth-hook' for dev-acme.revmed.com ran with error output:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 159, in _new_conn
conn = connection.create_connection(
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 84, in create_connection
raise err
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 74, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 314, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 171, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7ff427de5730>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='dev-acme.revmed.com', port=443): Max retries exceeded with url: /register (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7ff427de5730>: Failed to establish a new connection: [Errno 111] Connection refused'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/etc/letsencrypt/acme-dns-auth.py", line 144, in <module>
account = client.register_account(ALLOW_FROM)
File "/etc/letsencrypt/acme-dns-auth.py", line 46, in register_account
res = requests.post(self.acmedns_url+"/register")
File "/usr/lib/python3/dist-packages/requests/api.py", line 116, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='dev-acme.revmed.com', port=443): Max retries exceeded with url: /register (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7ff427de5730>: Failed to establish a new connection: [Errno 111] Connection refused'))
2023-04-12 00:18:14,557:DEBUG:acme.client:JWS payload:
b'{}'
2023-04-12 00:18:14,559:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6086368534/hef9Cg:
2023-04-12 00:18:14,590:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/6086368534/hef9Cg HTTP/1.1" 200 192
2023-04-12 00:18:14,591:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 12 Apr 2023 00:18:14 GMT
Content-Type: application/json
Content-Length: 192
Connection: keep-alive
Boulder-Requester: 85686773
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index", https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6086368534;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6086368534/hef9Cg
Replay-Nonce: 4994R-1Awj6gg7TVxn1UEo6DV0y50ab4HGN9mphtQbZSBVw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6086368534/hef9Cg",
"token": "UmuAshryIpii3RxMKvEob8Ux19q6ihH-x108LeS26Oo"
}
2023-04-12 00:18:14,591:DEBUG:acme.client:Storing nonce: 4994R-1Awj6gg7TVxn1UEo6DV0y50ab4HGN9mphtQbZSBVw
2023-04-12 00:18:14,592:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-04-12 00:18:15,593:DEBUG:acme.client:JWS payload:
b''
2023-04-12 00:18:15,595:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6086368534:
2023-04-12 00:18:15,624:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6086368534 HTTP/1.1" 200 664
2023-04-12 00:18:15,624:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 12 Apr 2023 00:18:15 GMT
Content-Type: application/json
Content-Length: 664
Connection: keep-alive
Boulder-Requester: 85686773
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: B37CLTf19W7IMa5-IeNoXDLhVNO7lvJZqJ9IzW60Ijc2X7s
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "dev-acme.revmed.com"
},
"status": "invalid",
"expires": "2023-04-19T00:18:14Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record "0_wnRNnBZ_BILZ2jiSUXhIOuj4TMsmA2wb3faPQASW4" found at _acme-challenge.dev-acme.revmed.com",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6086368534/hef9Cg",
"token": "UmuAshryIpii3RxMKvEob8Ux19q6ihH-x108LeS26Oo",
"validated": "2023-04-12T00:18:14Z"
}
]
}
2023-04-12 00:18:15,625:DEBUG:acme.client:Storing nonce: B37CLTf19W7IMa5-IeNoXDLhVNO7lvJZqJ9IzW60Ijc2X7s
2023-04-12 00:18:15,625:INFO:certbot._internal.auth_handler:Challenge failed for domain dev-acme.revmed.com
2023-04-12 00:18:15,625:INFO:certbot._internal.auth_handler:dns-01 challenge for dev-acme.revmed.com
2023-04-12 00:18:15,626:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: dev-acme.revmed.com
Type: unauthorized
Detail: Incorrect TXT record "0_wnRNnBZ_BILZ2jiSUXhIOuj4TMsmA2wb3faPQASW4" found at _acme-challenge.dev-acme.revmed.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

2023-04-12 00:18:15,626:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-04-12 00:18:15,627:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-04-12 00:18:15,627:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-04-12 00:18:15,627:ERROR:certbot._internal.renewal:Failed to renew certificate dev-acme.revmed.com with error: Some challenges have failed.
2023-04-12 00:18:15,630:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 533, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1547, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 395, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-04-12 00:18:15,631:DEBUG:certbot._internal.display.obj:Notifying user:


2023-04-12 00:18:15,632:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2023-04-12 00:18:15,632:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/dev-acme.revmed.com/fullchain.pem (failure)
2023-04-12 00:18:15,632:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-04-12 00:18:15,633:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2913/bin/certbot", line 8, in <module>
sys.exit(main())
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1636, in renew
renewal.handle_renewal_request(config)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 559, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2023-04-12 00:18:15,633:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache Tomcat 10.0.27

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

My DNS hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.5.0

Note: This is an internal server with split DNS. My understanding is that the ACME client calls out to Let's Encrypt's servers, which do the DNS record verification from their servers, so this shouldn't be an issue, but I could be mistaken.

Hi @rmacbdev,

This part looks like the underlying reason for the failure—you're trying to use a particular authenticator hook (acme-dns-auth.py) but it's failing with a connection refused error. Can you figure out why that is?

(Are you running your own copy of acme-dns or using someone else's hosted version?)

4 Likes

Thanks for the quick response!

I can't remember where I got this Python script from. I'm open to starting from scratch. I had a hard time figuring out the best way to set up an automated way for certbot to auto-renew via DNS challenge from a private server via Apache/Tomcat. What's the simplest way to get this up and running?

Here's the acme-dns-auth.py:

#!/usr/bin/env python
import json
import os
import requests
import sys

### EDIT THESE: Configuration values ###

# URL to acme-dns instance
ACMEDNS_URL = "https://dev-acme.revmed.com"
# Path for acme-dns credential storage
STORAGE_PATH = "/etc/letsencrypt/acmedns.json"
# Whitelist for address ranges to allow the updates from
# Example: ALLOW_FROM = ["192.168.10.0/24", "::1/128"]
ALLOW_FROM = []
# Force re-registration. Overwrites the already existing acme-dns accounts.
FORCE_REGISTER = False

###   DO NOT EDIT BELOW THIS POINT   ###
###         HERE BE DRAGONS          ###

DOMAIN = os.environ["CERTBOT_DOMAIN"]
if DOMAIN.startswith("*."):
    DOMAIN = DOMAIN[2:]
VALIDATION_DOMAIN = "_acme-challenge."+DOMAIN
VALIDATION_TOKEN = os.environ["CERTBOT_VALIDATION"]


class AcmeDnsClient(object):
    """
    Handles the communication with ACME-DNS API
    """

    def __init__(self, acmedns_url):
        self.acmedns_url = acmedns_url

    def register_account(self, allowfrom):
        """Registers a new ACME-DNS account"""

        if allowfrom:
            # Include whitelisted networks to the registration call
            reg_data = {"allowfrom": allowfrom}
            res = requests.post(self.acmedns_url+"/register",
                                data=json.dumps(reg_data))
        else:
            res = requests.post(self.acmedns_url+"/register")
        if res.status_code == 201:
            # The request was successful
            return res.json()
        else:
            # Encountered an error
            msg = ("Encountered an error while trying to register a new acme-dns "
                   "account. HTTP status {}, Response body: {}")
            print(msg.format(res.status_code, res.text))
            sys.exit(1)

    def update_txt_record(self, account, txt):
        """Updates the TXT challenge record to ACME-DNS subdomain."""
        update = {"subdomain": account['subdomain'], "txt": txt}
        headers = {"X-Api-User": account['username'],
                   "X-Api-Key": account['password'],
                   "Content-Type": "application/json"}
        res = requests.post(self.acmedns_url+"/update",
                            headers=headers,
                            data=json.dumps(update))
        if res.status_code == 200:
            # Successful update
            return
        else:
            msg = ("Encountered an error while trying to update TXT record in "
                   "acme-dns. \n"
                   "------- Request headers:\n{}\n"
                   "------- Request body:\n{}\n"
                   "------- Response HTTP status: {}\n"
                   "------- Response body: {}")
            s_headers = json.dumps(headers, indent=2, sort_keys=True)
            s_update = json.dumps(update, indent=2, sort_keys=True)
            s_body = json.dumps(res.json(), indent=2, sort_keys=True)
            print(msg.format(s_headers, s_update, res.status_code, s_body))
            sys.exit(1)

class Storage(object):
    def __init__(self, storagepath):
        self.storagepath = storagepath
        self._data = self.load()

    def load(self):
        """Reads the storage content from the disk to a dict structure"""
        data = dict()
        filedata = ""
        try:
            with open(self.storagepath, 'r') as fh:
                filedata = fh.read()
        except IOError as e:
            if os.path.isfile(self.storagepath):
                # Only error out if file exists, but cannot be read
                print("ERROR: Storage file exists but cannot be read")
                sys.exit(1)
        try:
            data = json.loads(filedata)
        except ValueError:
            if len(filedata) > 0:
                # Storage file is corrupted
                print("ERROR: Storage JSON is corrupted")
                sys.exit(1)
        return data

    def save(self):
        """Saves the storage content to disk"""
        serialized = json.dumps(self._data)
        try:
            with os.fdopen(os.open(self.storagepath,
                                   os.O_WRONLY | os.O_CREAT, 0o600), 'w') as fh:
                fh.truncate()
                fh.write(serialized)
        except IOError as e:
            print("ERROR: Could not write storage file.")
            sys.exit(1)

    def put(self, key, value):
        """Puts the configuration value to storage and sanitize it"""
        # If wildcard domain, remove the wildcard part as this will use the
        # same validation record name as the base domain
        if key.startswith("*."):
            key = key[2:]
        self._data[key] = value

    def fetch(self, key):
        """Gets configuration value from storage"""
        try:
            return self._data[key]
        except KeyError:
            return None

if __name__ == "__main__":
    # Init
    client = AcmeDnsClient(ACMEDNS_URL)
    storage = Storage(STORAGE_PATH)

    # Check if an account already exists in storage
    account = storage.fetch(DOMAIN)
    if FORCE_REGISTER or not account:
        # Create and save the new account
        account = client.register_account(ALLOW_FROM)
        storage.put(DOMAIN, account)
        storage.save()

        # Display the notification for the user to update the main zone
        msg = "Please add the following CNAME record to your main DNS zone:\n{}"
        cname = "{} CNAME {}.".format(VALIDATION_DOMAIN, account["fulldomain"])
        print(msg.format(cname))

    # Update the TXT record in acme-dns instance
    client.update_txt_record(account, VALIDATION_TOKEN)

1 Like

It looks like you're using

together with

It also looks like you have at some point in the past installed your own local copy of acme-dns. Do you remember doing that? Is it still installed?

3 Likes

Yes that looks familiar. I don't know if I installed a local copy of acme-dns. How do I check to see if it's still installed?

Hmmm, depends on how you installed it ... maybe try locate acme-dns?

3 Likes

I only see the one python script in /etc/letsencrypt/acme-dns-auth.py

So I'm guessing it's not installed, but also your _acme-challenge record currently seems to be a static TXT record rather than a CNAME pointing to an acme-dns service. Can you remember or describe a little bit about your setup and why you're using the DNS-01 challenge method?

This page describes the different ways of getting Let's Encrypt certificates, in case it refreshes your memory a little:

5 Likes
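As an added example (not from this thread and not part of the acme-dns-auth.py script posted above), the following Python shows the two things the last few posts turn on: how the CA derives the value it expects at _acme-challenge.<domain> for a dns-01 challenge (RFC 8555 section 8.4: base64url(SHA-256(token "." account-key-thumbprint)), which is the same value certbot hands the hook as CERTBOT_VALIDATION), and how to classify what a resolver returns for that name, distinguishing a stale static TXT that no longer matches (the thread's "Incorrect TXT record ... found" case) from a CNAME delegating to acme-dns that the hook never updated. The token and the found TXT value are the ones from the certbot log above; the EC JWK, the resolver answers and the acme-dns target name are constructed placeholders.

```python
import base64
import hashlib
import json

# Values taken from the certbot log earlier in this thread.
TOKEN = "UmuAshryIpii3RxMKvEob8Ux19q6ihH-x108LeS26Oo"
FOUND_TXT = "0_wnRNnBZ_BILZ2jiSUXhIOuj4TMsmA2wb3faPQASW4"
VALIDATION_NAME = "_acme-challenge.dev-acme.revmed.com"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed stand-in for an ACME account public key in EC P-256 JWK shape.
# The coordinates are placeholders, not a real key: the thumbprint only hashes the JSON.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Expected TXT value (RFC 8555 section 8.4); certbot exports it to hooks as CERTBOT_VALIDATION."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def diagnose(expected: str, answer: dict) -> str:
    """Classify what the resolver returned for the validation name.

    answer is {"CNAME": target-or-None, "TXT": [values]}: the records the CA would see
    after following any CNAME (constructed here; queried from DNS in real use).
    """
    txt = answer.get("TXT", [])
    cname = answer.get("CNAME")
    if expected in txt:
        return "ok"                      # the CA only needs one matching TXT value
    if cname:
        # Delegated to acme-dns (or similar) but the hook never wrote the new value there.
        return "cname-no-txt" if not txt else "cname-wrong-txt"
    if txt:
        # The thread's case: a static TXT from an earlier run that no longer matches.
        return "wrong-static-txt"
    return "no-record"


def run_demo() -> str:
    expected = dns01_txt_value(TOKEN, SAMPLE_JWK)
    # Constructed resolver answer mirroring the log: one stale static TXT and no CNAME.
    return diagnose(expected, {"CNAME": None, "TXT": [FOUND_TXT]})


if __name__ == "__main__":
    print(f"{VALIDATION_NAME}: {run_demo()}")
```

In a real hook the answer dict would be filled from a query against the zone's authoritative nameservers rather than constructed, and the check belongs after the hook has written the record and before certbot tells the CA to validate; a "wrong-static-txt" result here means the validation name is still a plain TXT record in the GoDaddy zone rather than the CNAME to an acme-dns subdomain that the script prints on first registration.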

Sure! Our use case is that we have a server that is not publicly resolvable and does not have a public IP, but it needs a cert for hosting a web service internally. Since it does not have a public IP, it cannot use the HTTP challenge. It was my understanding that a DNS challenge would work for this case. I'm not familiar enough with the requirements for the DNS challenge. I apologize for the knowledge gap here.

1 Like

That makes sense. The DNS challenge is relevant for that case.

Is it possible that acme-dns was installed on a different server that you also operate and that does have a public IP address?

2 Likes

No, that's not possible. This was my first test with using a DNS challenge. It was on this machine.

That's weird, because the acme-dns method normally requires an inbound connection from the Internet to your server (if you've installed acme-dns yourself).

3 Likes

The machine does have access to the internet, but it just does not have its own public IP.

All my servers don't have a public IP address due to the fact that they're behind a NAT router. But using NAT portmaps that's not an issue: port 80 and 443 are easily portmapped to the internal IP address.

Also, it seems your DNS provider is GoDaddy. You might want to consider using the third party DNS plugins certbot-dns-godaddy (although I'm not sure that one is packaged using snap, which you seem to be using) or the plugin certbot-dns-multi, which is developed by one of the main programmers of Certbot itself (but is a third party plugin) and is released on snap too.

4 Likes

So I installed certbot-dns-multi and created the dns-multi.ini file.

I'm running this command:
sudo certbot certonly -a dns-multi --dns-multi-credentials=/etc/letsencrypt/dns-multi.ini -d "dev-acme.revmed.com" --dry-run

The dry run doesn't create a new TXT record for the DNS challenge verification. I'm guessing that there's no installer plugin to create/remove the TXT files in GoDaddy. See below for the log file.

2023-04-13 00:35:30,083:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 784
2023-04-13 00:35:30,396:DEBUG:certbot._internal.main:certbot version: 2.5.0
2023-04-13 00:35:30,396:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2913/bin/certbot
2023-04-13 00:35:30,396:DEBUG:certbot._internal.main:Arguments: ['-a', 'dns-multi', '--dns-multi-credentials=/etc/letsencrypt/dns-multi.ini', '-d', 'dev-acme.revmed.com', '--dry-run', '-v', '--preconfigured-renewal']
2023-04-13 00:35:30,396:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#dns-multi,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-04-13 00:35:30,435:DEBUG:certbot._internal.log:Root logging level set at 20
2023-04-13 00:35:30,436:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-multi and installer None
2023-04-13 00:35:30,437:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-multi
Description: Obtain certificate using any of lego's supported DNS providers
Interfaces: Authenticator, Plugin
Entry point: dns-multi = certbot_dns_multi._internal.dns_multi:Authenticator
Initialized: <certbot_dns_multi._internal.dns_multi.Authenticator object at 0x7fa358440e50>
Prep: True
2023-04-13 00:35:30,438:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_multi._internal.dns_multi.Authenticator object at 0x7fa358440e50> and installer None
2023-04-13 00:35:30,438:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-multi, Installer None
2023-04-13 00:35:30,506:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/85686773', new_authzr_uri=None, terms_of_service=None), a98cc3f62165e183bff0019a3e082701, Meta(creation_dt=datetime.datetime(2023, 1, 31, 18, 58, 56, tzinfo=<UTC>), creation_host='dev-acme', register_to_eff=None))>
2023-04-13 00:35:30,506:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2023-04-13 00:35:30,508:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2023-04-13 00:35:30,706:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 830
2023-04-13 00:35:30,706:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 13 Apr 2023 00:35:30 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "AhPy5TKrKnA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-ietf-acme-ari-00/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-04-13 00:35:30,789:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-multi and installer <certbot._internal.cli.cli_utils._Default object at 0x7fa32547b700>
2023-04-13 00:35:34,812:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2023-04-13 00:35:35,135:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2023-04-13 00:35:35,136:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/dev-acme.revmed.com/cert1.pem is signed by the certificate's issuer.
2023-04-13 00:35:35,137:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/dev-acme.revmed.com/cert1.pem is: OCSPCertStatus.GOOD
2023-04-13 00:35:35,141:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2023-04-28 09:14:19 UTC.
2023-04-13 00:35:35,141:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2023-04-13 00:35:35,142:DEBUG:certbot._internal.display.obj:Notifying user: Simulating renewal of an existing certificate for dev-acme.revmed.com
2023-04-13 00:35:35,324:DEBUG:acme.client:Requesting fresh nonce
2023-04-13 00:35:35,324:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2023-04-13 00:35:35,360:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-04-13 00:35:35,360:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 13 Apr 2023 00:35:35 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: BEB9BgKqkmdpzCR4yvPwbxDeTEezTqIZXj5TqWBWR0pXJps
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-04-13 00:35:35,360:DEBUG:acme.client:Storing nonce: BEB9BgKqkmdpzCR4yvPwbxDeTEezTqIZXj5TqWBWR0pXJps
2023-04-13 00:35:35,360:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "dev-acme.revmed.com"\n    }\n  ]\n}'
2023-04-13 00:35:35,363:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84NTY4Njc3MyIsICJub25jZSI6ICJCRUI5QmdLcWttZHB6Q1I0eXZQd2J4RGVURWV6VHFJWlhqNVRxV0JXUjBwWEpwcyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "qiqf3PMnFK9Bw25Lf_j--jY6ATXT9vQ7B8_OhkMvlQQpJBI6ZvxuidlYIGWpezO0qjfwtt3zHPXnjFu0v7XH4yrnf1fxGexybVRVaeEYQlifs_Z6g5jYjB0Q6xDk4kPyNRKEKtgNp6GZkNPm1cIGMsz3dcHi7Fkgy7xmZYJfxdS7q0NIMXQS44ybLycB0riYaUwpDN27itPnzHlPBHMaZwoobr2hLP9MEG0yA05KueFttt_jHDPMIfBFnrJEeYUPxuYIcV8Rxu82UfvfndnXgkiduuAOgTkvJhpShkMeM2e5UzRupuSCGeqfEtDQZeO6OaTnwahk1FksvBB4xNNfBA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImRldi1hY21lLnJldm1lZC5jb20iCiAgICB9CiAgXQp9"
}
2023-04-13 00:35:35,423:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 355
2023-04-13 00:35:35,424:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 13 Apr 2023 00:35:35 GMT
Content-Type: application/json
Content-Length: 355
Connection: keep-alive
Boulder-Requester: 85686773
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/85686773/8239152604
Replay-Nonce: 8F05dkQasJgr7oQ2OwGx9OmwkLKHQfBgCQUNMMR4X_DkLOU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-04-20T00:35:35Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "dev-acme.revmed.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6098387884"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/85686773/8239152604"
}
2023-04-13 00:35:35,424:DEBUG:acme.client:Storing nonce: 8F05dkQasJgr7oQ2OwGx9OmwkLKHQfBgCQUNMMR4X_DkLOU
2023-04-13 00:35:35,424:DEBUG:acme.client:JWS payload:
b''
2023-04-13 00:35:35,425:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6098387884:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84NTY4Njc3MyIsICJub25jZSI6ICI4RjA1ZGtRYXNKZ3I3b1EyT3dHeDlPbXdrTEtIUWZCZ0NRVU5NTVI0WF9Ea0xPVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MDk4Mzg3ODg0In0",
  "signature": "U0FicegDMEO2sf3u5L69Qf1TXjHiqw8G_wLKy95TgGGwJQhTAcQSBb0Ads8nC9odsEXOHwRDEW5N3wUFwfmfgnATo4bLdHBtpH4Lzy9RbgqXlA746zh0Dt7cEvrK-TJuQA3aW0MD4kfQOPcH08nck-tFRSFKTlnv9nXyK1M54pEE79tsa2dflZ9QwwoXUeT6CCK0z4DwMg_-MmSkDmZPdAWXsJrtv1DnzgcfwQxl6q5xac_qgJx12Y7QFsuEYou0vx1t7_6lmjK_WgIPNG5gfDaP6rDRzCTeZPBPaaB5UfJ96Vfre7qJ-nhOZerEZYWsB29eH06OQsq_kQn3ygopOg",
  "payload": ""
}
2023-04-13 00:35:35,458:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6098387884 HTTP/1.1" 200 821
2023-04-13 00:35:35,459:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 13 Apr 2023 00:35:35 GMT
Content-Type: application/json
Content-Length: 821
Connection: keep-alive
Boulder-Requester: 85686773
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: BEB9tgS3a3USYY2uSMNNpyTA1F60HiAQkB52Q3YrOhHTovI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "dev-acme.revmed.com"
  },
  "status": "pending",
  "expires": "2023-04-20T00:35:35Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6098387884/vTeHhQ",
      "token": "mlkIyI7OUjy16qbZO64fZvRZMorkqgIdri8Kvy6Gy1I"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6098387884/kz1P5Q",
      "token": "mlkIyI7OUjy16qbZO64fZvRZMorkqgIdri8Kvy6Gy1I"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6098387884/TrVxGQ",
      "token": "mlkIyI7OUjy16qbZO64fZvRZMorkqgIdri8Kvy6Gy1I"
    }
  ]
}
2023-04-13 00:35:35,459:DEBUG:acme.client:Storing nonce: BEB9tgS3a3USYY2uSMNNpyTA1F60HiAQkB52Q3YrOhHTovI
2023-04-13 00:35:35,460:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-04-13 00:35:35,460:INFO:certbot._internal.auth_handler:dns-01 challenge for dev-acme.revmed.com
2023-04-13 00:35:35,461:DEBUG:certbot_dns_multi._internal.dns_multi:Configuring lego for provider godaddy with 2 options
2023-04-13 00:35:35,462:DEBUG:certbot_dns_multi._internal.dns_multi:Asking lego to create record Q_if8Cvgcoea1RrJ9m2n0gr3DF1Z_0kwx6B_mllIJEU for domain dev-acme.revmed.com
2023-04-13 00:35:36,806:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 60 seconds for DNS changes to propagate
2023-04-13 00:36:36,836:DEBUG:acme.client:JWS payload:
b'{}'
2023-04-13 00:36:36,838:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6098387884/kz1P5Q:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84NTY4Njc3MyIsICJub25jZSI6ICJCRUI5dGdTM2EzVVNZWTJ1U01OTnB5VEExRjYwSGlBUWtCNTJRM1lyT2hIVG92SSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MDk4Mzg3ODg0L2t6MVA1USJ9",
  "signature": "mMMLx8yms8GIL1NRCVl1LeIrzixE1UD8Mu24O0KB48kamy1k3cSdUlMVx1DP0_hqbL5Hwqll3SwTXIKqUq0wu9yqk2py5YrQfAk-00xM3HcxeoDQ29j7SySSC8CHrM-JFqzj1DKBPRlErkBBMV5TWKflHvfygzvLX-KkO62exEP5nKTjG7USVxhDMVtLBZYU8Q5CFxaGC2bl-pK2d3ZaHdjF6N-R1QSSxtK0qNLPDGww3tB-fJreWaJKxIW1j8pL0eR3a8zFZ_DaRZ0YNzA8KGQgU0QF-KL1_F5DMCk_15DoW6yqb2lPVpIqtIMwadRFk_vu85ILKa47VAFbQTt6YQ",
  "payload": "e30"
}
2023-04-13 00:36:36,935:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/6098387884/kz1P5Q HTTP/1.1" 200 192
2023-04-13 00:36:36,936:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 13 Apr 2023 00:36:36 GMT
Content-Type: application/json
Content-Length: 192
Connection: keep-alive
Boulder-Requester: 85686773
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6098387884>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6098387884/kz1P5Q
Replay-Nonce: B37CO44N5rQhA0F1ovCmKi5iSFNVIECHn1mFnfIsfn5XppU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6098387884/kz1P5Q",
  "token": "mlkIyI7OUjy16qbZO64fZvRZMorkqgIdri8Kvy6Gy1I"
}
2023-04-13 00:36:36,936:DEBUG:acme.client:Storing nonce: B37CO44N5rQhA0F1ovCmKi5iSFNVIECHn1mFnfIsfn5XppU
2023-04-13 00:36:36,936:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-04-13 00:36:37,938:DEBUG:acme.client:JWS payload:
b''
2023-04-13 00:36:37,939:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6098387884:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84NTY4Njc3MyIsICJub25jZSI6ICJCMzdDTzQ0TjVyUWhBMEYxb3ZDbUtpNWlTRk5WSUVDSG4xbUZuZklzZm41WHBwVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MDk4Mzg3ODg0In0",
  "signature": "MSL2pzuXfzjKA3sS1CPee1_TEB7iou9xOjqPLvURdjtRs56qjmWrxPigUxCXgwrbHlZMnYgo13IT1RvLGk_72wlMNsrj-oyJRcoULzGE46-zX5pGe44DA_aHsFWCCWQeaLB8E30AuSPiyNbKLV8ygoP_Y332x9DdQAb9Agk0NYemhlhcJJDO-G8oAyVuWPjv-7TznDK_bCj0NurfNS88VbHX_rqETrA_XDipyAprIfl6PgUImQkv8kcUxTv2RCs9S2e8rN7v10hoXReb5Rl1Jcgo1qBU6eSrQ3pNvcc0TcEnl7lRHSHKjqZ3-zDRl-Qqijj4QQ0S3ym9Wxx1vmenTg",
  "payload": ""
}
2023-04-13 00:36:37,973:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6098387884 HTTP/1.1" 200 664
2023-04-13 00:36:37,974:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 13 Apr 2023 00:36:37 GMT
Content-Type: application/json
Content-Length: 664
Connection: keep-alive
Boulder-Requester: 85686773
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: BEB9J75wKLFk3p7qeEqRdUQvDxPzNneBuq8VPhege5_IQQs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "dev-acme.revmed.com"
  },
  "status": "invalid",
  "expires": "2023-04-20T00:35:35Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"nmB2eAybaRFKBYFeEgcAz1DWNriApX-uPAaQL2Qzn_w\" found at _acme-challenge.dev-acme.revmed.com",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6098387884/kz1P5Q",
      "token": "mlkIyI7OUjy16qbZO64fZvRZMorkqgIdri8Kvy6Gy1I",
      "validated": "2023-04-13T00:36:36Z"
    }
  ]
}
2023-04-13 00:36:37,974:DEBUG:acme.client:Storing nonce: BEB9J75wKLFk3p7qeEqRdUQvDxPzNneBuq8VPhege5_IQQs
2023-04-13 00:36:37,974:INFO:certbot._internal.auth_handler:Challenge failed for domain dev-acme.revmed.com
2023-04-13 00:36:37,975:INFO:certbot._internal.auth_handler:dns-01 challenge for dev-acme.revmed.com
2023-04-13 00:36:37,975:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: dns-multi). The Certificate Authority reported these problems:
  Domain: dev-acme.revmed.com
  Type:   unauthorized
  Detail: Incorrect TXT record "nmB2eAybaRFKBYFeEgcAz1DWNriApX-uPAaQL2Qzn_w" found at _acme-challenge.dev-acme.revmed.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by Lego. Ensure the above domains are hosted by Godaddy and check https://go-acme.github.io/lego/dns/godaddy for further details on configuring this provider. Try increasing --dns-multi-propagation-seconds from its current value of 60 as well.

2023-04-13 00:36:37,975:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-04-13 00:36:37,976:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-04-13 00:36:37,976:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-04-13 00:36:37,976:DEBUG:certbot_dns_multi._internal.dns_multi:Asking lego to clean up record Q_if8Cvgcoea1RrJ9m2n0gr3DF1Z_0kwx6B_mllIJEU for domain dev-acme.revmed.com
2023-04-13 00:36:38,892:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/2913/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 395, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-04-13 00:36:38,894:ERROR:certbot._internal.log:Some challenges have failed.

I don't have any suggestions but now I've tagged the author of dns-multi @_az you will likely get a useful response :slight_smile:

2 Likes

I'm seeing that the lego is actually creating a dns txt entry, but the wait time of 60 seconds does not allow for propagation. I'm testing the --dns-multi-propagation-seconds=900 first.

Is it possible to configure the dns-multi to use 900 (or more) seconds on its automation for renewal?

Yes. Certbot will remember what you used for --dns-multi-propagation-seconds in future renewals, without you having to use that flag every time.

It saves the option in the /etc/letsencrypt/renewal/*.conf files.

You can test & change the sleep duration by running this command:

certbot reconfigure --cert-name example.com --dns-multi-propagation-seconds 900

Hope that helps.

5 Likes
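The CA in the log above rejected the dns-01 challenge because the TXT value it found at _acme-challenge was an older one, not the record lego had just created, which is why the propagation wait matters. As an added example (not code from this thread or from certbot-dns-multi), the Python below derives the TXT value the CA expects from the challenge token and the account key (RFC 8555 section 8.4 and RFC 7638) and polls DNS until exactly that value is visible, refusing to treat a stale value as success; the account key, token and resolver stub are constructed placeholders.

```python
import base64
import hashlib
import json
import time
from typing import Callable, Iterable, List


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no
    whitespace. Optional members such as 'kid' or 'alg' are left out."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT content the CA expects: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def wait_for_txt(name, expected, lookup, timeout=600.0, interval=5.0,
                 sleep=time.sleep) -> int:
    """Poll lookup(name) until the expected string is among the TXT answers.
    Returns the number of queries needed, raises TimeoutError otherwise. A stale
    value is reported but never counts as success (the case the CA rejected)."""
    deadline = time.monotonic() + timeout
    polls = 0
    while True:
        polls += 1
        seen = lookup(name)
        if expected in seen:
            return polls
        stale = [v for v in seen if v != expected]
        if stale:
            print(f"{name}: stale TXT value(s) still visible: {stale}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{name}: expected TXT value never appeared")
        sleep(interval)


def replay_lookup(snapshots: Iterable[List[str]]) -> Callable[[str], List[str]]:
    """Constructed stand-in for a resolver: returns the snapshots in order and
    repeats the last one. In production, query the zone's authoritative
    nameservers, since a local caching resolver can hide a stale answer."""
    it, last = iter(snapshots), []

    def lookup(_name: str) -> List[str]:
        nonlocal last
        last = next(it, last)
        return list(last)
    return lookup


# Constructed account key and token (not real key material).
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "constructed-key",
               "x": b64url(b"x" * 32), "y": b64url(b"y" * 32)}
EXAMPLE_TOKEN = "constructed-token-0123456789"


def simulate_stale_then_fresh() -> int:
    """Two answers still carry an old value; the third carries the new one."""
    expected = dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK)
    lookup = replay_lookup([["old-value"], ["old-value"], ["old-value", expected]])
    return wait_for_txt("_acme-challenge.example.com", expected, lookup,
                        interval=0, sleep=lambda _s: None)
```

Run against a real zone, the `lookup` callable should ask the authoritative nameservers for the TXT RRset, because the CA's validation resolvers do not share your local cache.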

Thanks for your answer. I have confirmed that it does write it into the renewal conf file. I have a new problem now. Right now, I have a cert that I purchased with GoDaddy, and using dns-multi, the renewal went through and grabbed the GoDaddy certificate.

What if I wanted to use Letsencrypt certs with the dns challenge but Lego still needs access to GoDaddy's API for making DNS changes? What would I need to change to make this happen?

1 Like

I think you are misreading something. Using Certbot will get a cert from Let's Encrypt (unless you specifically request it to use a different ACME compliant CA). The Let's Encrypt Server(s) will validate you control that domain using various methods. In your case it uses the lego DNS API for GoDaddy.

Apart from the DNS, Certbot has no ability to "grab" the GoDaddy cert.

What does this show?

sudo certbot certificates

4 Likes