DNS Authorization failing with WIN-ACME

I'm running WIN-ACME (.exe) on a Windows 10 client. This year I successfully generated a wildcard certificate twice. That's why I know my procedure should work, basically...

In the ACME client I choose the option "[dns-01] Create verification records manually (auto-renew not possible)". I've full access to our DNS editor and I'm sure that my TXT record is correct.

But authorization fails every time. Does anybody have an idea why, and what I could try for troubleshooting?

Is it a problem when the A record for the domain "pol.swiss" points to a different IPv4 address than the one the DNS is running on?


My domain is:

pol.swiss

I ran this command:

manual DNS Record verification in WIN-ACME

It produced this output:

Preliminary validation succeeded
Answer should now be available at _acme-challenge.pol.swiss
Preliminary validation succeeded
Error authorizing PKISharp.WACS.DomainObjects.TargetPart
(AcmeProtocolException): JWS has an invalid anti-replay nonce: "******"

My web server is (include version):

no web server running *

The operating system my web server runs on is (include version):

the ACME Client is running on Windows 10 *

My hosting provider, if applicable, is:

Cyon.ch

I can login to a root shell on my machine (yes or no, or I don't know):

No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes, as far as I know it is cPanel in the background

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

WIN-ACME 2.1.8.838
a simple Windows ACMEv2 Client (WACS)


* I'm running WIN-ACME (.exe) on a Windows 10 client to get PEM files to copy to all of our web servers. I don't want to run the ACME client directly on a web server.

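The error in the output above, "JWS has an invalid anti-replay nonce", is the ACME `badNonce` error from RFC 8555 section 6.5: the nonce in the protected header of the signed request was not one the server currently accepts (every nonce is single-use, and one left over from an earlier run or a failed attempt is stale). The server answers with a fresh `Replay-Nonce` header on that error response, and the client is expected to retry the request with it. The mock exchange below, as an added example that is not win-acme or Let's Encrypt code, shows both sides: a server that issues single-use nonces and rejects unknown or reused ones, and a client that adopts the `Replay-Nonce` from every response and retries once on `badNonce`. The account key, the URL and the "HS256" stand-in signature are constructed so it runs on the standard library alone; a real ACME client signs with ES256 or RS256.

```python
"""
Constructed mock of the ACME exchange around the anti-replay nonce
(RFC 8555 section 6.5). Added example, not win-acme or Let's Encrypt code.
The JWS signature is an HMAC stand-in so the example runs on the standard
library only; real ACME clients must sign with ES256 or RS256.
"""
import base64
import hashlib
import hmac
import json
import secrets

BADNONCE = "urn:ietf:params:acme:error:badNonce"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class MockAcmeServer:
    """Hands out single-use nonces; rejects a JWS whose nonce is unknown or already used."""

    def __init__(self):
        self._live_nonces = set()

    def new_nonce(self) -> str:
        """HEAD newNonce; every other response also carries a fresh Replay-Nonce."""
        nonce = b64url(secrets.token_bytes(16))
        self._live_nonces.add(nonce)
        return nonce

    def post(self, jws: dict) -> dict:
        protected = json.loads(b64url_decode(jws["protected"]))
        nonce = protected.get("nonce")
        if nonce not in self._live_nonces:
            # RFC 8555 6.5: reject with badNonce and hand the client a usable nonce
            return {"status": 400,
                    "headers": {"Replay-Nonce": self.new_nonce()},
                    "body": {"type": BADNONCE,
                             "detail": "JWS has an invalid anti-replay nonce"}}
        self._live_nonces.discard(nonce)  # consumed: replaying this JWS now fails
        return {"status": 200,
                "headers": {"Replay-Nonce": self.new_nonce()},
                "body": {"status": "valid"}}


class AcmeClient:
    """Minimal client: keeps the latest Replay-Nonce and retries on badNonce."""

    def __init__(self, server: MockAcmeServer, account_key: bytes):
        self.server = server
        self.account_key = account_key  # constructed stand-in for the account key
        self.nonce = None
        self.history = []  # HTTP status of every attempt, for inspection

    def sign(self, payload: dict, nonce: str) -> dict:
        # "alg": "HS256" is the stand-in; ACME requires ES256/RS256 here
        protected = b64url(json.dumps(
            {"alg": "HS256", "nonce": nonce, "url": "https://acme.example/chall"}).encode())
        body = b64url(json.dumps(payload).encode())
        mac = hmac.new(self.account_key, f"{protected}.{body}".encode(), hashlib.sha256)
        return {"protected": protected, "payload": body, "signature": b64url(mac.digest())}

    def post(self, payload: dict, max_retries: int = 1) -> dict:
        if self.nonce is None:
            self.nonce = self.server.new_nonce()
        retries = 0
        while True:
            response = self.server.post(self.sign(payload, self.nonce))
            self.history.append(response["status"])
            # Adopt the Replay-Nonce from every response, success or error
            self.nonce = response["headers"]["Replay-Nonce"]
            bad_nonce = response["status"] != 200 and response["body"].get("type") == BADNONCE
            if not bad_nonce or retries >= max_retries:
                return response
            retries += 1


def scenario(stale_nonce: bool, max_retries: int = 1) -> list:
    """One challenge POST; returns the HTTP status of each attempt made."""
    server = MockAcmeServer()
    client = AcmeClient(server, b"constructed-account-key")
    if stale_nonce:
        client.nonce = "nonce-the-server-never-issued"  # e.g. left over from another run
    client.post({}, max_retries=max_retries)
    return client.history


def replay_is_rejected() -> bool:
    """Re-sending an already accepted JWS must fail with badNonce."""
    server = MockAcmeServer()
    client = AcmeClient(server, b"constructed-account-key")
    jws = client.sign({}, server.new_nonce())
    first = server.post(jws)
    second = server.post(jws)
    return first["status"] == 200 and second["body"].get("type") == BADNONCE


if __name__ == "__main__":
    print("fresh nonce:", scenario(stale_nonce=False))
    print("stale nonce, one retry:", scenario(stale_nonce=True))
    print("stale nonce, no retry:", scenario(stale_nonce=True, max_retries=0))
    print("replay rejected:", replay_is_rejected())
```

The point to take from the mock: a `badNonce` response says nothing about the TXT record. It concerns only the signed request envelope, and a client that does not retry with the nonce from the error response reports it as a failed authorization.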

Did you delete the TXT record?
[I don't see one now]


Yes, I deleted the record yesterday. I made a new one now.


Looks good to me.

pol.swiss       nameserver = ns1.cyon.ch
pol.swiss       nameserver = ns2.cyon.ch

nslookup -q=txt _acme-challenge.pol.swiss ns1.cyon.ch
Server:  ns1.cyon.ch
Address:  194.126.200.5
_acme-challenge.pol.swiss       text =        "XYN1QiwOeqVE7TEyki0GzbAHqd7vxO0H9o0be4vNj2Y"

nslookup -q=txt _acme-challenge.pol.swiss ns2.cyon.ch
Server:  ns2.cyon.ch
Address:  91.206.24.2
_acme-challenge.pol.swiss       text =        "XYN1QiwOeqVE7TEyki0GzbAHqd7vxO0H9o0be4vNj2Y"

And to Let’s Debug too: https://letsdebug.net/pol.swiss/178286

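The check above queries each authoritative nameserver directly rather than a recursive resolver, which is the right way to confirm what the CA will see. The added example below, in Python and not win-acme's own code, goes one step further: it derives the TXT value a dns-01 challenge requires (RFC 8555 section 8.4: base64url of the SHA-256 of `token + "." + thumbprint(accountKey)`, with the thumbprint computed per RFC 7638) and then compares what each authoritative server returns against it, stripping the quotes nslookup wraps around TXT data. The token, the account key coordinates and the nameserver answers are constructed; the nameserver names are the ones from the post.

```python
"""
Added example (not win-acme code): derive the dns-01 TXT value the CA will
look for, then confirm each authoritative nameserver serves exactly that string.
RFC 8555 8.4: TXT value = base64url(SHA-256(token + "." + thumbprint(accountKey)))
RFC 7638: thumbprint = SHA-256 over the JWK's required members, sorted by
member name and serialized with no whitespace.
The token, account key and nameserver answers below are constructed.
"""
import base64
import hashlib
import json

# Required JWK members per key type (RFC 7638 section 3.2)
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only required members, lexicographic order, no whitespace."""
    members = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The string that must appear in TXT _acme-challenge.<domain>."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def check_nameservers(expected: str, answers: dict) -> dict:
    """answers maps nameserver -> list of TXT strings obtained by querying it directly.
    nslookup/dig print TXT data in quotes; strip those before comparing."""
    return {ns: expected in [t.strip().strip('"') for t in txts]
            for ns, txts in answers.items()}


# Constructed sample input (coordinates are placeholders, not a real account key)
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def run_check(ns2_is_stale: bool) -> dict:
    """Simulate the two authoritative servers; ns2 may still serve last run's value."""
    expected = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    served = {
        "ns1.cyon.ch": [f'"{expected}"'],
        "ns2.cyon.ch": ['"old-value-from-last-run"' if ns2_is_stale else f'"{expected}"'],
    }
    return check_nameservers(expected, served)


if __name__ == "__main__":
    print("expected TXT:", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("both in sync:", run_check(ns2_is_stale=False))
    print("ns2 stale:   ", run_check(ns2_is_stale=True))
```

Every authoritative server has to return the current value; a mismatch on one of them is enough for the CA to pick up the wrong record, which is why the two lookups in the post are each run against a specific nameserver.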

thank you!

After trying it 100 times it worked… no idea why, but I'm safe for the next couple of weeks :wink:


That sounds like an inbound firewall rule dropping the DNS requests.
Possibly an IPS for too many requests per second or maybe even GeoLocation blocking.
Is there such a capable device/program protecting ns1.cyon.ch and ns2.cyon.ch ?


That's a hot lead. I will take this into account next time I need to renew the certificate, thx!
