I am working on an ACME client and already have it working with the HTTP challenge.
I am trying to make the DNS challenge work as well, but when I test with the staging server the error “Records for validation failed sanity check” pops up. The challenge response comes with a validationRecord field in the JSON with the correct hostname but with the authorities field empty.
Looking through the Boulder source code, it seems that the server was able to verify the TXT record in my domain correctly but failed when the sanity check verifies that the authorities field is not empty (objects.go:361).
Our current implementation will fail if our DNS resolver doesn’t return an authority section for the hostname we are querying. Certain remote DNS server configurations can cause this to happen due to their strangeness. I have opened a Boulder issue to determine what we should do in these situations; most likely it’d be safe to just ignore an empty returned authority.
I tried to figure out what should be returned as an authority (an SOA record or an NS record) but with no success. I’m using PowerDNS version 3.1 as the DNS server.
I think that ignoring the empty returned authority will work well, since this validation fails after the successful validation of the TXT record.
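The failure mode discussed in the posts above, as an added example that is not part of this thread and is not Boulder's own code: a minimal, stdlib-only Python parser for a DNS TXT response, plus a validation function with a `require_authority` switch that models the strict behaviour described earlier (a correct TXT answer is still rejected when the authority section is empty) and the proposed relaxed behaviour (an empty authority section is ignored). Both responses, the names, the token value and all function names are constructed for illustration; the builder does not use name compression, while the parser accepts it.

```python
"""Reproduce the 'empty authority section' sanity-check failure on a DNS-01 TXT lookup.

Constructed example: not Boulder's code. It builds two wire-format DNS responses
for _acme-challenge.<name>, one with an empty authority section (NSCOUNT=0, the
case the thread describes) and one carrying an SOA, then validates them.
"""
import struct

TYPE_SOA, TYPE_TXT, CLASS_IN = 6, 16, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def txt_rr(owner, value, ttl=60):
    rdata = bytes([len(value)]) + value.encode()        # one <character-string>
    return encode_name(owner) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata


def soa_rr(zone, mname, rname, ttl=60):
    # serial, refresh, retry, expire, minimum are arbitrary constructed values
    rdata = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", 1, 3600, 900, 604800, 300)
    return encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, answers, authorities, txid=0x1234):
    """Header flags 0x8180 = QR|RD|RA, RCODE 0; section counts come from the lists."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), len(authorities), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(authorities)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return the answer and authority sections as (owner, type, rdata) tuples."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(msg, off)
        off += 4

    def read_section(count, off):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
        return rrs, off

    answers, off = read_section(an, off)
    authorities, off = read_section(ns, off)
    return {"flags": flags, "answers": answers, "authorities": authorities}


def txt_strings(rdata):
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode())
        i += 1 + n
    return out


def validate_dns01(msg, expected_value, require_authority):
    """Strict mode mirrors the behaviour the thread describes; relaxed mode ignores NSCOUNT=0."""
    parsed = parse_response(msg)
    found = any(rr[1] == TYPE_TXT and expected_value in txt_strings(rr[2]) for rr in parsed["answers"])
    if not found:
        return False, "expected TXT value not found in answer section"
    if require_authority and not parsed["authorities"]:
        return False, "Records for validation failed sanity check: empty authority section"
    return True, "ok"


# Constructed sample data: hypothetical zone and token, not real records.
QNAME = "_acme-challenge.example.test."
TOKEN = "constructed-token-value"
RESP_NO_AUTH = build_response(QNAME, [txt_rr(QNAME, TOKEN)], [])
RESP_WITH_AUTH = build_response(QNAME, [txt_rr(QNAME, TOKEN)],
                                [soa_rr("example.test.", "ns1.example.test.", "hostmaster.example.test.")])

if __name__ == "__main__":
    for label, resp in (("no authority", RESP_NO_AUTH), ("with SOA", RESP_WITH_AUTH)):
        print(label, "strict:", validate_dns01(resp, TOKEN, True), "relaxed:", validate_dns01(resp, TOKEN, False))
```

The NSCOUNT field that `parse_response` reads from the header is the number `dig` prints as `AUTHORITY:` in its `;; flags:` line, so a `dig TXT _acme-challenge.<name>` showing `AUTHORITY: 0` against the authoritative server is exactly the response shape that `RESP_NO_AUTH` models.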
From looking at that issue, it looks like the PR was merged into master. Is there some way for us to know the timeframe/status of master -> actual production servers?
This thread is a year old, and a request from DNSimple for a certificate failed. I had already noted that dig was returning an Authority of 0 and raised that issue with them. Can anyone tell me the status of this problem? Thanks.