DNS Challenge with GoDaddy API Failed

Hi everyone!

I'm having issues with GoDaddy API DNS Challenge cert renewal. API key appears to be working by creating a TXT record but eventually fails. Here are the logs:

2024-04-03 12:02:10.542 -06:00 [INF] Certify/6.0.15.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2024-04-03 12:02:10.543 -06:00 [INF] Beginning certificate request process: Default Web Site using ACME provider Anvil
2024-04-03 12:02:10.543 -06:00 [INF] The selected Certificate Authority is: Let's Encrypt
2024-04-03 12:02:10.543 -06:00 [INF] Requested identifiers to include on certificate: gateway.<domain.com> [dns]
2024-04-03 12:02:11.509 -06:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/removed.for.security.purposes.
2024-04-03 12:02:12.087 -06:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/334157041727/kwQduA
2024-04-03 12:02:12.249 -06:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/removed.for.security.purposes.
2024-04-03 12:02:12.401 -06:00 [INF] Preparing automated challenge responses for: gateway.<domain.com> [dns]
2024-04-03 12:02:12.404 -06:00 [INF] DNS: Creating TXT Record '_acme-challenge.gateway.<domain.com>' with value 'fa8incSwYxT2tHzvIFuHIXU2sMBcAyBxiLm_zEnoLAM', [gateway.<domain.com>] in ZoneId '<domain.com>' using API provider 'GoDaddy DNS API'
2024-04-03 12:02:17.750 -06:00 [INF] DNS: GoDaddy DNS API :: DNS record added.
2024-04-03 12:03:18.011 -06:00 [INF] Resuming certificate request using CA: Let's Encrypt
2024-04-03 12:03:18.011 -06:00 [INF] Attempting challenge response validation for: gateway.<domain.com> [dns]
2024-04-03 12:03:18.011 -06:00 [INF] [Progress] Checking automated challenge response for: gateway.<domain.com> [dns]
2024-04-03 12:03:18.011 -06:00 [INF] Submitting challenge for validation: gateway.<domain.com> [dns]
2024-04-03 12:03:23.453 -06:00 [INF] Waiting for the CA to validate the dns-01 challenge response for: gateway.<domain.com> [https://acme-v02.api.letsencrypt.org/acme/chall-v3/removed.for.security.purposes.]
2024-04-03 12:03:28.616 -06:00 [INF] Waiting for the CA to validate the dns-01 challenge response for: gateway.<domain.com> [https://acme-v02.api.letsencrypt.org/acme/chall-v3/removed.for.security.purposes.]
2024-04-03 12:03:33.771 -06:00 [INF] Waiting for the CA to validate the dns-01 challenge response for: gateway.<domain.com> [https://acme-v02.api.letsencrypt.org/acme/chall-v3/removed.for.security.purposes.]
2024-04-03 12:03:38.926 -06:00 [INF] Waiting for the CA to validate the dns-01 challenge response for: gateway.<domain.com> [https://acme-v02.api.letsencrypt.org/acme/chall-v3/removed.for.security.purposes.]
2024-04-03 12:03:44.081 -06:00 [INF] Waiting for the CA to validate the dns-01 challenge response for: gateway.<domain.com> [https://acme-v02.api.letsencrypt.org/acme/chall-v3/removed.for.security.purposes.]
2024-04-03 12:03:49.268 -06:00 [INF] Waiting for the CA to validate the dns-01 challenge response for: gateway.<domain.com> [https://acme-v02.api.letsencrypt.org/acme/chall-v3/removed.for.security.purposes.]
2024-04-03 12:03:49.412 -06:00 [ERR] [Progress] Validation failed: gateway.<domain.com> [dns]
Response from Certificate Authority: DNS problem: server failure at resolver looking up TXT for _acme-challenge.gateway.<domain.com> [BadRequest :: urn:ietf:params:acme:error:dns]
2024-04-03 12:03:49.431 -06:00 [INF] DNS: Deleting TXT Record '_acme-challenge.gateway.<domain.com>' :'fa8incSwYxT2tHzvIFuHIXU2sMBcAyBxiLm_zEnoLAM', [gateway.<domain.com>] in ZoneId '<domain.com>' using API provider 'GoDaddy DNS API'
2024-04-03 12:03:53.990 -06:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: gateway.<domain.com> [dns]
Response from Certificate Authority: DNS problem: server failure at resolver looking up TXT for _acme-challenge.gateway.<domain.com> [BadRequest :: urn:ietf:params:acme:error:dns]

Any assistance is much appreciated.

You skipped all the forum questions but you are using Certify Certificate Manager to do this (which I develop) and the log file shows that your GoDaddy DNS was updated OK. What's failing is Let's Encrypt's validation lookup of the TXT record. This could be a transient problem with Let's Encrypt's resolver or it could be a problem with your nameserver configuration or zone configuration, but it's between Let's Encrypt and your DNS.

You should be able to check this by either looking at your GoDaddy DNS control panel during validation (the record should appear when you refresh), or using a DNS tool like dig: dig _acme-challenge.gateway.yourdomain.com -t TXT

To test this for you we'd need to know the real domain, alternatively you can try testing the record name with https://unboundtest.com/

If you are a licensed Certify The Web customer you can contact the support helpdesk (hi!) directly via support {at} certifytheweb.com with your unredacted log file.

3 Likes

Hi! Thanks for your response. I did change the URLs and other stuff for security purposes. Going back to the record, yes, it did create the record and I was able to confirm it was there by refreshing the GoDaddy page. I will try the unboundtest.com as well to provide more details.

3 Likes

With the help of the unboundtest.com results, we've determined the root cause of this.

In GoDaddy, we set up "gateway.domain.com" with an NS record that points to our DNS load balancer in our datacenter.

What appears to be happening is that when _acme-challenge.gateway.domain.com is added in GoDaddy, this isn't propagating and all queries are forwarded to our DNS load balancer (due to the NS set on gateway.domain.com). The load balancer was only designed to answer A and AAAA record types.

What is interesting about this issue is that this used to work. We set up GoDaddy's API with one confirmed auto-renewal last March 23, 2024. Not sure what changed, but somehow it stopped working around late March / early April this year.

3 Likes
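The root cause described in the last post is a zone cut: once gateway.domain.com is delegated by an NS record, every name below it (including _acme-challenge.gateway.domain.com) belongs to the child zone, so a TXT record written into the parent zone at the registrar is occluded and resolvers only ever ask the delegated nameserver. The following Python model, an added example that is not code from Certify The Web, GoDaddy or Let's Encrypt, reproduces the thread's layout offline so the effect can be seen without a live domain. The apex, nameserver hostnames, IP address and challenge tokens are constructed; the real-world counterpart of this check is the dig command and unboundtest.com lookup suggested earlier in the thread. The model goes slightly beyond the thread by also showing that teaching the load balancer to answer TXT queries is not enough on its own: the challenge record must actually be published by the delegated server.

```python
# Added example for this thread (not code from Certify The Web, GoDaddy or
# Let's Encrypt). It models a registrar-hosted parent zone with a delegated
# subdomain and a minimal resolver, to show why a TXT record placed in the
# parent zone below a zone cut is never seen (RFC 1034 section 4.2.1).
# All names, addresses and tokens below are constructed.

from dataclasses import dataclass, field

SERVFAIL, NOERROR = "SERVFAIL", "NOERROR"


@dataclass
class ParentZone:
    """Zone hosted at the registrar; records keyed by (owner, rtype)."""
    apex: str
    records: dict = field(default_factory=dict)

    def ancestors_below_apex(self, qname):
        """Owner names from just below the apex down to qname itself."""
        if qname != self.apex and not qname.endswith("." + self.apex):
            raise ValueError(f"{qname} is not under {self.apex}")
        labels = qname.split(".")
        depth = len(self.apex.split("."))
        # For _acme-challenge.gateway.domain.com under domain.com this yields
        # ['gateway.domain.com', '_acme-challenge.gateway.domain.com'].
        return [".".join(labels[i:]) for i in range(len(labels) - depth - 1, -1, -1)]

    def zone_cut(self, qname):
        """Topmost NS delegation below the apex that covers qname, if any.
        Everything at or below the cut is the child zone's data, so the
        parent's own records there are occluded."""
        for owner in self.ancestors_below_apex(qname):
            ns = self.records.get((owner, "NS"))
            if ns:
                return owner, ns
        return None

    def query(self, qname, rtype):
        return NOERROR, self.records.get((qname, rtype), [])


@dataclass
class LoadBalancerServer:
    """Datacenter DNS load balancer that answers only the types it was built
    for; anything else gets SERVFAIL, matching the CA's error in the log."""
    records: dict
    supported: frozenset = frozenset({"A", "AAAA"})

    def query(self, qname, rtype):
        if rtype not in self.supported:
            return SERVFAIL, []
        return NOERROR, self.records.get((qname, rtype), [])


def resolve(qname, rtype, parent, delegated):
    """Minimal resolver: follow the parent's delegation when one covers qname
    and ask the child nameserver; otherwise answer from the parent zone."""
    cut = parent.zone_cut(qname)
    if cut is None:
        status, answer = parent.query(qname, rtype)
        return {"status": status, "answer": answer, "served_by": parent.apex, "zone_cut": None}
    cut_name, ns_names = cut
    child = delegated[ns_names[0]]  # assume the first listed NS is reachable
    status, answer = child.query(qname, rtype)
    return {"status": status, "answer": answer, "served_by": ns_names[0], "zone_cut": cut_name}


def build_thread_layout(lb_supports_txt=False, lb_txt=None):
    """Constructed layout from the thread: apex at the registrar, 'gateway'
    delegated to a load balancer, ACME TXT record written into the parent."""
    parent = ParentZone("domain.com", {
        ("domain.com", "NS"): ["ns1.registrar.example", "ns2.registrar.example"],
        ("gateway.domain.com", "NS"): ["lb1.dc.example"],
        ("_acme-challenge.gateway.domain.com", "TXT"): ["parent-token"],
    })
    lb_records = {("gateway.domain.com", "A"): ["203.0.113.10"]}
    if lb_txt:
        lb_records[("_acme-challenge.gateway.domain.com", "TXT")] = [lb_txt]
    supported = frozenset({"A", "AAAA", "TXT"}) if lb_supports_txt else frozenset({"A", "AAAA"})
    return parent, {"lb1.dc.example": LoadBalancerServer(lb_records, supported)}


def check_acme_challenge(host, parent, delegated):
    """Which server answers for _acme-challenge.<host>, and is a TXT visible?"""
    result = resolve("_acme-challenge." + host, "TXT", parent, delegated)
    result["txt_visible"] = result["status"] == NOERROR and bool(result["answer"])
    return result


if __name__ == "__main__":
    parent, delegated = build_thread_layout()
    print(check_acme_challenge("gateway.domain.com", parent, delegated))
    parent, delegated = build_thread_layout(lb_supports_txt=True, lb_txt="child-token")
    print(check_acme_challenge("gateway.domain.com", parent, delegated))
```

Running the script prints the failing case first (SERVFAIL from lb1.dc.example at the gateway.domain.com cut, TXT not visible) and then the working case, where the delegated server both supports TXT and publishes the token. A name that is not below the delegation, such as _acme-challenge.domain.com, is answered from the parent zone as normal, which is why a challenge for the bare domain would not have hit this problem.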