DNS challenges fail. Records are good. Strange email errors

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

... Try email addresses at jmdots.com, gmail.com, icloud.com.... I get the example.org error for any acme.sh commands, and Caddy just keeps making challenge records over and over in Namecheap.

My domain is: jmdots.com

I ran this command: acme.sh --register-account -m contact@jmdots.com --staging

It produced this output:

[Fri May 24 10:31:24 PM EDT 2024] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 24 10:31:24 PM EDT 2024] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 24 10:31:25 PM EDT 2024] Register account Error: {
"type": "urn:ietf:params:acme:error:invalidContact",
"detail": "Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden",
"status": 400
}

My web server is (include version): caddy 2.7.6

{"level":"error","ts":1716604237.3231592,"logger":"tls.obtain","msg":"will retry","error":"[jmdots.com] Obtain: [jmdots.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/149462614/16741376124) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":1281.371526415,"max_duration":2592000}

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS x86_64

My hosting provider, if applicable, is: Myself. Namecheap does DNS.

I can login to a root shell on my machine (yes or no, or I don't know): yep

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

(base) josh@monolith-1:~$ acme.sh --version

v3.0.8
(base) josh@monolith-1:~$

Hello @jmdots, welcome to the Let's Encrypt community. :slightly_smiling_face:

There are a lot of DNS TXT records for _acme-challenge.jmdots.com; I would think that they would automatically get cleaned up.

Side note: Caddy has built-in ACME Client.

Query results for TXT _acme-challenge.jmdots.com

Response:
;; opcode: QUERY, status: NOERROR, id: 42888
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;_acme-challenge.jmdots.com.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.jmdots.com.	0	IN	TXT	"WIK_zr47GhiWC79KPcC2oZILjiy75y0WqZHKnQxM91A"
_acme-challenge.jmdots.com.	0	IN	TXT	"bq9cRl-dRpB_fF3tk1SBeHxCoXs_UfhBnNBVvRLTbv0"
_acme-challenge.jmdots.com.	0	IN	TXT	"lG__2ykhLXCGyPQ7WueDtczG78YQT5S5lvK21nsMHDQ"
_acme-challenge.jmdots.com.	0	IN	TXT	"zh1OBiIkpNzuTo70CL-VUiNKZSY5ILsR8mwtzmBxHOI"
_acme-challenge.jmdots.com.	0	IN	TXT	"9gHJF-v9Q-wSEy2YAZXclguznOXhMNmjJpcEsWrup-A"
_acme-challenge.jmdots.com.	0	IN	TXT	"BMZ9w6lNlazxbjeidChF-r-HksImy7DH7nCY-K1LpnM"
_acme-challenge.jmdots.com.	0	IN	TXT	"DAR4fXm0ZL-i7G0whW87zsLCTUUibT3JeLyoekZ7bGU"
_acme-challenge.jmdots.com.	0	IN	TXT	"Nozzi_PMUjjMsSVtSavaQ0UTHj75VSbTljJNKdgSqvs"
_acme-challenge.jmdots.com.	0	IN	TXT	"PDW_S8N36wZr8_w0HR1Cnf8pong046mOGK8DLfX4oM4"
_acme-challenge.jmdots.com.	0	IN	RRSIG	TXT 13 3 1800 20240606000000 20240516000000 54892 jmdots.com. dATiQ/HaLxrIz1CPvOejHivnWeFXg5mPWGJEoAQA77WTm6Nf2AgNaHT1eRO/iXyh7D7psrHBFI+vJDhuGUjLCg==

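The TXT record a DNS-01 client is supposed to publish is not arbitrary: RFC 8555 section 8.4 defines it as base64url(SHA-256(token "." thumbprint)), where the thumbprint is the RFC 7638 thumbprint of the ACME account key. The following is an added example (not code from the thread, from Caddy or from acme.sh) that computes that value for a constructed token and a sample public EC JWK, then checks a dig-style ANSWER SECTION like the one quoted above to see whether the expected value is actually published and how many leftover values sit beside it. The token, the JWK and the helper names are assumptions made for the example; the nine stale values are the ones quoted in the reply above.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised as JSON with lexicographically sorted keys and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: key authorization is token '.' thumbprint;
    the TXT value is base64url(SHA-256(key authorization))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# Matches one TXT line of a dig ANSWER SECTION; RRSIG and other RR types do not match.
TXT_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+"([^"]*)"', re.MULTILINE)


def parse_txt_records(dig_output: str, name: str) -> list:
    """Pull the TXT values published at `name` out of dig-style output."""
    want = name.rstrip(".").lower()
    return [v for n, v in TXT_LINE.findall(dig_output) if n.rstrip(".").lower() == want]


def check_challenge_records(dig_output: str, name: str, expected: str) -> dict:
    """Report whether the expected DNS-01 value is present and which values are leftovers."""
    values = parse_txt_records(dig_output, name)
    return {
        "present": expected in values,
        "total": len(values),
        "stale": [v for v in values if v != expected],
    }


def build_answer_section(name: str, values) -> str:
    """Constructed dig-style ANSWER SECTION (TTL 0, like the one in the thread)."""
    return "\n".join(f'{name}.\t0\tIN\tTXT\t"{v}"' for v in values) + "\n"


# Constructed inputs: a hypothetical challenge token and a sample public EC JWK.
# Neither is real ACME data; they only drive the arithmetic.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}

# The nine leftover values quoted in the thread.
STALE_VALUES = [
    "WIK_zr47GhiWC79KPcC2oZILjiy75y0WqZHKnQxM91A",
    "bq9cRl-dRpB_fF3tk1SBeHxCoXs_UfhBnNBVvRLTbv0",
    "lG__2ykhLXCGyPQ7WueDtczG78YQT5S5lvK21nsMHDQ",
    "zh1OBiIkpNzuTo70CL-VUiNKZSY5ILsR8mwtzmBxHOI",
    "9gHJF-v9Q-wSEy2YAZXclguznOXhMNmjJpcEsWrup-A",
    "BMZ9w6lNlazxbjeidChF-r-HksImy7DH7nCY-K1LpnM",
    "DAR4fXm0ZL-i7G0whW87zsLCTUUibT3JeLyoekZ7bGU",
    "Nozzi_PMUjjMsSVtSavaQ0UTHj75VSbTljJNKdgSqvs",
    "PDW_S8N36wZr8_w0HR1Cnf8pong046mOGK8DLfX4oM4",
]


if __name__ == "__main__":
    name = "_acme-challenge.jmdots.com"
    expected = dns01_txt_value(SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK))
    answer = build_answer_section(name, STALE_VALUES + [expected])
    result = check_challenge_records(answer, name, expected)
    print(f"expected TXT value: {expected}")
    print(f"present={result['present']} total={result['total']} stale={len(result['stale'])}")
```

Every DNS-01 value is 43 base64url characters, which is why all nine records above look alike. Let's Encrypt accepts the challenge if any TXT value at the name matches the current key authorization, so leftovers do not by themselves fail validation; what they do show is that the client's cleanup step never ran, which is worth fixing before the record set grows further.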

I thought NameCheap had restrictions on who could use the API to update the DNS. Do you have ability to do that? Maybe that is why caddy keeps failing the DNS Challenge.

You could probably use the HTTP or even TLS-ALPN challenges but you need to fix your DNS settings first.

You have two IP addresses for your base domain. HTTP connections to the 98.x IP just time out, so that one should probably be removed. HTTP requests using the 162.x IP do connect but then redirect to your www subdomain. And you don't have any A record for your www name, so you should set one.

jmdots.com.	0	IN	A	162.255.119.190
jmdots.com.	0	IN	A	98.29.208.206

The redirect is being done by the Namecheap URL Forward service. You need to disable that and set the A record to the public IP for your server. Contact namecheap for help with this.

curl -i http://jmdots.com
HTTP/1.1 302 Found
Location: http://www.jmdots.com/
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx

I don't know why acme.sh would tell you the email address is wrong. I have never seen that. You may need to post on the github for acme.sh to resolve that.

But, since you are using caddy I would work to get that working. It will be much easier in the long run. Once you fix your DNS it should work well.


Thanks. I'll try what you recommend and post back with output. I was using acme.sh only for debugging. I should have mentioned that.

EDITS:

RE: Namecheap, not sure, but ....

{"level":"debug","ts":1716604580.7167835,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"jmdots.com","challenge_type":"dns-01"}

This happened after I gave up and slept. :slight_smile:

DNS propagation maybe? Either way, I'm grateful. Thanks!

