DNS server returning challenge all lowercase

Hi,

I'm trying to renew a Let's Encrypt certificate using the getssl client. It has always worked perfectly for years, but now it seems my hosting provider ("Arsys" in Spain) has changed the DNS servers somehow and the TXT records are always returned all in lowercase, which causes the validation to fail.

What can I do to pass the validation to renew the certificate?

Using the debug option in getssl I get the following:

dig TXT _acme-challenge.gestion.fisiorespiracion.es @dns21.servidoresdns.net
check_result="jqzphzp9egsrsa0jafetqax8vv03f7a-rbpzj6pdkw8"
expecting "jqZPHzp9eGSRSA0JAfEtQAx8vV03F7a-RBpZJ6pDkw8"
dns21.servidoresdns.net gave ... "jqzphzp9egsrsa0jafetqax8vv03f7a-rbpzj6pdkw8"
checking DNS at dns21.servidoresdns.net for _acme-challenge.gestion.fisiorespiracion.es. Attempt 36/100 gave wrong result, waiting 30 secs before checking again

Thank you very much :slight_smile:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fisiorespiracion.es

I ran this command: getssl gestion.fisiorespiracion.es -u -d

It produced this output: (shown above)

My web server is (include version): unknown, managed by hosting provider.

The operating system my web server runs on is (include version): unknown, managed by hosting provider.

My hosting provider, if applicable, is: Arsys

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is: getssl 2.48

1 Like

Have you spoken with your HSP about this problem?

2 Likes

Yes, I have already contacted them, but they have not yet guessed what I'm trying to tell them (so far I've got typical standard support replies). On their hosting control panel, I can input the challenge string and it saves it as mixed case, but the DNS server reply is always lowercase.

You don't need to use your hosting provider for DNS, you can move to something like Cloudflare or other larger DNS providers.

If you are manually entering this value, check if the web user interface you are using is converting the value to lowercase automatically. It seems unlikely that the DNS server would be custom software and so it would be expected to behave properly, but their API and web UI will be custom to them and are more likely to do stuff that's wrong.

[ I would advise you reply to their support ticket and say "Please immediately escalate this to a technical specialist for DNS. DNS TXT records must support case sensitive values" ]

5 Likes
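The check discussed in this thread, as an added example that is not part of any post above and is not getssl's own code: it classifies the TXT answers from a nameserver against the expected dns-01 value, separating "same string with case folded" from "different or stale record". The value is a base64url-encoded SHA-256 digest, so a lowercased copy is a different value. The function names `unquote`, `lower` and `classify_txt` are hypothetical; the sample strings are the ones from the debug output in the first post.

```shell
#!/bin/sh
# Added example: classify dns-01 TXT answers against the expected value.

# Strip the surrounding double quotes dig prints around a TXT string.
unquote() {
    _s=$1
    _s=${_s#\"}
    _s=${_s%\"}
    printf '%s' "$_s"
}

# Lowercase a string, used only to detect case folding.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# classify_txt EXPECTED ANSWERS
#   ANSWERS is the output of `dig +short TXT <name> @<server>`, one record per line.
#   Prints one of: match | case-folded | mismatch | empty
classify_txt() {
    _expected=$1
    _verdict=empty
    while IFS= read -r _line; do
        [ -n "$_line" ] || continue
        _value=$(unquote "$_line")
        if [ "$_value" = "$_expected" ]; then
            _verdict=match
            break
        elif [ "$(lower "$_value")" = "$(lower "$_expected")" ]; then
            # Same characters, different case: something between the
            # control panel and the zone data is folding the value.
            _verdict=case-folded
        elif [ "$_verdict" = empty ]; then
            _verdict=mismatch
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$_verdict"
}

# Values from the getssl debug output in the first post.
expected='jqZPHzp9eGSRSA0JAfEtQAx8vV03F7a-RBpZJ6pDkw8'
served='"jqzphzp9egsrsa0jafetqax8vv03f7a-rbpzj6pdkw8"'
echo "verdict: $(classify_txt "$expected" "$served")"

# Against a live server (needs network access):
# classify_txt "$expected" "$(dig +short TXT _acme-challenge.gestion.fisiorespiracion.es @dns21.servidoresdns.net)"
```

A `case-folded` verdict on every authoritative nameserver points at how the record was stored rather than at propagation delay, which is the detail to include in the support ticket.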

Hello again,

After contacting the tech support of the hosting provider, Arsys, it seems they have corrected the problem on the hosting control panel that caused any TXT type DNS entry to be saved as lowercase. It took four email messages and three support tickets, the first? one of them escalated to a second level support. But anyway, it seems they solved the problem and I could renew the Let's Encrypt certificate.

Thank you very much, @rg305 and @webprofusion, for your time and suggestions :slight_smile:

7 Likes
