My domain is: testing-8.us-east-1.test.netflix.ne
(authzr: https://acme-staging-v02.api.letsencrypt.org/acme/authz/dJnmpiLw9WfFut1-hVUvN06d_wiWGyUZtQLlEJnTBa4 )
I ran this command: (I maintain Lemur’s acme client and recently made some changes that aren’t working as expected) - https://github.com/Netflix/lemur/blob/master/lemur/plugins/lemur_acme/plugin.py#L124
For reference, I am using Lemur which has a handy LetsEncrypt integration (for dns-01 authorization) https://github.com/Netflix/lemur/blob/master/lemur/plugins/lemur_acme/plugin.py#L124 . We’re also using ‘acme==0.33.1’
I am trying to figure out the optimal order of operations when using the acme python client to request a certificate using dns-01. I would previously poll and validate DNS myself before using the acme client's built-in polling. In most cases, this method worked fine. There were just a few problems given our unique DNS environment (different internal/external DNS, slow or nonexistent syncing) that made me want to rely solely on ACME's polling.
After setting the DNS TXT record, I will run a simple_verify on my DNS challenges. Once that returns True, I will attempt to call answer_challenge. However, if I do this too quickly, my challenge ends up 'invalid'.
1). Is it correct that once a challenge is deemed ‘invalid’, that challenge is immutable? (We can’t “re-answer” the challenge again to make it valid?)
2). When am I supposed to poll (with acme_client.poll) for the DNS change? Before I call 'answer_challenge'? It appears that if I add the DNS record and then call answer_challenge without waiting, the challenge status is "invalid" with an error type of "urn:ietf:params:acme:error:unauthorized" and detail of "Incorrect TXT record “v=spf1 -all” found at _acme-challenge.". However, if I poll for changes too early, before calling 'answer_challenge', the challenge never gets updated. If I manually sleep for some bit of time, or if I verify DNS on my own prior to calling answer_challenge, things usually work fine.
3). Is there anything you could recommend looking at Lemur’s ACME logic?
For reference, this is the code I’m playing with for polling:
```python
import time

attempts = 0  # shared across all authorizations, so the cap is 60 polls in total
for authzr in authz_record.authz:
    while True:
        if attempts > 60:
            break
        attempts += 1
        # poll the authorization and look at its dns-01 challenge
        authzr, authzr_response = acme_client.poll(authzr)
        challenge = self.get_dns_challenge(authzr)
        if challenge.status.name == "valid":
            break
        time.sleep(1)
```