Domain Ownership Verification Failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jtlandpartners.com

I ran this command: PRIV_KEY=./account.key; echo -n "eyJ1cmwiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2UvNEFmVmNlVklwdWJJNmtqMm5tWnU3S0lWdmx6blRNOV9WMzNlbWpoMWlrOC8xOTYyNDc3MTkyMyIsImFsZyI6IlJTMjU2Iiwibm9uY2UiOiJGc3lPTzVPQ1NpTEtEQkpna1A3YnZmdHVyYXlhTVZPQnJfOUNGOVJIUFlZIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82MzU5MDk1NiJ9.e30" | openssl dgst -sha256 -hex -sign $PRIV_KEY

It produced this output:

This is the error message I received:
Error: Domain challenge failed. Please start back at Step 1. {"identifier":{"type":"dns","value":"jtlandpartners.com"},"status":"invalid","expires":"2019-08-23T19:21:17Z","challenges":[{"type":"tls-alpn-01","status":"invalid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/jmmVtjGAzp1Jr7LfOF7ondIw5dSRWnLfWVFPg6iJrmo/19627147995","token":"D4Ka_ZsUjGzoiH6A4sohbJWDLSTGpOHQgkWWxgIs6GY"},{"type":"dns-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.jtlandpartners.com","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/challenge/jmmVtjGAzp1Jr7LfOF7ondIw5dSRWnLfWVFPg6iJrmo/19627148004","token":"z07cYWSOh86-j5C5RR8qdzvQ7p8rEBE7jIFYWLYcWCQ"},{"type":"http-01","status":"invalid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/jmmVtjGAzp1Jr7LfOF7ondIw5dSRWnLfWVFPg6iJrmo/19627148008","token":"tSWk8Krkfwgv0L4cOdDI21-hMPoDid24ymZ02gSBNyc"}]}

My web server is (include version): Apache 2.4.39

The operating system my web server runs on is (include version): RedHat 4.4.7-23

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, CPanel 78.0.27

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

1 Like

Hi @kailash_93

There is only an older GoDaddy certificate: https://check-your-website.server-daten.de/?q=jtlandpartners.com#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Go Daddy Secure Certificate Authority - G2 | 2019-04-09 | 2020-04-09 | jtlandpartners.com, www.jtlandpartners.com - 2 entries | | |

So it's your first Let's Encrypt certificate.

  • Is there a cPanel solution?
  • Which ACME client do you use?

Ah, the problem is visible there: https://check-your-website.server-daten.de/?q=jtlandpartners.com#txt

You have created a TXT entry with the domain name _acme-challenge.jtlandpartners.com.

But your menu adds your domain name, so you have the wrong domain name _acme-challenge.jtlandpartners.com.jtlandpartners.com with a duplicated domain.

So create a TXT entry with _acme-challenge and the new TXT value.

Compare it with my own domain:

1 Like
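
The naming mistake described above, as an added example that is not part of the original post: a shell model of a zone editor that appends the zone to every name entered without a trailing dot. That behaviour is an assumption taken from the reply, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes a zone editor that appends the zone to any name
# without a trailing dot (the behaviour described above); names are hypothetical.

# published_name TYPED ZONE -> the FQDN the editor will actually publish
published_name() {
    case "$1" in
        *.) printf '%s\n' "${1%.}" ;;            # trailing dot: absolute name
        *)  printf '%s.%s\n' "$1" "${2%.}" ;;    # relative: zone is appended
    esac
}

# name_to_type DOMAIN ZONE -> what to enter so _acme-challenge.DOMAIN is published
name_to_type() {
    domain=${1%.}; zone=${2%.}
    case "$domain" in
        "$zone")   printf '_acme-challenge\n' ;;
        *".$zone") printf '_acme-challenge.%s\n' "${domain%".$zone"}" ;;
        *)         return 1 ;;                   # DOMAIN is not inside ZONE
    esac
}

# check_entry TYPED DOMAIN ZONE -> "ok" or a correction; non-zero status when wrong
check_entry() {
    want="_acme-challenge.${2%.}"
    got=$(published_name "$1" "$3")
    if [ "$got" = "$want" ]; then
        printf 'ok: %s\n' "$got"
    else
        printf 'wrong: publishes %s, enter %s instead\n' \
            "$got" "$(name_to_type "$2" "$3")"
        return 1
    fi
}

# The entry from the thread, then the corrected one
check_entry _acme-challenge.jtlandpartners.com jtlandpartners.com jtlandpartners.com || true
check_entry _acme-challenge jtlandpartners.com jtlandpartners.com
```
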

Hello Mr. JuergenAuer,

Thank you so much for your helpful response, it was really helpful. It did work for me but now I’m stuck on the final stage: Finalize order and generate certificate

Following is the error message I’ve received but I don’t understand why because I obviously have 2 different keys private and public and public key is the one specified in the beginning of the form:
Error: Finalizing failed. Please start back at Step 1. { "type": "urn:ietf:params:acme:error:malformed", "detail": "Error finalizing order :: certificate public key must be different than account key", "status": 400 }

Kindly help me resolve this issue, I truly appreciate your help.

Thanks,
Kailash Naik

1 Like

You need four different keys: a private key and a public key for your Let’s Encrypt account, and a private key and a public key for your certificate.

Let’s Encrypt doesn’t allow you to use the same keypair for both purposes.

1 Like

Ohh alright, and where do I provide this second pair of private/public key on the form? Because the only one I was asked was the public key for the Certificate at the beginning of the form.

Is it supposed to be mentioned in the echo part of the query?

What form? Are you using https://gethttpsforfree.com/?

If so, the public key requested in step 1 is for your account.

The CSR requested in step 2 includes, among other information, the public key that will be used for the certificate.

I don't know, sorry.
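
The key separation described in the replies above (one key pair for the account in step 1, a different key pair inside the CSR in step 2), as an added example that is not part of the thread. It builds one CSR from the account key and one from a separate key, then compares the public keys locally; the file names, function names and `example.test` are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. File names, function names and
# example.test are placeholders.

# make_demo_files DIR: one account key, one certificate key, and two CSRs
make_demo_files() {
    openssl genrsa -out "$1/account.key" 2048 2>/dev/null   # step 1: account key
    openssl genrsa -out "$1/domain.key" 2048 2>/dev/null    # step 2: certificate key
    # The mistake: CSR built from the account key
    openssl req -new -sha256 -key "$1/account.key" \
        -subj "/CN=example.test" -out "$1/bad.csr"
    # Correct: CSR built from the separate certificate key
    openssl req -new -sha256 -key "$1/domain.key" \
        -subj "/CN=example.test" -out "$1/good.csr"
}

# csr_reuses_account_key ACCOUNT_KEY CSR
# 0 = the CSR carries the account public key (finalize will be refused),
# 1 = the keys differ, 2 = a file could not be parsed
csr_reuses_account_key() {
    acct=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$acct" ] && [ "$acct" = "$csr" ]
}

dir=$(mktemp -d)
make_demo_files "$dir"
for f in bad.csr good.csr; do
    csr_reuses_account_key "$dir/account.key" "$dir/$f"
    case $? in
        0) echo "$f: same key as the account, generate a separate certificate key" ;;
        1) echo "$f: certificate key differs from the account key" ;;
        *) echo "$f: could not read key or CSR" ;;
    esac
done
rm -rf "$dir"
```
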

Ohh! And this public key for Let’s Encrypt is something I can simply generate myself using the openssl tool or have to get it from some place else?

Because, I just tried starting the whole process again and this time provided the public key in step1 from a completely different private key I generated and following is the error message I received:
Error: Account registration failed. Please start back at Step 1. { "type": "urn:ietf:params:acme:error:malformed", "detail": "JWS verification error", "status": 400 }

I’m not sure which account it is referring to. I never got this error when I used the public key based on my Certificate’s private key.

Also, at the beginning of Step3 the form says I need to use my Account private key for all requests:
“Let’s Encrypt requires that you sign all of your requests to them with your account private key.”

So, I think I should be using the same private key for both CSR as well as the public key in Section 1. But, I keep getting stuck in the Final stage in that case.

1 Like

So, I finally did manage to generate a certificate for my domain from: https://gethttpsforfree.com/

I followed the procedure you mentioned @mnordhoff and it worked!

I believe I may have erred at some point while copy pasting my own set of private/public keys I generated for the Let’s Encrypt account.

But, once again thank you so much @JuergenAuer and @mnordhoff; I truly appreciate your help.

2 Likes
