Error 403 - Correct value not found for DNS challenge on delegated subdomain on Azure

Hi,
I am trying to automatically create a certificate using the LetsEncrypt DNS-01 challenge.
My setup is as follows (I currently use the Staging API):

  • We have our domain, let’s call it “example.net”

  • We also have multiple subdomains managed by our own DNS.

  • One of the zones is delegated to an Azure DNS Zone (i.e. *.client.qa.web.example.net)

  • In this zone, I have multiple CNAME records for my actual websites (i.e. website1.client.qa.web.example.net, website2.client.qa.example.net)

  • I can successfully create the _acme-challenge for my DNS record
    name: _acme-challenge.website1.client.qa.web.example.net

  • When I “dig” the record, I get the following answer (I obviously changed the actual DNS names to example.net):

    ; <<>> DiG 9.11.1-P1 <<>> -t txt _acme-challenge.website1.client.qa.web.example.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45481
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ; COOKIE: 12477e09a21bcdfd (echoed)
    ;; QUESTION SECTION:
    ;_acme-challenge.website1.client.qa.web.example.net. IN TXT

    ;; ANSWER SECTION:
    _acme-challenge.website1.client.qa.web.example.net. 1 IN TXT "N14G9FPTbZQOwjrcj1NSAMz6PRhSVHfSZTJpsyEVXNU.MuhCFQQlvT31aAuU1sA3xH0itW1YU9QhjqnYhruDEkM"

However, when I complete the challenge, I get the following answer:

 "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Correct value not found for DNS challenge",
    "status": 403
  },

Any help would be appreciated since I don’t know what is wrong in my setup.

Make sure you don’t have quotes within the TXT record.

The record is not quoted. I guess this is added by dig.
The value from the Azure portal is as follows:
image

Can you show the complete command you run (change the domain part only)?

dig -t TXT _acme-challenge.website1.client.qa.web.example.net

Even by using Google’s nameserver:

dig -t TXT _acme-challenge.aker-cd.abg.qa.web.sldev.net @8.8.8.8

I still get the same result:

;; ANSWER SECTION:
_acme-challenge.aker-cd.abg.qa.web.sldev.net. 0 IN TXT "N14G9FPTbZQOwjrcj1NSAMz6PRhSVHfSZTJpsyEVXNU.MuhCFQQlvT31aAuU1sA3xH0itW1YU9QhjqnYhruDEkM"

You’re using a bespoke client? That’s not the correct value. DNS-01 is different from HTTP-01. It should look something like this:

_acme-challenge.2017-08-14.mattnordhoff.win. 0 IN TXT "SE3rgzyr8_u0Dut_6GxFEEP5kfh14oFMr4crOKr5GJw"

https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.5 DNS Challenge
https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.3 HTTP Challenge

I don’t understand ACME very well, and you should read the draft (or one of the older drafts) or other documentation, but I believe the DNS value should be base64(SHA256(key authorization)) rather than the key authorization directly.

1 Like
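As an added example (not code from the thread, from Certes, or from the ACME draft), the derivation the reply above describes: the DNS-01 TXT value is base64url(SHA-256(key authorization)) with the `=` padding stripped, whereas the record in the thread's dig output holds the raw `token.thumbprint` key authorization. The check function classifies a published TXT value the way a validator would see it; the key authorization string is the one from the thread's own dig output.

```python
import base64
import hashlib

# Key authorization (token.thumbprint) exactly as it was published in the
# thread's _acme-challenge TXT record.
KEY_AUTHORIZATION = (
    "N14G9FPTbZQOwjrcj1NSAMz6PRhSVHfSZTJpsyEVXNU."
    "MuhCFQQlvT31aAuU1sA3xH0itW1YU9QhjqnYhruDEkM"
)

BASE64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def dns01_txt_value(key_authorization: str) -> str:
    """Value that belongs in the _acme-challenge TXT record for DNS-01:
    base64url(SHA-256(key_authorization)) without '=' padding (43 chars)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def looks_like_dns01_value(value: str) -> bool:
    """Shape check: a 32-byte digest encodes to exactly 43 base64url chars."""
    return len(value) == 43 and set(value) <= BASE64URL_ALPHABET


def diagnose_txt_record(published: str, key_authorization: str) -> str:
    """Explain why a validator would reject (or accept) the published value."""
    expected = dns01_txt_value(key_authorization)
    if published == expected:
        return "ok"
    if published.strip('"') == expected:
        return "quoted"  # surrounding quotes stored in the record itself
    if published == key_authorization:
        # The HTTP-01 style token.thumbprint string was published unhashed,
        # which is the situation in the thread.
        return "key-authorization-published"
    return "mismatch"


if __name__ == "__main__":
    print("expected TXT value:", dns01_txt_value(KEY_AUTHORIZATION))
    print("verdict on published record:",
          diagnose_txt_record(KEY_AUTHORIZATION, KEY_AUTHORIZATION))
```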

I am using Certes (https://github.com/fszlin/certes) for DNS authorization.
Your comment made me think that maybe there was an issue with DNS, and I found that the doc is missing for this particular case (https://github.com/fszlin/certes/issues/2).

I managed to make it work by adding the piece of code described there. Thanks for pointing me in the right direction!

Hey. I’ve made a hook for the dehydrated client for DNS-01 verification in Azure:

We’re using it on around 20 servers without issues. Let me know if you need assistance. There’s a small glitch in the latest release which has already been fixed in HEAD but if you’re interested I’ll do an actual release with the fix included, just let me know.
