ERROR: Challenge is invalid!

Hello,

recently my certificate for the Syno-Diskstation expired and I've been trying to renew it ever since, but to no avail.

At first I thought I had a configuration error on the firewall. But it should actually be fine, because the renewal had worked up to now. (I have previously removed all expired certificates under "Webserverprotection/ CA")

For testing purposes, I deactivated all redirections (ports 443 and 80) on the firewall (UTM 9.712-13) and tried the renewal directly on the FW.
But I get an error here too.

In the FW log I see the rejection, but I can't find the error.

Test with Intermediate Certificates "R3" in CA:
2022:11:13-16:53:03 utm_01 letsencrypt[10287]: I Renew certificate: handling CSR REF_CaCsrKu for domain set [XXX.diskstation.eu]
2022:11:13-16:53:03 utm_01 letsencrypt[10287]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain XXX.diskstation.eu
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: I Renew certificate: command completed with exit code 256
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["status"] "invalid"
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["error","type"] "urn:ietf:params:acme:error:dns"
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "DNS problem: query timed out looking up A for XXX.diskstation.eu; DNS problem: SERVFAIL looking up AAAA for XXX.diskstation.eu - the domain's nameservers may be malfunctioning"
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["error","status"] 400
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up A for XXX.diskstation.eu; DNS problem: SERVFAIL looking up AAAA for XXX.diskstation.eu - the domain's nameservers may be malfunctioning","status":400}
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/175751376527/QsDGvQ"
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["token"] "mdIE0zvAO3BakI3PBizgid-b58ZekgvVJ6KijUn6QLM"
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["validated"] "2022-11-13T15:53:27Z")
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: I Renew certificate: sending notification WARN-603
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

Test with Intermediate Certificates "R3"+ ISRG Root X2 in CA:
2022:11:13-18:47:03 utm_01 letsencrypt[24917]: I Renew certificate: handling CSR REF_CaCsrKu for domain set [XXX.diskstation.eu]
2022:11:13-18:47:03 utm_01 letsencrypt[24917]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain XXX.diskstation.eu
2022:11:13-18:48:01 utm_01 letsencrypt[26243]: E Renew certificate: aborting, failed to acquire an exclusive lock: Resource temporarily unavailable
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: I Renew certificate: command completed with exit code 256
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["status"] "invalid"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["error","type"] "urn:ietf:params:acme:error:dns"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "DNS problem: query timed out looking up CAA for XXX.diskstation.eu"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["error","status"] 400
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up CAA for XXX.diskstation.eu","status":400}
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/175782401467/hnYpLw"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["token"] "V2V3snEEs29jlPfp9Hbs8W3UhnErgL7YydTsqDEBxxI"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"url"] "http://XXX.diskstation.eu/.well-known/acme-challenge/V2V3snEEs29jlPfp9Hbs8W3UhnErgL7YydTsqDEBxxI"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"hostname"] "XXX.diskstation.eu"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"port"] "80"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"addressesResolved",0] "46.142.53.101"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"addressesResolved"] ["46.142.53.101"]
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"addressUsed"] "46.142.53.101"
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0] {"url":"http://XXX.diskstation.eu/.well-known/acme-challenge/V2V3snEEs29jlPfp9Hbs8W3UhnErgL7YydTsqDEBxxI","hostname":"XXX.diskstation.eu","port":"80","addressesResolved":["46.142.53.101"],"addressUsed":"46.142.53.101"}
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validationRecord"] [{"url":"http://XXX.diskstation.eu/.well-known/acme-challenge/V2V3snEEs29jlPfp9Hbs8W3UhnErgL7YydTsqDEBxxI","hostname":"XXX.diskstation.eu","port":"80","addressesResolved":["46.142.53.101"],"addressUsed":"46.142.53.101"}]
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: E Renew certificate: COMMAND_FAILED: ["validated"] "2022-11-13T17:47:28Z")
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: I Renew certificate: sending notification WARN-603
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2022:11:13-18:48:02 utm_01 letsencrypt[24917]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

Test with Intermediate Certificates "R3" + "ISRG Root X2" + "ISRG Root X1" in CA:
2022:11:13-18:56:03 utm_01 letsencrypt[27743]: I Renew certificate: handling CSR REF_CaCsrKu for domain set [XXX.diskstation.eu]
2022:11:13-18:56:03 utm_01 letsencrypt[27743]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain XXX.diskstation.eu
2022:11:13-18:57:02 utm_01 letsencrypt[29038]: E Renew certificate: aborting, failed to acquire an exclusive lock: Resource temporarily unavailable
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: I Renew certificate: command completed with exit code 256
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ["status"] "invalid"
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ["error","type"] "urn:ietf:params:acme:error:dns"
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "DNS problem: query timed out looking up A for XXX.diskstation.eu; DNS problem: query timed out looking up AAAA for XXX.diskstation.eu"
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ["error","status"] 400
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up A for XXX.diskstation.eu; DNS problem: query timed out looking up AAAA for XXX.diskstation.eu","status":400}
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/175784832277/3NWRdQ"
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ["token"] "uG2rT2jIYfCDtMRYzZfUN6FZXRNq4ZjlEHekeP9o8Ls"
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: E Renew certificate: COMMAND_FAILED: ["validated"] "2022-11-13T17:56:29Z")
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: I Renew certificate: sending notification WARN-603
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2022:11:13-18:57:02 utm_01 letsencrypt[27743]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

Does somebody have any idea?
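
Before touching the firewall it helps to read the ACME error type off those log lines: the validator reports a DNS failure, not a blocked port. The following is an added example (my own, not code from Sophos, dehydrated or the original post) that parses the UTM letsencrypt log format shown above, pulls out the failed challenge object and maps its `urn:ietf:params:acme:error:*` type (RFC 8555 section 6.7) to the component that actually failed. The first sample is copied from the first log excerpt above; the second is a constructed connection-failure case for contrast; the diagnosis wording is my interpretation.

```python
"""Classify a failed dehydrated / Let's Encrypt renewal from Sophos UTM
letsencrypt log lines, so a DNS failure is not mistaken for a blocked port."""
import json
import re

# UTM log line layout seen in the thread:
# "<ts> <host> letsencrypt[<pid>]: <level> Renew certificate: <msg>"
LINE_RE = re.compile(r"^\S+ \S+ letsencrypt\[\d+\]: (?P<level>[IEW]) Renew certificate: (?P<msg>.*)$")
DOMAIN_RE = re.compile(r"for domain set \[(?P<domain>[^\]]+)\]")
# dehydrated dumps the failed challenge object as '<json-path> <json-value>' pairs
FIELD_RE = re.compile(r"COMMAND_FAILED: .*?(?P<path>\[[^\]]*\]) (?P<value>.*)$")
# longer record type names first, otherwise "A" would swallow "AAAA"
DNS_DETAIL_RE = re.compile(r"(query timed out|SERVFAIL|NXDOMAIN) looking up (AAAA|CAA|TXT|A)\b")

# ACME error types and what each implies for the operator (my interpretation).
DIAGNOSIS = {
    "urn:ietf:params:acme:error:dns": "the authoritative nameservers did not answer the validator; "
        "fix DNS first, the port-80 forward is irrelevant until then",
    "urn:ietf:params:acme:error:connection": "the name resolved but the validator could not reach the host; "
        "check NAT/firewall rules for port 80 (http-01)",
    "urn:ietf:params:acme:error:unauthorized": "the host answered but served the wrong token or a redirect; "
        "check which web server owns /.well-known/acme-challenge/",
    "urn:ietf:params:acme:error:caa": "a CAA record forbids issuance by Let's Encrypt",
}

# Copied from the first log excerpt in the post above (domain anonymised there as well).
UTM_LOG = """\
2022:11:13-16:53:03 utm_01 letsencrypt[10287]: I Renew certificate: handling CSR REF_CaCsrKu for domain set [XXX.diskstation.eu]
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["status"] "invalid"
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up A for XXX.diskstation.eu; DNS problem: SERVFAIL looking up AAAA for XXX.diskstation.eu - the domain's nameservers may be malfunctioning","status":400}
2022:11:13-16:54:01 utm_01 letsencrypt[10287]: E Renew certificate: COMMAND_FAILED: ["validated"] "2022-11-13T15:53:27Z")
"""

# Constructed for contrast: the same log when DNS works but port 80 is blocked.
CONNECTION_LOG = """\
2022:11:14-10:00:01 utm_01 letsencrypt[31337]: I Renew certificate: handling CSR REF_CaCsrKu for domain set [XXX.diskstation.eu]
2022:11:14-10:01:01 utm_01 letsencrypt[31337]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2022:11:14-10:01:01 utm_01 letsencrypt[31337]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:connection","detail":"46.142.53.101: Fetching http://XXX.diskstation.eu/.well-known/acme-challenge/token: Timeout during connect (likely firewall problem)","status":400}
2022:11:14-10:01:01 utm_01 letsencrypt[31337]: E Renew certificate: COMMAND_FAILED: ["validationRecord"] [{"url":"http://XXX.diskstation.eu/.well-known/acme-challenge/token","hostname":"XXX.diskstation.eu","port":"80","addressesResolved":["46.142.53.101"],"addressUsed":"46.142.53.101"}]
"""

def _json_value(raw):
    """Parse the value part; the last dumped field carries a stray trailing ')'."""
    raw = raw.strip()
    for candidate in (raw, raw[:-1]):
        try:
            return json.loads(candidate)
        except json.JSONDecodeError:
            continue
    return raw

def analyze(log_text):
    """Return the domain, challenge type, ACME error details and a one-line diagnosis."""
    result = {"domain": None, "challenge": None, "error_type": None, "detail": None,
              "http_status": None, "address_used": None, "dns_failures": [],
              "diagnosis": "no failed challenge found in the log"}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        d = DOMAIN_RE.search(msg)
        if d:
            result["domain"] = d.group("domain")
        f = FIELD_RE.search(msg)
        if not f:
            continue
        path, value = json.loads(f.group("path")), _json_value(f.group("value"))
        if path == ["type"]:
            result["challenge"] = value
        elif path == ["error"] and isinstance(value, dict):
            result["error_type"] = value.get("type")
            result["detail"] = value.get("detail")
            result["http_status"] = value.get("status")
            result["dns_failures"] = DNS_DETAIL_RE.findall(value.get("detail", ""))
            result["diagnosis"] = DIAGNOSIS.get(value.get("type"),
                                                "unrecognised ACME error type, read the detail")
        elif path == ["validationRecord"] and isinstance(value, list) and value:
            result["address_used"] = value[0].get("addressUsed")
    return result

if __name__ == "__main__":
    for name, log in (("thread excerpt", UTM_LOG), ("constructed connection failure", CONNECTION_LOG)):
        r = analyze(log)
        print(f"{name}: {r['domain']} {r['challenge']} -> {r['error_type']}: {r['diagnosis']}")
```

The `validationRecord` block only appears once the validator got as far as resolving an address (second and third excerpts above, and the constructed case); when it is absent and the type is `...:dns`, the validator never reached the host at all, so disabling port forwards or GeoIP rules on the firewall cannot change the outcome.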

Hi @Mike1 ... Welcome to the forum.
Looks like there are some serious configuration issues standing between you and obtaining a new cert. Please look at the issues presented on "LetsDebug"

These will have to be resolved before moving forward.

4 Likes

Hello,

Thanks for your help.

I don't know how, but when I checked the firewall today, the certificate had been updated/re-issued on 14 November.

It stands to reason that the FW contains a bug regarding "manual renewal". I first transferred the new certificate from the FW to the DiskStation.

1 Like

OK fine. But this is what shows in certificate transparency reports.

Now I am certainly not the sharpest tool in this box, but as far as I can tell from the redacted information, the last cert was issued for syno...:
"2020-11-15 2020-11-15 2021-02-13 synouru.diskstation.eu synouru.diskstation.eu", which was a long, long time ago.

What are you trying to achieve here? If you are really trying to get certificates I would suggest being a bit more open and transparent with your needs.

LetsDebug says there are serious issues to be resolved.

So something is amiss here.


My analysis reveals nefarious information:

rip@T430:~$ nslookup diskstation.eu
;; connection timed out; no servers could be reached

rip@T430:~$ nslookup synouru.diskstation.eu
;; connection timed out; no servers could be reached

rip@T430:~$ ping synouru.diskstation.eu
ping: synouru.diskstation.eu: Temporary failure in name resolution

rip@T430:~$ nmap synouru.diskstation.eu
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-15 19:12 PST
Failed to resolve "synouru.diskstation.eu".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 20.06 seconds

rip@T430:~$ nmap diskstation.eu
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-15 19:13 PST
Failed to resolve "diskstation.eu".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 22.06 seconds

rip@T430:~$ whois synouru.diskstation.eu/
No whois server is known for this kind of object.
rip@T430:~$ whois diskstation.eu
%
% WHOIS diskstation.eu
Domain: diskstation.eu
Script: LATIN

Registrant:
        NOT DISCLOSED!
        Visit www.eurid.eu for webbased WHOIS.

On-site(s):
        NOT DISCLOSED!
        Visit www.eurid.eu for webbased WHOIS.

Registrar:
        Name: Key-Systems GmbH
        Website: www.key-systems.net

Name servers:
        ns2.crns.de
        h2-045.net.crns.de

Please visit www.eurid.eu for more info.

So it may be possible there are other issues involved here. Blocking by country... Obfuscating by intent... Firewall? DNS seems to be the root of the issue here.
If the world can't get to your site, why would you expect to achieve a successful certificate?
Are you the actual owner of this domain? Please respond.

3 Likes
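
The nslookup output above shows the symptom (no answer at all) but not which of the two WHOIS-listed nameservers is at fault, or for which record type. Here is an added example (mine, not from the thread or from any tool it mentions) that sends one UDP query per record type straight to each authoritative server, for exactly the three types the Let's Encrypt validator asked for in the logs above (A, AAAA and CAA), and reports TIMEOUT, the rcode (e.g. SERVFAIL) or the answers. It speaks the RFC 1035 wire format itself, so only the standard library is needed. The server names ns2.crns.de and h2-045.net.crns.de are taken from the WHOIS output above; the packets used to exercise the parser are constructed, not real answers from those servers.

```python
"""Query a nameserver directly for the records an ACME validator needs (A,
AAAA, CAA) and report TIMEOUT or the DNS rcode, using the RFC 1035 wire
format so that only the standard library is needed."""
import random
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28, "CAA": 257}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, rrtype, txid):
    """12-byte header (id, RD set, one question) + QNAME labels + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[rrtype], 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, after = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if after is None:
                after = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (after if after is not None else off)

def parse_response(msg, expected_id):
    """Return (rcode name, list of A/AAAA/CAA rdata as text); reject a foreign ID."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    rcode = RCODE.get(flags & 0x0F, f"RCODE{flags & 0x0F}")
    off = 12
    for _ in range(qdcount):                          # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            records.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28:
            records.append(socket.inet_ntop(socket.AF_INET6, rdata))
        elif rtype == 257:                            # CAA: flags, tag length, tag, value
            tag_len = rdata[1]
            tag = rdata[2:2 + tag_len].decode("ascii")
            records.append(f"{rdata[0]} {tag} {rdata[2 + tag_len:].decode('ascii')}")
    return rcode, records

def check(name, server, rrtype, timeout=5.0):
    """One UDP query to `server`: returns 'TIMEOUT', a non-NOERROR rcode, or the answers."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, rrtype, txid), (server, 53))
        try:
            msg, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    rcode, records = parse_response(msg, txid)
    return records if rcode == "NOERROR" else rcode

if __name__ == "__main__":
    # e.g.  python3 acme_dns_check.py kummerkasten.diskstation.eu ns2.crns.de h2-045.net.crns.de
    import sys
    host, servers = sys.argv[1], sys.argv[2:]
    for server in servers:
        for rrtype in QTYPE:
            print(f"{server:>20} {rrtype:<5} {check(host, server, rrtype)}")
```

Reading the result: NOERROR with an empty list for CAA is the normal case (no CAA record published, so any CA may issue); TIMEOUT or SERVFAIL on any of the three types from the servers the zone delegates to is exactly what produces `urn:ietf:params:acme:error:dns` on the validator side. The script sends a single query without retries, which is stricter than a recursive resolver, so run it several times in a row to see whether the servers are intermittent rather than dead.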

Just an FYI (to all that may come by):
DiskStation.eu is in the Public Suffix List (PSL).

// TwoDNS : https://www.twodns.de/
// Submitted by TwoDNS-Support <support@two-dns.de>
dd-dns.de
diskstation.eu
diskstation.org
dray-dns.de
draydns.de
dyn-vpn.de
dynvpn.de
mein-vigor.de
my-vigor.de
my-wan.de
syno-ds.de
synology-diskstation.de
synology-ds.de
3 Likes

And a link to it: View the Public Suffix List (https://publicsuffix.org/list/)

2 Likes
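
Why the PSL entry matters for certificates: Let's Encrypt computes its certificates-per-registered-domain rate limit (50 per week at the time of this thread) from the Public Suffix List, so every `<name>.diskstation.eu` is its own registered domain and all the TwoDNS customers on that suffix do not share one bucket. The following added example (my own, not code from the PSL project or from the libraries most ACME clients use) implements the list's published matching algorithm over a constructed excerpt: a few ICANN rules, including a wildcard and an exception rule, plus part of the TwoDNS block quoted above. Real lookups should load the full list from the URL above.

```python
"""Derive the Public Suffix List 'registered domain' of a host name, the unit
Let's Encrypt uses for its certificates-per-registered-domain rate limit."""

# Constructed excerpt of the PSL: a few ICANN rules (including a wildcard and
# an exception rule) plus part of the TwoDNS private-domain block quoted above.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
de
eu
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// TwoDNS : https://www.twodns.de/
dd-dns.de
diskstation.eu
diskstation.org
syno-ds.de
synology-diskstation.de
// ===END PRIVATE DOMAINS===
"""

def load_rules(text):
    """One rule per non-comment line; '*' wildcards and '!' exceptions stay literal."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")}

def public_suffix(host, rules):
    """PSL algorithm: of all matching rules an exception rule prevails, otherwise the
    one with the most labels; an exception drops its leftmost label; with no match
    at all the suffix is the last label (the implicit '*' rule)."""
    labels = host.lower().rstrip(".").split(".")
    prevailing = None                      # (is_exception, suffix_label_count)
    for i in range(len(labels)):
        suffix = labels[i:]
        plain = ".".join(suffix)
        candidates = ((plain, False), ("!" + plain, True),
                      (".".join(["*"] + suffix[1:]), False))
        for text, exception in candidates:
            if text in rules:
                key = (exception, len(suffix) - 1 if exception else len(suffix))
                if prevailing is None or key > prevailing:
                    prevailing = key
    n = prevailing[1] if prevailing else 1
    return ".".join(labels[-n:])

def registered_domain(host, rules):
    """Public suffix plus one label, or None when the host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def same_rate_limit_bucket(host_a, host_b, rules):
    """True when two names count against the same Let's Encrypt registered-domain limit."""
    a, b = registered_domain(host_a, rules), registered_domain(host_b, rules)
    return a is not None and a == b

if __name__ == "__main__":
    rules = load_rules(PSL_EXCERPT)
    for h in ("kummerkasten.diskstation.eu", "nas.home.example.co.uk", "www.ck", "diskstation.eu"):
        print(f"{h:32} suffix={public_suffix(h, rules):16} registered={registered_domain(h, rules)}")
```

The practical consequence for this thread: a failed renewal on kummerkasten.diskstation.eu cannot be rate-limited by anyone else's host under diskstation.eu, so "too many certificates" is not a candidate explanation here, whereas on a suffix that is not in the list (say a self-hosted dyndns domain) all hosts would share one bucket.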

Hi,

the correct entry in the DNS is "https://kummerkasten.diskstation.eu/".
With the imported certificate, the diskstation can also be reached again with a signature.

After importing the certificate from the FW, I also tried to generate a self-renewing certificate (from LE) on the DiskStation.
But despite opening ports 80 and 443 in the FW, the DiskStation reports:
"Invalid domain. Make sure this domain can be resolved to a public IP address."

The error also occurs when I deactivate <ISP, GeoIP,> in the FW.

Definitely a DNS issue. Multi-country domain resolving with DNS service: Check host - online website monitoring

$ nslookup
> kummerkasten.diskstation.eu
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find kummerkasten.diskstation.eu: SERVFAIL
>

Presently https://letsdebug.net/ HTTP-01 Challenge is showing
Let's Debug

1 Like

What you can see right now is the filter from the

Result with inactive < GeoIP >:

I see this Check report was removed: Check host - online website monitoring

And this Let's Debug

2 Likes

@Mike1 you might have to go to support of TwoDNS; the DNS servers are (at least presently) very intermittent. Sorry!

Or @Rip's findings in "ERROR: Challenge is invalid! - #4 by Rip", the WHOIS section.

2 Likes

Is diskstation.eu a Synology supplied TLD?
If so also try Synology's support and community forums.

2 Likes

Yeah... BUT:

I'm going to step back and "weed this out" as best I can, so as to not push the "Self Destruct" button @rg305

4 Likes

... yes, that was my thought yesterday too. I contacted TwoDNS support.

2 Likes
