Error during DNS-based certificate renewal (acme.sh)

Hello,

Just registered in this community, this is my first post. Your help will be much appreciated.

My domains are (for a single LE certificate: multi-domain, but not wildcard):

matin2-prod.ecs.gatech.edu
proxy.matin2-prod.ecs.gatech.edu
vncproxy.matin2-prod.ecs.gatech.edu

I ran this command:

acme.sh --issue --dns -d matin2-prod.ecs.gatech.edu -d proxy.matin2-prod.ecs.gatech.edu -d vncproxy.matin2-prod.ecs.gatech.edu --yes-I-know-dns-manual-mode-enough-go-ahead-please

It produced this output:

[Sat Jun  8 23:00:09 EDT 2019] Multi domain='DNS:matin2-prod.ecs.gatech.edu,DNS:proxy.matin2-prod.ecs.gatech.edu,DNS:vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:00:09 EDT 2019] Getting domain auth token for each domain
[Sat Jun  8 23:00:10 EDT 2019] Getting webroot for domain='matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:00:10 EDT 2019] Getting webroot for domain='proxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:00:10 EDT 2019] Getting webroot for domain='vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:00:10 EDT 2019] Add the following TXT record:
[Sat Jun  8 23:00:10 EDT 2019] Domain: '_acme-challenge.proxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:00:10 EDT 2019] TXT value: '_cepvK2pKz_WNmHOkPy77RAdIZsydZqW7I6Aiske840'
[Sat Jun  8 23:00:10 EDT 2019] Please be aware that you prepend _acme-challenge. before your domain
[Sat Jun  8 23:00:10 EDT 2019] so the resulting subdomain will be: _acme-challenge.proxy.matin2-prod.ecs.gatech.edu
[Sat Jun  8 23:00:11 EDT 2019] Add the following TXT record:
[Sat Jun  8 23:00:11 EDT 2019] Domain: '_acme-challenge.vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:00:11 EDT 2019] TXT value: 'oQHANwJ5fsDlatYD4r9vyAWbXV83aElE5OT0mRQEZcw'
[Sat Jun  8 23:00:11 EDT 2019] Please be aware that you prepend _acme-challenge. before your domain
[Sat Jun  8 23:00:11 EDT 2019] so the resulting subdomain will be: _acme-challenge.vncproxy.matin2-prod.ecs.gatech.edu
[Sat Jun  8 23:00:11 EDT 2019] Please add the TXT records to the domains, and re-run with --renew.
[Sat Jun  8 23:00:11 EDT 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[root@matin2-prod cloud-user]#
[root@matin2-prod cloud-user]# acme.sh --issue --dns -d matin2-prod.ecs.gatech.edu -d proxy.matin2-prod.ecs.gatech.edu -d vncproxy.matin2-prod.ecs.gatech.edu --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
[Sat Jun  8 23:02:17 EDT 2019] Renew: 'matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:02:18 EDT 2019] Multi domain='DNS:matin2-prod.ecs.gatech.edu,DNS:proxy.matin2-prod.ecs.gatech.edu,DNS:vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:02:18 EDT 2019] Getting domain auth token for each domain
[Sat Jun  8 23:02:18 EDT 2019] matin2-prod.ecs.gatech.edu is already verified, skip dns-01.
[Sat Jun  8 23:02:18 EDT 2019] Verifying: proxy.matin2-prod.ecs.gatech.edu
[Sat Jun  8 23:02:20 EDT 2019] proxy.matin2-prod.ecs.gatech.edu:Verify error:Incorrect TXT record
[Sat Jun  8 23:02:20 EDT 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Sat Jun  8 23:02:21 EDT 2019] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

Updated relevant DNS records (note that the main domain’s records has already been validated earlier). Then …

I ran this command (after running the same command without --debug):

acme.sh --issue --dns -d matin2-prod.ecs.gatech.edu -d proxy.matin2-prod.ecs.gatech.edu -d vncproxy.matin2-prod.ecs.gatech.edu --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew --debug

It produced this output:

[Sat Jun  8 23:23:32 EDT 2019] Lets find script dir.
[Sat Jun  8 23:23:32 EDT 2019] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Jun  8 23:23:32 EDT 2019] _script='/root/.acme.sh/acme.sh'
[Sat Jun  8 23:23:32 EDT 2019] _script_home='/root/.acme.sh'
[Sat Jun  8 23:23:32 EDT 2019] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.8.2
[Sat Jun  8 23:23:32 EDT 2019] Using config home:/root/.acme.sh
[Sat Jun  8 23:23:32 EDT 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jun  8 23:23:32 EDT 2019] DOMAIN_PATH='/root/.acme.sh/matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] Renew: 'matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] Le_API
[Sat Jun  8 23:23:32 EDT 2019] _main_domain='matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] _alt_domains='proxy.matin2-prod.ecs.gatech.edu,vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sat Jun  8 23:23:32 EDT 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sat Jun  8 23:23:32 EDT 2019] GET
[Sat Jun  8 23:23:32 EDT 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jun  8 23:23:32 EDT 2019] timeout=
[Sat Jun  8 23:23:32 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:32 EDT 2019] ret='0'
[Sat Jun  8 23:23:32 EDT 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sat Jun  8 23:23:32 EDT 2019] ACME_NEW_AUTHZ
[Sat Jun  8 23:23:32 EDT 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sat Jun  8 23:23:32 EDT 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat Jun  8 23:23:32 EDT 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sat Jun  8 23:23:32 EDT 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sat Jun  8 23:23:32 EDT 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat Jun  8 23:23:32 EDT 2019] ACME_VERSION='2'
[Sat Jun  8 23:23:32 EDT 2019] Le_NextRenewTime
[Sat Jun  8 23:23:32 EDT 2019] _on_before_issue
[Sat Jun  8 23:23:32 EDT 2019] _chk_main_domain='matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] _chk_alt_domains='proxy.matin2-prod.ecs.gatech.edu,vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] Le_LocalAddress
[Sat Jun  8 23:23:32 EDT 2019] d='matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] Check for domain='matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] _currentRoot='dns'
[Sat Jun  8 23:23:32 EDT 2019] d='proxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] Check for domain='proxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] _currentRoot='dns'
[Sat Jun  8 23:23:32 EDT 2019] d='vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] Check for domain='vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] _currentRoot='dns'
[Sat Jun  8 23:23:32 EDT 2019] d
[Sat Jun  8 23:23:32 EDT 2019] _saved_account_key_hash is not changed, skip register account.
[Sat Jun  8 23:23:32 EDT 2019] Read key length:
[Sat Jun  8 23:23:32 EDT 2019] _createcsr
[Sat Jun  8 23:23:32 EDT 2019] Multi domain='DNS:matin2-prod.ecs.gatech.edu,DNS:proxy.matin2-prod.ecs.gatech.edu,DNS:vncproxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] Getting domain auth token for each domain
[Sat Jun  8 23:23:32 EDT 2019] ok, let's start to verify
[Sat Jun  8 23:23:32 EDT 2019] matin2-prod.ecs.gatech.edu is already verified, skip dns-01.
[Sat Jun  8 23:23:32 EDT 2019] Verifying: proxy.matin2-prod.ecs.gatech.edu
[Sat Jun  8 23:23:32 EDT 2019] d='proxy.matin2-prod.ecs.gatech.edu'
[Sat Jun  8 23:23:32 EDT 2019] keyauthorization='SpZqG6HT_AAGVfGhiHN-Kvnv0cq0DK1k-H2Evp58bpQ.SSIWawZdCBXVhMpG4kGxz8ayMVhsTRfsT9hMAVORhZI'
[Sat Jun  8 23:23:32 EDT 2019] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/O9IxNUHQbHXFotUD3Awrsa1zC8T0g6XxgDGdZdasm3k/16845024693'
[Sat Jun  8 23:23:32 EDT 2019] _currentRoot='dns'
[Sat Jun  8 23:23:32 EDT 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/O9IxNUHQbHXFotUD3Awrsa1zC8T0g6XxgDGdZdasm3k/16845024693'
[Sat Jun  8 23:23:32 EDT 2019] payload='{}'
[Sat Jun  8 23:23:32 EDT 2019] RSA key
[Sat Jun  8 23:23:32 EDT 2019] HEAD
[Sat Jun  8 23:23:32 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat Jun  8 23:23:32 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:32 EDT 2019] _ret='0'
[Sat Jun  8 23:23:32 EDT 2019] POST
[Sat Jun  8 23:23:32 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/O9IxNUHQbHXFotUD3Awrsa1zC8T0g6XxgDGdZdasm3k/16845024693'
[Sat Jun  8 23:23:32 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:32 EDT 2019] _ret='0'
[Sat Jun  8 23:23:33 EDT 2019] code='400'
[Sat Jun  8 23:23:33 EDT 2019] proxy.matin2-prod.ecs.gatech.edu:Challenge error: {
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}
[Sat Jun  8 23:23:33 EDT 2019] Skip for removelevel:
[Sat Jun  8 23:23:33 EDT 2019] pid
[Sat Jun  8 23:23:33 EDT 2019] No need to restore nginx, skip.
[Sat Jun  8 23:23:33 EDT 2019] _clearupdns
[Sat Jun  8 23:23:33 EDT 2019] dns_entries
[Sat Jun  8 23:23:33 EDT 2019] skip dns.
[Sat Jun  8 23:23:33 EDT 2019] _on_issue_err
[Sat Jun  8 23:23:33 EDT 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Sat Jun  8 23:23:33 EDT 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/PwfsfRKkv3_HmNvVZvNkHZWJsM4xWXaoizPgW_V_H9E/16758639237'
[Sat Jun  8 23:23:33 EDT 2019] payload='{}'
[Sat Jun  8 23:23:33 EDT 2019] POST
[Sat Jun  8 23:23:33 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/PwfsfRKkv3_HmNvVZvNkHZWJsM4xWXaoizPgW_V_H9E/16758639237'
[Sat Jun  8 23:23:33 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:33 EDT 2019] _ret='0'
[Sat Jun  8 23:23:33 EDT 2019] code='200'
[Sat Jun  8 23:23:33 EDT 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/O9IxNUHQbHXFotUD3Awrsa1zC8T0g6XxgDGdZdasm3k/16845024693'
[Sat Jun  8 23:23:33 EDT 2019] payload='{}'
[Sat Jun  8 23:23:33 EDT 2019] POST
[Sat Jun  8 23:23:33 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/O9IxNUHQbHXFotUD3Awrsa1zC8T0g6XxgDGdZdasm3k/16845024693'
[Sat Jun  8 23:23:33 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:33 EDT 2019] _ret='0'
[Sat Jun  8 23:23:33 EDT 2019] code='400'
[Sat Jun  8 23:23:33 EDT 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/-eQmYumq_BmfmnTI4dvxHXLT8An7sIos1J7JAEa7k9Y/16845024753'
[Sat Jun  8 23:23:33 EDT 2019] payload='{}'
[Sat Jun  8 23:23:33 EDT 2019] POST
[Sat Jun  8 23:23:33 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/-eQmYumq_BmfmnTI4dvxHXLT8An7sIos1J7JAEa7k9Y/16845024753'
[Sat Jun  8 23:23:33 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:33 EDT 2019] _ret='0'
[Sat Jun  8 23:23:33 EDT 2019] code='400'
[Sat Jun  8 23:23:33 EDT 2019] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

My web server is (include version):

Apache 2, but it's irrelevant here due to using DNS-based challenge.

The operating system my web server runs on is (include version): RHEL 6.10

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): acme.sh v2.8.2

NOTE: I cannot use HTTP-based challenge/validation due to port 80 being locked down.

Hi @alexb1

that’s curious. Checking that url

https://acme-v02.api.letsencrypt.org/acme/challenge/O9IxNUHQbHXFotUD3Awrsa1zC8T0g6XxgDGdZdasm3k/16845024693

manual there is another error:

type	"urn:ietf:params:acme:error:unauthorized"
detail	"Incorrect TXT record \"psdxr-F6eulWoTuriQtMmrlLcvHTDgIV_TWXYk9zdGw\" found at _acme-challenge.proxy.matin2-prod.ecs.gatech.edu"
status	403

So the reported error message is wrong.

Checking all values url= via browser

[Sat Jun  8 23:23:33 EDT 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Sat Jun  8 23:23:33 EDT 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/PwfsfRKkv3_HmNvVZvNkHZWJsM4xWXaoizPgW_V_H9E/16758639237'
[Sat Jun  8 23:23:33 EDT 2019] payload='{}'
[Sat Jun  8 23:23:33 EDT 2019] POST
[Sat Jun  8 23:23:33 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/PwfsfRKkv3_HmNvVZvNkHZWJsM4xWXaoizPgW_V_H9E/16758639237'
[Sat Jun  8 23:23:33 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:33 EDT 2019] _ret='0'
[Sat Jun  8 23:23:33 EDT 2019] code='200'
[Sat Jun  8 23:23:33 EDT 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/O9IxNUHQbHXFotUD3Awrsa1zC8T0g6XxgDGdZdasm3k/16845024693'
[Sat Jun  8 23:23:33 EDT 2019] payload='{}'
[Sat Jun  8 23:23:33 EDT 2019] POST
[Sat Jun  8 23:23:33 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/O9IxNUHQbHXFotUD3Awrsa1zC8T0g6XxgDGdZdasm3k/16845024693'
[Sat Jun  8 23:23:33 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:33 EDT 2019] _ret='0'
[Sat Jun  8 23:23:33 EDT 2019] code='400'
[Sat Jun  8 23:23:33 EDT 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/-eQmYumq_BmfmnTI4dvxHXLT8An7sIos1J7JAEa7k9Y/16845024753'
[Sat Jun  8 23:23:33 EDT 2019] payload='{}'
[Sat Jun  8 23:23:33 EDT 2019] POST
[Sat Jun  8 23:23:33 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/-eQmYumq_BmfmnTI4dvxHXLT8An7sIos1J7JAEa7k9Y/16845024753'
[Sat Jun  8 23:23:33 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sat Jun  8 23:23:33 EDT 2019] _ret='0'
[Sat Jun  8 23:23:33 EDT 2019] code='400'

matin2-prod.ecs.gatech.edu is correct, proxy.matin2-prod.ecs.gatech.edu and vncproxy.matin2-prod.ecs.gatech.edu are wrong.

Checking one domain via https://check-your-website.server-daten.de/?q=proxy.matin2-prod.ecs.gatech.edu#txt you have created the correct entry:

9. TXT - Entries

Domainname TXT Entry Status ∑ Queries ∑ Timeout
matin2-prod.ecs.gatech.edu ok 1 0
proxy.matin2-prod.ecs.gatech.edu ok 1 0
_acme-challenge.proxy.matin2-prod.ecs.gatech.edu psdxr-F6eulWoTuriQtMmrlLcvHTDgIV_TWXYk9zdGw looks good 1 0
_acme-challenge.proxy.matin2-prod.ecs.gatech.edu.matin2-prod.ecs.gatech.edu Name Error - The domain name does not exist 1 0
_acme-challenge.proxy.matin2-prod.ecs.gatech.edu.proxy.matin2-prod.ecs.gatech.edu Name Error - The domain name does not exist 1 0

Not one of the typical wrong entries.

Are you sure you didn’t permute the TXT entries?

The checked domain has an open port 80.

Domainname Http-Status redirect Sec. G
http://proxy.matin2-prod.ecs.gatech.edu/
143.215.76.205 403 0.263 M
Forbidden
https://proxy.matin2-prod.ecs.gatech.edu/
143.215.76.205 -8 1.110 W
ConnectionClosed - The underlying connection was closed: The connection was closed unexpectedly.
http://proxy.matin2-prod.ecs.gatech.edu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
143.215.76.205 404 0.257 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.2.15 (Red Hat) Server at proxy.matin2-prod.ecs.gatech.edu Port 80

Perhaps check your other domains, maybe a configuration change.

PS: If you use acme.sh: That client supports tls-alpn-01 (replaced tls-sni-01 validation) via port 443. Perhaps that’s another solution you can use.

2 Likes

@JuergenAuer Thank you very much for detailed and prompt help.

Re: port 80 - I meant that it is closed on the main domain/host (matin2-prod). At least, it should be (I will check).

Re: different errors – I’m not sure why you have received different error. I’ve just checked our DNS system and confirm that TXT record _acme-challenge.proxy.matin2-prod.ecs.gatech.edu has value _cepvK2pKz_WNmHOkPy77RAdIZsydZqW7I6Aiske840 not the one appearing in your output (psdxr-F6eulWoTuriQtMmrlLcvHTDgIV_TWXYk9zdGw). Perhaps, this discrepancy is the root cause of the issue (in this case, what would be the fix?). My guess is that the value in your output is a value from my previous attempts (TXT record updates) that is somehow cached by LE infrastructure. Of course, I might be wrong on this.

Re: " matin2-prod.ecs.gatech.edu is correct, proxy.matin2-prod.ecs.gatech.edu and vncproxy.matin2-prod.ecs.gatech.edu are wrong" – What do you mean by “wrong” here? All these are valid FQDNs …

I followed your advice and tried using the ALPN mode, but it has failed as follows:

acme.sh --issue -d matin2-prod.ecs.gatech.edu -d proxy.matin2-prod.ecs.gatech.edu -d vncproxy.matin2-prod.ecs.gatech.edu --alpn
[Sun Jun  9 05:32:56 EDT 2019] Standalone alpn mode.
[Sun Jun  9 05:32:56 EDT 2019] Standalone alpn mode.
[Sun Jun  9 05:32:57 EDT 2019] Standalone alpn mode.
[Sun Jun  9 05:32:57 EDT 2019] Multi domain='DNS:matin2-prod.ecs.gatech.edu,DNS:proxy.matin2-prod.ecs.gatech.edu,DNS:vncproxy.matin2-prod.ecs.gatech.edu'
[Sun Jun  9 05:32:57 EDT 2019] Getting domain auth token for each domain
[Sun Jun  9 05:32:58 EDT 2019] Getting webroot for domain='matin2-prod.ecs.gatech.edu'
[Sun Jun  9 05:32:58 EDT 2019] Getting webroot for domain='proxy.matin2-prod.ecs.gatech.edu'
[Sun Jun  9 05:32:58 EDT 2019] Getting webroot for domain='vncproxy.matin2-prod.ecs.gatech.edu'
[Sun Jun  9 05:32:58 EDT 2019] matin2-prod.ecs.gatech.edu is already verified, skip tls-alpn-01.
[Sun Jun  9 05:32:58 EDT 2019] Verifying: proxy.matin2-prod.ecs.gatech.edu
[Sun Jun  9 05:32:58 EDT 2019] Starting tls server.
[Sun Jun  9 05:33:02 EDT 2019] proxy.matin2-prod.ecs.gatech.edu:Verify error:Connection refused
/root/.acme.sh/acme.sh: line 2173: kill: (203076) - No such process
[Sun Jun  9 05:33:02 EDT 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log

I’m not sure why the connection is refused (I temporarily stopped some processes that have previously used port 443, so, in theory, it should be open) …

Please advise.

P.S. Forgot to mention: subsequent attempts to renew generate an “authorization pending” error, so, perhaps, the problem could be resolved by clearing previously issued authorization(s) [if the effect is immediate]. If so, would you recommend to use acmecancel tool (https://github.com/voutasaurus/acmecancel) or some other approach(es)? Thank you!

1 Like

Let’s Encrypt’s DNS resolvers cache records for up to 60 seconds.

It would be prudent to decrease the TTLs over your _acme-challenge TXT records, but if you’re not changing things at that fast a pace, it’s not currently a problem.

2 Likes

Yep, looks like this is the problem.

Rechecked via the good old nslookup:

D:\temp>nslookup -type=TXT _acme-challenge.proxy.matin2-prod.ecs.gatech.edu. 8.8.8.8

_acme-challenge.proxy.matin2-prod.ecs.gatech.edu text =

    "psdxr-F6eulWoTuriQtMmrlLcvHTDgIV_TWXYk9zdGw"

brahma5.dns.gatech.edu is your name server.

No, the result has nothing to do with Letsencrypt. It’s a standard DNS query from the online tool. But checking that offline -> the same result.

One result has the http result 200, so it’s valid. The other two have the wrong TXT entry.

That’s the thing I don’t understand. There is an “autorization pending” error, but every challenge has another status.

1 Like

@mnordhoff Thank you for your advice. I’m definitely not changing things that fast, so, as you said, it should not be a problem. Having said that, our DNS system has Override TTL option in the edit TXT record dialog, but it seems to be irrelevant to the current issue at hand.

@JuergenAuer I appreciate further clarifications. I don’t understand how the discrepancy of TXT record between our organization’s DNS system and a public nameserver (e.g., 8.8.8.8) could exist (I assume that DNS updates are propagated relatively fast, like minutes or hours).

The only potential reason for such discrepancy that I can think of would be failure of our DNS system to propagate my changes to the outside world (could it be that it requires having administrator rights withing our DNS system?) …

BTW, do you have any advice on cancelling pending authorizations, if it makes sense?

1 Like

Good news, people! Just in case, I decided to test a normal HTTP-based validation and, to my surprise, it has worked perfectly (I have just used acme.sh client with my three domains and the --standalone flag). I’m still a bit worried about potential issues during a renewal process (I don’t see a --dry-run option for acme.sh; does LE infrastructure support such mode in general, regardless of ACME client), but, at least, I’m OK for now. I’m grateful for your help.

2 Likes

Happy to read that http-01 validation works. That’s always the easiest solution.

I don’t know the details of your setup. But if you have an internal nameserver that sends the data to brahma5, that’s bad.

I’ve never created pending authorizations, so I don’t know something about such tools.

2 Likes

@JuergenAuer Thank you, again, for clarifications and prompt help. Much appreciated!

2 Likes

4 posts were split to a new topic: Acme.sh error: authorization must be pending

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.