Error generating certificate with Certifytheweb

Hello,

I have created an API user at Loopia to use with Let's Encrypt and Certifytheweb. When I run the test in Certifytheweb I get no error and it seems like the API user and password are working.

I guess I've missed creating a TXT record for the ACME challenge, but I don't know what record I should add. What's the input to use?

Here is the error from the log:

2023-11-20 17:14:28.829 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/285751192856/NzPRvQ
2023-11-20 17:14:28.980 +01:00 [INF] Preparing automated challenge responses for: rd.mydomain.se [dns]
2023-11-20 17:14:28.982 +01:00 [INF] DNS: Creating TXT Record '_acme-challenge.rd.mydomain.se' with value 'xNI8v_A10vqALCne3qeZV7-G-_Uozx9cg10JGaS9NCQ', [rd.mydomain.se]  using API provider 'Powershell/PoshACME DNS'
2023-11-20 17:14:30.851 +01:00 [INF] DNS: Powershell/PoshACME DNS :: Powershell Task Completed.
2023-11-20 17:16:01.271 +01:00 [INF] Resuming certificate request using CA: Let's Encrypt
2023-11-20 17:16:01.271 +01:00 [INF] Attempting challenge response validation for: rd.mydomain.se [dns]
2023-11-20 17:16:01.271 +01:00 [INF] [Progress] Checking automated challenge response for: rd.mydomain.se [dns]
2023-11-20 17:16:01.271 +01:00 [INF] Submitting challenge for validation: rd.mydomain.se [dns] 
2023-11-20 17:16:06.885 +01:00 [ERR] [Progress] Validation failed: rd.mydomain.se [dns] 
Response from Certificate Authority: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rd.mydomain.se - check that a DNS record exists for this domain [BadRequest :: urn:ietf:params:acme:error:dns]
2023-11-20 17:16:07.668 +01:00 [INF] DNS: Deleting TXT Record '_acme-challenge.rd.mydomain.se' :'xNI8v_A10vqALCne3qeZV7-G-_Uozx9cg10JGaS9NCQ', [rd.mydomain.se]  using API provider 'Powershell/PoshACME DNS'
2023-11-20 17:16:08.927 +01:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: rd.mydomain.se [dns] 
Response from Certificate Authority: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rd.mydomain.se - check that a DNS record exists for this domain [BadRequest :: urn:ietf:params:acme:error:dns]
2023-11-20 17:16:09.623 +01:00 [INF] Performing Post-Request (Deployment) Tasks..
2023-11-20 17:16:09.624 +01:00 [INF] Task [Deploy cert for RDS] :: Task is enabled but will not run because primary request unsuccessful.
2023-11-20 17:16:09.624 +01:00 [ERR] Deploy cert for RDS :: Task is enabled but will not run because primary request unsuccessful.

I guess "xNI8v_A10vqALCne3qeZV7-G-_Uozx9cg10JGaS9NCQ" is the input for such a record, but it's generated when I run the request for a new certificate? Or am I wrong, and how do I get to know what input to use if I create such a TXT record manually? I thought Certifytheweb was able to create it, but maybe that's stupid :)

It's added by CertifyTheWeb:

and it's also automatically removed once the challenge has failed:

I'm not familiar with CertifyTheWeb, but you should investigate why the TXT RR isn't present when the challenge is validated. This could be due to:

  • Errors in adding the TXT RR. But I assume (though I'm not sure) CertifyTheWeb would provide an error when the "Powershell/PoshACME DNS" script couldn't add the TXT RR.
  • Too little time between adding the TXT RR and the challenge validation. Please check the CertifyTheWeb documentation if you can add a delay between adding the TXT RR and the validation of the challenge.

What also could be helpful is some way to pause CertifyTheWeb between adding the TXT RR and the validation of the challenge. Does CertifyTheWeb have such a thing? Can you check the documentation?

Also, the "Powershell/PoshACME DNS" provider is kinda generic to me. How is that configured in CertifyTheWeb? Does your DNS provider (Space2u.com it seems) even have an API to add and remove the TXT RR?


@webprofusion If I search for "Powershell/PoshACME DNS" using Google (or "PoshACME DNS certifytheweb") I don't get much results. Is that API provider documented anywhere? I can see it mentioned on DNS Validation (dns-01) | Certify The Web Docs, but it simply refers to the Github page of Posh-ACME. I assume one can also configure it somehow from within CertifyTheWeb?


Hi, the most common reason for this sort of thing is that there wasn't enough time for your DNS nameservers to copy the change to all of the authoritative nameservers. By default we allow 90 seconds, but you can extend that to 120 seconds, for instance, by setting Propagation Delay Seconds. During that time you should be able to log in to your DNS control panel and see the _acme-challenge record populated; it will then disappear when the app cleans up the challenge responses.

@Osiris thanks for reminding me, we don't currently log which specific Posh-ACME provider option was selected (obviously the user already knows, but people trying to provide help by reading the log don't), so we'll get that fixed.


Thanks for the reply (thank you too @Osiris !)

I've tried adjusting the propagation delay to 120 seconds, but the outcome is the same. Here's the log, and I don't get it. Is it possible to manually add such a record to validate?

Log (both request + test):

Request:

2023-11-21 07:03:33.811 +01:00 [INF] ---- Beginning Request [rd.mydomain.se] ----
2023-11-21 07:03:33.811 +01:00 [INF] Renewal Reason: Renewal attempt is due, item has failed 18 times and renewal will be periodically attempted.
2023-11-21 07:03:33.811 +01:00 [INF] Certify/6.0.12.0 (Windows; Microsoft Windows NT 10.0.20348.0) 
2023-11-21 07:03:33.812 +01:00 [INF] Beginning certificate request process: rd.mydomain.se using ACME provider Anvil
2023-11-21 07:03:33.812 +01:00 [INF] The selected Certificate Authority is: Let's Encrypt
2023-11-21 07:03:33.812 +01:00 [INF] Requested identifiers to include on certificate: rd.mydomain.se [dns]
2023-11-21 07:03:39.703 +01:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/1418938236/223715182236
2023-11-21 07:03:40.312 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/285951444506/rsvqdg
2023-11-21 07:03:40.457 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/285951444506/sKbcdQ
2023-11-21 07:03:40.613 +01:00 [INF] Preparing automated challenge responses for: rd.mydomain.se [dns]
2023-11-21 07:03:40.615 +01:00 [INF] DNS: Creating TXT Record '_acme-challenge.rd.mydomain.se' with value 'jPz-7S5WSM7Dl2xo3vRmWJqPTy8I3tDv_7nFUFI59TQ', [rd.mydomain.se]  using API provider 'Powershell/PoshACME DNS'
2023-11-21 07:03:42.199 +01:00 [INF] DNS: Powershell/PoshACME DNS :: Powershell Task Completed.
2023-11-21 07:05:12.593 +01:00 [INF] Resuming certificate request using CA: Let's Encrypt
2023-11-21 07:05:12.593 +01:00 [INF] Attempting challenge response validation for: rd.mydomain.se [dns]
2023-11-21 07:05:12.593 +01:00 [INF] [Progress] Checking automated challenge response for: rd.mydomain.se [dns]
2023-11-21 07:05:12.593 +01:00 [INF] Submitting challenge for validation: rd.mydomain.se [dns] 
2023-11-21 07:05:18.186 +01:00 [ERR] [Progress] Validation failed: rd.mydomain.se [dns] 
Response from Certificate Authority: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rd.mydomain.se - check that a DNS record exists for this domain [BadRequest :: urn:ietf:params:acme:error:dns]
2023-11-21 07:05:18.979 +01:00 [INF] DNS: Deleting TXT Record '_acme-challenge.rd.mydomain.se' :'jPz-7S5WSM7Dl2xo3vRmWJqPTy8I3tDv_7nFUFI59TQ', [rd.mydomain.se]  using API provider 'Powershell/PoshACME DNS'
2023-11-21 07:05:22.284 +01:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: rd.mydomain.se [dns] 
Response from Certificate Authority: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rd.mydomain.se - check that a DNS record exists for this domain [BadRequest :: urn:ietf:params:acme:error:dns]
2023-11-21 07:05:22.949 +01:00 [INF] Performing Post-Request (Deployment) Tasks..
2023-11-21 07:05:22.950 +01:00 [INF] Task [Deploy cert for RDS] :: Task is enabled but will not run because primary request unsuccessful.
2023-11-21 07:05:22.950 +01:00 [ERR] Deploy cert for RDS :: Task is enabled but will not run because primary request unsuccessful.
2023-11-21 07:08:01.349 +01:00 [INF] ---- Beginning Request [rd.mydomain.se] ----
2023-11-21 07:08:01.350 +01:00 [INF] Certify/6.0.12.0 (Windows; Microsoft Windows NT 10.0.20348.0) 
2023-11-21 07:08:01.350 +01:00 [INF] Beginning certificate request process: rd.mydomain.se using ACME provider Anvil
2023-11-21 07:08:01.350 +01:00 [INF] The selected Certificate Authority is: Let's Encrypt
2023-11-21 07:08:01.350 +01:00 [INF] Requested identifiers to include on certificate: rd.mydomain.se [dns]
2023-11-21 07:08:02.026 +01:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/1418938236/223715962756
2023-11-21 07:08:02.650 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/285952585406/LbvEuQ
2023-11-21 07:08:02.805 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/285952585406/hOWGAA
2023-11-21 07:08:02.957 +01:00 [INF] Preparing automated challenge responses for: rd.mydomain.se [dns]
2023-11-21 07:08:02.966 +01:00 [INF] DNS: Creating TXT Record '_acme-challenge.rd.mydomain.se' with value 'VHms4fAu9b7wTaPD-52dehraZzu5ryAzPrTo4TrS--w', [rd.mydomain.se]  using API provider 'Powershell/PoshACME DNS'
2023-11-21 07:08:04.537 +01:00 [INF] DNS: Powershell/PoshACME DNS :: Powershell Task Completed.
2023-11-21 07:10:05.045 +01:00 [INF] Resuming certificate request using CA: Let's Encrypt
2023-11-21 07:10:05.045 +01:00 [INF] Attempting challenge response validation for: rd.mydomain.se [dns]
2023-11-21 07:10:05.045 +01:00 [INF] [Progress] Checking automated challenge response for: rd.mydomain.se [dns]
2023-11-21 07:10:05.045 +01:00 [INF] Submitting challenge for validation: rd.mydomain.se [dns] 
2023-11-21 07:10:14.901 +01:00 [ERR] [Progress] Validation failed: rd.mydomain.se [dns] 
Response from Certificate Authority: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rd.mydomain.se - check that a DNS record exists for this domain [BadRequest :: urn:ietf:params:acme:error:dns]
2023-11-21 07:10:15.598 +01:00 [INF] DNS: Deleting TXT Record '_acme-challenge.rd.mydomain.se' :'VHms4fAu9b7wTaPD-52dehraZzu5ryAzPrTo4TrS--w', [rd.mydomain.se]  using API provider 'Powershell/PoshACME DNS'
2023-11-21 07:10:19.654 +01:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: rd.mydomain.se [dns] 
Response from Certificate Authority: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rd.mydomain.se - check that a DNS record exists for this domain [BadRequest :: urn:ietf:params:acme:error:dns]
2023-11-21 07:10:22.464 +01:00 [INF] Performing Post-Request (Deployment) Tasks..
2023-11-21 07:10:22.464 +01:00 [INF] Task [Deploy cert for RDS] :: Task is enabled but will not run because primary request unsuccessful.
2023-11-21 07:10:22.465 +01:00 [ERR] Deploy cert for RDS :: Task is enabled but will not run because primary request unsuccessful.

Test:
2023-11-21 07:31:37.081 +01:00 [INF] [Progress] All Tests Completed OK

Yes, you can try it manually by changing the DNS provider under Authorization to Manual DNS, then request your certificate and you will be prompted to create an _acme-challenge TXT record, then wait a couple of minutes and resume the request using Request Certificate again.

Regarding my comment about checking your DNS control panel while the app is waiting for the propagation delay (so the TXT record hasn't been cleaned up yet), I assume you have access to check that. Or use something like Dig (DNS lookup).

You can also check that your TXT record is resolving OK in a similar manner to how Let's Encrypt checks it, using https://unboundtest.com/ - if you set a long propagation delay like 240 seconds, then after a minute (while it's still waiting for the propagation delay and hasn't deleted the TXT records yet) check the results using unboundtest.

It's best to confirm that the TXT record is definitely visible and has the expected value; there is other in-depth Loopia API debugging that's possible. You could also manually try Home - Posh-ACME and use the Loopia plugin for that.

Note also that we have our own support community over at https://community.certifytheweb.com/ for Certify The Web specific issues with our community edition, and registered customers can open support tickets directly with support {at} certifytheweb.com, which can sometimes let us dig into more detail.
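The check recommended in the reply above (confirm the TXT record is visible with the expected value before the challenge is submitted) can be scripted on the Windows host running the client. This is an added example, not code from the thread, from Certify The Web or from Posh-ACME; it queries each authoritative nameserver of the zone directly, so it is run during the propagation delay, and it assumes the zone is mydomain.se (the record name and value are taken from the last log above).

```powershell
# Added example: verify the dns-01 TXT record on every authoritative nameserver.
# Run while the ACME client is still waiting for the propagation delay, because
# the record is deleted again as soon as validation fails.
param(
    [string]$RecordName = '_acme-challenge.rd.mydomain.se',          # from the log above
    [string]$Expected   = 'VHms4fAu9b7wTaPD-52dehraZzu5ryAzPrTo4TrS--w', # from the log above
    [string]$Zone       = 'mydomain.se'                                # assumed zone apex
)

# Authoritative nameservers for the zone, resolved over DNS only (no hosts file, no cache).
$nameservers = Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction Stop |
    Where-Object { $_.Type -eq 'NS' } |
    Select-Object -ExpandProperty NameHost

$allOk = $true
foreach ($server in $nameservers) {
    try {
        # Ask the authoritative server itself, so we see what Let's Encrypt's resolver will see
        # once caches expire, rather than a stale answer from a local recursive resolver.
        $answers = Resolve-DnsName -Name $RecordName -Type TXT -Server $server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' }
        # A TXT record may be split into several strings; join them before comparing.
        $values = @($answers | ForEach-Object { $_.Strings -join '' })

        if ($values -contains $Expected) {
            Write-Host "[OK]   $server returns the expected value"
        } else {
            $allOk = $false
            Write-Host "[MISS] $server returns: $($values -join ', ')"
        }
    } catch {
        # NXDOMAIN/SERVFAIL here is what the CA reported in the log above: the name does not
        # exist at the authority, so the record was written to the wrong zone or never written.
        $allOk = $false
        Write-Host "[FAIL] $server : $($_.Exception.Message)"
    }
}

if (-not $allOk) { exit 1 }
```

A name that is absent on every authoritative server (rather than missing on only some of them) points at the record being created somewhere other than the zone that actually serves rd.mydomain.se, and no propagation delay will fix that.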


Thank you so much. That was valuable information. I will start with a manual validation to see if there is any difference.

I appreciate all the help, and since I'm not particularly sharp on certificates, it helps me a lot.

