But checking your domain manually, there is a refused answer.
D:\>nslookup -type=TXT zigtest6.digiinovation.net. ns-1308.awsdns-35.org.
*** zigtest6.digiinovation.net. wurde von UnKnown nicht gefunden: Query refused.
Must check later, why check-your-website doesn't show that refused answer.
acme4j does not set up the DNS server itself. It is the responsibility of the invoker to set up everything that is required for fulfilling the challenge. In this case, the invoker must set the TXT record. It's just because there is no standard way to set DNS records, it may be anything from invoking a command line tool to writing into a database.
acme4j also does not perform any pre-checks. As soon as challenge.trigger() is invoked, the request is immediately sent to the ACME server, and the challenge is being verified.
It might be a timing issue. I don't know how the DNS TXT record is set here, but maybe it is an asynchronous process that was fast enough by a lucky chance, but isn't now. I'd just try a Thread.sleep(1000) before invoking challenge.trigger(), to find out if it's timing related.
If it doesn't help, I'd set a breakpoint before challenge.trigger(), and manually check if the TXT record is present and valid.
Thanks @shred and everyone who is trying to help here.
I have already tried the sleep and the debug… just to clarify, everything worked well before the issue in the staging env…
Therefore, I don't think it's a timing issue. I suspect that it might be connected to some limit…
Do you know when the limits reset?
If it’s any help: I have just tried to get a certificate from staging via DNS challenge. It was successful. So at least, it should work with the latest acme4j.
Is the error actually coming from acme4j or the staging server? Do you have a stack trace?
Edit: I could reproduce this error message when I tried a DNS challenge without setting the TXT record. It really seems that the staging server is unable to retrieve your TXT record, for whatever reason…
If the problem were related to reaching a rate limit there would be an explicit and clear error problem returned that would indicate that. I don't think rate limiting is likely to be the case here.
There haven't been any changes in the staging environment's DNS resolution that I expect would have caused a change in behaviour.
trying to order a certificate with the following domain “*.ZigTest6.digiinnovation.net”.
Are you ordering a certificate with just that domain, or also the base domain without the wildcard, ZigTest6.digiinnovation.net?
Next thing I tried is to get a certificate for zigtest6.digiinnovation.net via DNS challenge. It is supposed to fail because I would use a different digest, but I wondered if I would also get the “DNS problem” error.
However, the error was Incorrect TXT record "xph_bNK_bloZpIVjxL5NSU-0vGa8kkv8iW42iRsOCwk" found at _acme-challenge.zigtest6.digiinnovation.net, as expected.
It really seems that there is no TXT record at the time the staging server tries to verify the challenge.
I tried again, but now with a bigger sleep time of 10 seconds and it worked.
So, you were right. Sorry for the hassle…
And many thanks for your help! @shred @cpu @mnordhoff @JuergenAuer
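Instead of the fixed Thread.sleep() before challenge.trigger() that resolved the thread above, a more robust approach is to poll the zone's authoritative nameserver until the TXT record is actually visible, and only then trigger. This is an added example written for this thread, not acme4j's code or any poster's; it assumes the invoker has already published the record through its own DNS provider (outside acme4j), and that the domain and the authoritative nameserver hostname are passed in by the caller.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.InitialDirContext;
import org.shredzone.acme4j.challenge.Dns01Challenge;

// Added example (not acme4j code): pre-check the TXT record on the authoritative
// nameserver before asking the ACME server to validate the dns-01 challenge.
public final class Dns01Precheck {

    /** Ask one specific nameserver (not the local resolver) for TXT records of `name`. */
    static boolean txtRecordVisible(String nameserver, String name, String expected) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        env.put("java.naming.provider.url", "dns://" + nameserver);
        try {
            Attributes attrs = new InitialDirContext(env).getAttributes(name, new String[] {"TXT"});
            Attribute txt = attrs.get("TXT");
            if (txt == null) return false;
            for (int i = 0; i < txt.size(); i++) {
                // JNDI may return the rdata with surrounding quotes; the digest itself has none.
                if (expected.equals(txt.get(i).toString().replace("\"", ""))) return true;
            }
            return false;
        } catch (NamingException e) {
            return false; // NXDOMAIN, REFUSED (as seen in the nslookup above) or timeout: not there yet
        }
    }

    /** Poll until the record is visible on the authoritative server or the deadline passes. */
    static boolean waitForTxtRecord(String nameserver, String name, String expected, Duration timeout)
            throws InterruptedException {
        Instant deadline = Instant.now().plus(timeout);
        while (Instant.now().isBefore(deadline)) {
            if (txtRecordVisible(nameserver, name, expected)) return true;
            Thread.sleep(2000);
        }
        return false;
    }

    /** Call after the invoker has published the TXT record for `domain` via its DNS provider. */
    static void triggerWhenVisible(Dns01Challenge challenge, String domain, String nameserver)
            throws Exception {
        String rrName = "_acme-challenge." + domain;      // record name the ACME server queries
        String digest = challenge.getDigest();            // value that must be in the TXT record
        if (!waitForTxtRecord(nameserver, rrName, digest, Duration.ofMinutes(2))) {
            throw new IllegalStateException("TXT record for " + rrName + " not visible at " + nameserver);
        }
        challenge.trigger(); // only now does the ACME server start validating
    }
}
```

Checking the authoritative server directly, rather than the local resolver, avoids a stale negative cache hiding a record that the DNS provider has already published.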