Hello,
For at least one customer, it happens that the domains they create are validated successfully by our application; however, when it comes to the LE validation, sometimes it is not validated by Let's Encrypt.
Here is the timeline for the problem for domain nyebuickgmc.com:
- at 2021-02-18T16:30:29,971 domain is still not validated on our side.
- at 2021-02-18T16:53:41,797 domain was validated on our side using 2 name servers: dns102.register.com., dns101.register.com.
- we initiate validation call to LE
time: 2021-02-18T16:53:41,842
uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/10899687020/rheA5A
inputData: '"{\"type\":\"dns-01\",\"keyAuthorization\":\"U2gSjnYjpFB5ToAVDhjNCJ8_14GhDXGib4AKc7pU9nw.NLDLvhNs-PphLmua-tmwqzgbPpUlW-GEBkyoUKiF_Yw\",\"resource\":\"challenge\"}"'
responseCode: '200'
headers: HttpHeaders({date=[Thu, 18 Feb 2021 16:53:41 GMT], server=[nginx], content-length=[185],
x-frame-options=[DENY], link=[<https://acme-v02.api.letsencrypt.org/directory>;rel="index",
<https://acme-v02.api.letsencrypt.org/acme/authz-v3/10899687020>;rel="up"], content-type=[application/json],
connection=[keep-alive], location=[https://acme-v02.api.letsencrypt.org/acme/chall-v3/10899687020/rheA5A],
boulder-requester=[131], cache-control=[public, max-age=0, no-cache], strict-transport-security=[max-age=604800],
replay-nonce=[0104neLSz28v3S90SkPFHmGwtMnZy2rOz_JOtPsGX-2kVRM]})
response: '{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/10899687020/rheA5A","token":"U2gSjnYjpFB5ToAVDhjNCJ8_14GhDXGib4AKc7pU9nw"}'
data: None
- LE returns that domain validation is in the pending state; we wait 5 seconds to get the updated status
time: 2021-02-18T16:53:46,968
uri: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10899687020
responseCode: '200'
headers: HttpHeaders({date=[Thu, 18 Feb 2021 16:53:46 GMT], server=[nginx], content-length=[551],
x-frame-options=[DENY], link=[<https://acme-v02.api.letsencrypt.org/directory>;rel="index"],
content-type=[application/json], connection=[keep-alive], cache-control=[public,
max-age=0, no-cache], strict-transport-security=[max-age=604800]})
response: '{"identifier":{"type":"dns","value":"nyebuickgmc.com"},"status":"invalid","expires":"2021-02-22T21:19:24Z","challenges":[{"type":"dns-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"No
TXT record found at _acme-challenge.nyebuickgmc.com","status":403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/10899687020/rheA5A","token":"U2gSjnYjpFB5ToAVDhjNCJ8_14GhDXGib4AKc7pU9nw"}]}'
data: None
- This time we get status invalid.
Now my question is: can you help explain why such a situation could happen, that after successful validation on our side, LE cannot confirm this domain? Which servers were used for the validation and what were the responses?
We are looking for suggestions on how to avoid similar situations in the future.
Thanks,
Michal
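
One pre-flight check a client can run before posting to the challenge URL, as an added example that is not part of the original post or of any ACME client: it derives the dns-01 TXT value from the key authorization shown in the log (RFC 8555 section 8.4) and requires every authoritative name server to already serve it. The function names and the per-server answers are assumptions; the answers are constructed sample data, not what the register.com servers returned.

```python
import base64
import hashlib

# Key authorization copied from the inputData field of the log in the post.
KEY_AUTHORIZATION = ("U2gSjnYjpFB5ToAVDhjNCJ8_14GhDXGib4AKc7pU9nw."
                     "NLDLvhNs-PphLmua-tmwqzgbPpUlW-GEBkyoUKiF_Yw")


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: unpadded base64url of SHA-256(key authorization)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _normalize(txt: str) -> str:
    """Strip whitespace and the quotes that dig-style output puts around TXT data."""
    return txt.strip().strip('"')


def ready_for_challenge(expected: str, answers_by_ns: dict) -> tuple:
    """Return (ready, lagging): ready only if every listed server serves `expected`.

    answers_by_ns maps a name server to the TXT strings it returned for
    _acme-challenge.<domain>; collecting those answers is left to the caller.
    """
    lagging = sorted(
        ns for ns, txts in answers_by_ns.items()
        if expected not in {_normalize(t) for t in txts}
    )
    # An empty map means nothing was checked, so it is never "ready".
    return (bool(answers_by_ns) and not lagging, lagging)


if __name__ == "__main__":
    expected = dns01_txt_value(KEY_AUTHORIZATION)
    # Constructed sample: one server has the record, the other returns nothing yet.
    sample = {
        "dns101.register.com.": ['"%s"' % expected],
        "dns102.register.com.": [],
    }
    ready, lagging = ready_for_challenge(expected, sample)
    print("expected TXT:", expected)
    print("ready:", ready, "lagging:", lagging)
```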