How to retrieve the challenge for DNS validation?

Hi,

We are using DNS validation for the domains.
Once we place the order we get the values for the TXT record.
It will take some time for a user to set the TXT record for the domain.
Once the TXT record is confirmed we need to instruct Let's Encrypt to validate the challenge.
So I need to retrieve the challenge from the URI or from the token. I am using the C# Certes.Acme library for this.

        // account key loaded from its PEM text
        var keytDetails = KeyFactory.FromPem(pemKey);
        var accountPemKey = keytDetails.ToPem();
        var acme = new AcmeContext(WellKnownServers.LetsEncryptV2, keytDetails);
        // note: this is a challenge URL, while AcmeContext.Authorization(Uri) takes an authorization URL
        var url = @"https://acme-v02.api.letsencrypt.org/acme/challenge/CwW5hxSMP0DblPZT0A9hJO-JV3Dwfg3eFu4R4x5FfYE/18301162072";
        var uri = new Uri(url);
        var authorizationDetails = acme.Authorization(uri);
        var challenges = await authorizationDetails.Challenges();   // must run inside an async method

I am not getting any challenge with this code. Please provide me with any interface or method that will help me retrieve the challenge for the domain.

Can anyone please check it for me? I need to make it work asap.

You might have better luck posting an issue directly in the Certes project.

Most of the expertise on this forum is for Let’s Encrypt provided software like certbot. Certes is a third-party library.

2 Likes

There’s literally an example of DNS-01 TXT record calculation on the project home page: https://github.com/fszlin/certes#order

@_az that code is fine and I made it work. But the problem is that I have to delay the validation process, meaning I have to show the TXT record to the user on the front end, and suppose the user takes 2 days to put it on their DNS server.
That means I have to retrieve the challenge from the token, URI or whatever details I have for the request, so that I can check the validation status once they have done it, and if I get the valid status there then I will generate the CSR and get the certificate.

It’s no problem if you need to delay responding to the challenge for two days.

Let’s Encrypt will keep the challenge waiting for you (for up to 7 days IIRC), you just need to remember to use the same challenge URL when the user tells you that they have deployed the TXT record.

1 Like
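The two-phase flow _az describes, as an added example (not code from the posts above or from the Certes project): phase one creates the order and hands the TXT value to the user, phase two runs days later against the stored URL. It uses the Certes calls already named in this thread plus `order.Authorizations()`, `authz.Dns()`, `acme.AccountKey.DnsTxt()` and `Resource()` from the project README; the key assumption is that what gets persisted is the authorization URL (`authz.Location`), since `AcmeContext.Authorization(Uri)` expects an authorization resource, and the poll limit and delay are arbitrary choices.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Certes;
using Certes.Acme;
using Certes.Acme.Resource;

public static class DelayedDnsValidation
{
    // Phase 1: create the order and return what the UI must show and what the DB must keep.
    public static async Task<(Uri OrderUrl, Uri AuthzUrl, string TxtValue)> StartDnsOrderAsync(
        IAcmeContext acme, string domain)
    {
        var order = await acme.NewOrder(new[] { domain });
        var authz = (await order.Authorizations()).First();   // one identifier, one authorization
        var dnsChallenge = await authz.Dns();
        // Value for the _acme-challenge.<domain> TXT record:
        // base64url(SHA-256(token + "." + accountKeyThumbprint)), per RFC 8555 section 8.4.
        var txtValue = acme.AccountKey.DnsTxt(dnsChallenge.Token);
        return (order.Location, authz.Location, txtValue);
    }

    // Phase 2: reload the pending authorization from the stored URL, ask the CA to
    // validate, then poll until the challenge leaves pending/processing.
    // Returns null if it is still undecided after the polling budget.
    public static async Task<ChallengeStatus?> ValidateStoredDnsChallengeAsync(
        IAcmeContext acme, Uri authzUrl)
    {
        var authz = acme.Authorization(authzUrl);
        var authzResource = await authz.Resource();
        // The CA only keeps the authorization for a limited time; after that a new order is needed.
        if (authzResource.Expires is DateTime expires && expires < DateTime.UtcNow)
            throw new InvalidOperationException("Authorization expired; create a new order.");

        var dnsChallenge = await authz.Dns();
        await dnsChallenge.Validate();                         // tells Let's Encrypt to go check DNS
        for (var attempt = 0; attempt < 10; attempt++)         // arbitrary polling budget
        {
            var challenge = await dnsChallenge.Resource();
            if (challenge.Status != ChallengeStatus.Pending &&
                challenge.Status != ChallengeStatus.Processing)
                return challenge.Status;                       // Valid or Invalid
            await Task.Delay(TimeSpan.FromSeconds(3));
        }
        return null;
    }
}
```

Once `ValidateStoredDnsChallengeAsync` returns `ChallengeStatus.Valid`, the order can be finalised with `acme.Order(orderUrl)` and a CSR, as in the README's order example.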

@_az That’s great. Now I need a way in C#.Net to retrieve the existing challenge from the URI. I tried the below code to get the challenge so that I can initiate the validation process. I also posted the same issue on https://github.com/fszlin/certes/issues/193 .

I have saved all the details like challenge URL, token and keyAuthz in the db.

Is there any API which I can hit to initiate the validation process? With the below code I am not able to get the existing challenge.

        var pemKey = "";   // PEM text of the account key, omitted here
        var keytDetails = KeyFactory.FromPem(pemKey);
        var accountPemKey = keytDetails.ToPem();
        var acme = new AcmeContext(WellKnownServers.LetsEncryptV2, keytDetails);
        // note: this is a challenge URL, while AcmeContext.Authorization(Uri) takes an authorization URL
        var url = @"https://acme-v02.api.letsencrypt.org/acme/challenge/eswXZ2EfrXlpg5UDyooHs7qm_z3i1dWPZ19uWwSJGNk/18335479490";
        var uri = new Uri(url);
        var authoDet = acme.Authorization(uri);
        var challenges = await authoDet.Challenges();   // must run inside an async method

@_az @jsha Can you please take a look at this, as I have to finish this task asap.

Yes: GitHub - fszlin/certes: A client implementation for the Automated Certificate Management Environment (ACME) protocol

You might not receive much more of a response on this forum when the library you are using has laid out the process and documentation as clearly as certes has. We can't do that work for you in that regard, sorry.

If you want to understand this process more the ACME RFC lays it out in a much more detailed manner: RFC 8555 - Automatic Certificate Management Environment (ACME)

2 Likes

@eggsampler I understand https://github.com/fszlin/certes#validate, but the problem is that I am not able to retrieve the challenge object from the URL. I can only call the below validate method once I have the challenge.

await challenge.Validate();

Let me know if there is any REST API for the validate method from Let’s Encrypt; otherwise I think only the developers from Certes can help here. I have a ticket with them but am still waiting for their response.

@jagjit, Based on how frequently you're tagging forum members to follow-up on your outstanding questions it seems like you have some tight time constraints on your hands. I would strongly suggest you consider using an out-of-the-box ready ACME client (Certbot, Lego, acme.sh, etc) instead of a general purpose library if this is the case. You can likely achieve your goal much faster. As a side-note, frequently @-mentioning folks to reply to your messages can be construed as impatient or overly demanding in a forum staffed primarily by volunteers. Please try to do as much leg-work as you can (carefully reading documentation, etc) and allow reasonable time (a day or more) to elapse before you assume your thread has been abandoned :slight_smile:

Thanks!

1 Like

As previously mentioned the only API is the one described in RFC 8555: RFC 8555 - Automatic Certificate Management Environment (ACME)

Sure my friend, much appreciated for your time and understanding. Actually we have a system where we have made it work already with HTTP validation, but because AWS changed their policy to not allow adding CNAMEs in CloudFront without SSL, we are under pressure to make it work with the new approach like DNS asap.
But I respect all of your suggestions here, and now we will spend more time on this to build it in a new way and will explore more from our end. We will try to check each document carefully, and if we still have problems we will get back to you.

Again, really thankful to the entire team from Let’s Encrypt.

2 Likes

By the way, I really do recommend that you get in touch with Amazon Support. I think they are very interested to hear that their policy changes are causing problems for their customers and will be eager to work with you on finding a good solution.

1 Like

We have one question related to the DNS validation approach. On SSL renewal, do we always get a new TXT record, meaning every time we are renewing a domain we have to visit our DNS server and put the TXT record there?

Hi @Jagjit

every new order has new challenges with a new token. So the keyAuthorization changes -> so a new TXT entry is required.

Only thing: valid challenges are cached for 30 days. But if you renew a certificate after 60 days, you have to add / change the DNS TXT entry.

Read
