We are using DNS validation for the domains.
Once we place the order we get the values for the TXT record.
So it will take some time for a user to set the TXT record for the domain.
So once the TXT record is confirmed we need to instruct Let's Encrypt to validate the challenge.
So I need to retrieve the challenge from the URI or from the token. I am using the C# Certes.Acme library for this.
```csharp
// Account key saved earlier as PEM (placeholder: fill in the real key)
var pemKey = "<account key PEM>";
var keytDetails = KeyFactory.FromPem(pemKey);
var accountPemKey = keytDetails.ToPem();
var acme = new AcmeContext(WellKnownServers.LetsEncryptV2, keytDetails);
// This is a *challenge* URL (.../acme/challenge/...). AcmeContext.Authorization()
// expects the *authorization* URL (.../acme/authz/...), so fetching the challenge
// URL as an authorization yields no "challenges" array and Challenges() is empty.
var challengeUrl = @"https://acme-v02.api.letsencrypt.org/acme/challenge/CwW5hxSMP0DblPZT0A9hJO-JV3Dwfg3eFu4R4x5FfYE/18301162072";
// Use the authorization URL returned by order.Authorizations() instead
var authzUrl = "<authorization URL saved from order.Authorizations()>";
var authorizationDetails = acme.Authorization(new Uri(authzUrl));
var challenges = await authorizationDetails.Challenges();
```
I am not getting any challenge with this code. Please point me to any interface or method that will help me retrieve the challenge for the domain.
@_az that code is fine and I made it work. But the problem is that I have to delay the validation process. Meaning I have to show the TXT record to the user on the front end, and suppose the user takes 2 days to put it on their DNS server.
That means I have to retrieve the challenge from the token, URI or whatever details I have for the request, so that I can check the validation status once they are done, and if I get a valid status there then I will generate the CSR and get the certificate.
It’s no problem if you need to delay responding to the challenge for two days.
Let's Encrypt will keep the challenge waiting for you (for up to 7 days IIRC); you just need to remember to use the same challenge URL when the user tells you that they have deployed the TXT record.
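As an added example (not code from the thread or from the Certes project) of the two-phase flow _az describes, assuming the Certes 2.x API names shown and that the authorization URL from the order, not the challenge URL, is what gets persisted:

```csharp
// Added example (not from the thread or the Certes project): split DNS-01 into two
// phases so the user can deploy the TXT record hours or days later. Assumes Certes 2.x
// API names (AcmeContext, IAuthorizationContext.Dns(), IChallengeContext.Validate()).
using System;
using System.Linq;
using System.Threading.Tasks;
using Certes;
using Certes.Acme;
using Certes.Acme.Resource;

public static class DelayedDns01
{
    // Phase 1: create the order, derive the TXT value to show the user and return
    // the URLs that must be persisted (e.g. in the DB) to resume later.
    public static async Task<(string OrderUrl, string AuthzUrl, string TxtValue)> BeginAsync(string accountPem, string domain)
    {
        var acme = new AcmeContext(WellKnownServers.LetsEncryptV2, KeyFactory.FromPem(accountPem));
        var order = await acme.NewOrder(new[] { domain });
        var authz = (await order.Authorizations()).First();
        var dns = await authz.Dns();
        // Value for the _acme-challenge.<domain> TXT record: derived from account key + token
        var txt = acme.AccountKey.DnsTxt(dns.Token);
        return (order.Location.ToString(), authz.Location.ToString(), txt);
    }

    // Phase 2 (later, after the user confirms the record): rebuild the context from the
    // stored authorization URL (the /acme/authz/... URL, not the challenge URL), check
    // it is still pending, and only then ask Let's Encrypt to validate.
    public static async Task<bool> ResumeAsync(string accountPem, string authzUrl)
    {
        var acme = new AcmeContext(WellKnownServers.LetsEncryptV2, KeyFactory.FromPem(accountPem));
        var authz = acme.Authorization(new Uri(authzUrl));
        var auth = await authz.Resource();
        if (auth.Status == AuthorizationStatus.Valid) return true;    // already validated
        if (auth.Status != AuthorizationStatus.Pending) return false; // expired/invalid: create a new order
        var dns = await authz.Dns();
        await dns.Validate();
        // Poll until the CA reaches a final state, with a bounded wait
        for (var i = 0; i < 30; i++)
        {
            await Task.Delay(TimeSpan.FromSeconds(2));
            var status = (await dns.Resource()).Status;
            if (status == ChallengeStatus.Valid) return true;
            if (status == ChallengeStatus.Invalid) return false;
        }
        return false;
    }
}
```

Once `ResumeAsync` returns true, the stored order URL can be reopened with `acme.Order(new Uri(orderUrl))` to finalize the CSR and download the certificate.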
@_az That's great. Now I need a way in C#/.NET to retrieve the existing challenge from the URI. I tried the code below to get the challenge so that I can initiate the validation process. I also posted the same issue on https://github.com/fszlin/certes/issues/193 .
I have saved all the details like challenge URL, token and keyAuthz in the DB.
Is there any API I can hit to initiate the validation process? With the code below I am not able to get the existing challenge.
```csharp
// Account key saved earlier as PEM (placeholder: fill in the real key)
var pemKey = "<account key PEM>";
var keytDetails = KeyFactory.FromPem(pemKey);
var accountPemKey = keytDetails.ToPem();
var acme = new AcmeContext(WellKnownServers.LetsEncryptV2, keytDetails);
// Challenge URL saved in the DB. AcmeContext.Authorization() needs the
// authorization URL (.../acme/authz/...); passing a challenge URL returns
// a challenge object with no "challenges" array, so Challenges() is empty.
var challengeUrl = @"https://acme-v02.api.letsencrypt.org/acme/challenge/eswXZ2EfrXlpg5UDyooHs7qm_z3i1dWPZ19uWwSJGNk/18335479490";
var authzUrl = "<authorization URL saved from order.Authorizations()>";
var authoDet = acme.Authorization(new Uri(authzUrl));
var challenges = await authoDet.Challenges();
```
You might not receive much more of a response on this forum when the library you are using has laid out the process and documentation as clearly as certes has. We can't do that work for you in that regard, sorry.
@eggsampler I understand https://github.com/fszlin/certes#validate, but the problem is that I am not able to retrieve the challenge object from the URL. I can only call the validate method below once I have the challenge.
```csharp
await challenge.Validate();
```
Let me know if there is any REST API for the validate method from Let's Encrypt; otherwise I think only the developers from Certes can help here. I have a ticket with them but am still waiting for their response.
@jagjit, based on how frequently you're tagging forum members to follow up on your outstanding questions, it seems like you have some tight time constraints on your hands. I would strongly suggest you consider using an out-of-the-box ready ACME client (Certbot, Lego, acme.sh, etc.) instead of a general purpose library if this is the case. You can likely achieve your goal much faster. As a side note, frequently @-mentioning folks to reply to your messages can be construed as impatient or overly demanding in a forum staffed primarily by volunteers. Please try to do as much leg-work as you can (carefully reading documentation, etc.) and allow reasonable time (a day or more) to elapse before you assume your thread has been abandoned.
Sure, my friend, much appreciated for your time and understanding. Actually we have a system where we have already made it work with HTTP validation, but because AWS changed their policy to not allow adding CNAMEs in CloudFront without SSL, we are under pressure to make it work with the new approach, DNS, ASAP.
But I respect all of your suggestions here, and now we will spend more time on this to build it in a new way and will explore more from our end. We'll try to check each document carefully, and if we are still stuck we will get back to you.
Again, really thankful to the entire team from Let's Encrypt.
By the way, I really do recommend that you get in touch with Amazon Support. I think they are very interested to hear that their policy changes are causing problems for their customers and will be eager to work with you on finding a good solution.
We have one question related to the DNS validation approach. On SSL renewal, do we always get a new TXT record, meaning every time we renew a domain we have to visit our DNS server and put the TXT record there?