Having a problem issuing a certificate via the http-01 challenge with a central validation server. We host about 50 sites across a number of load balanced servers. We don’t have direct control over most of our clients’ domains so we have them use a validation subdomain with an A record which then responds to the challenge.
Everything has been working great for some time now, but I have one client that I’ve been trying to issue a cert for over the last two days that doesn’t seem to be working, and it looks like it’s because the verification servers on LE’s end don’t seem to be picking up the DNS updates.
So, if I run:

```
dig domain-validation.CLIENT-DOMAIN.com A
```

I see:

```
;; ANSWER SECTION:
domain-validation.CLIENT-DOMAIN.com. 60 IN A XX.XX.XX.XX
```

Where XX.XX.XX.XX is the correct IP address and was set a few days ago.
I run the command

```
sudo certbot certonly --manual \
  --manual-auth-hook /etc/letsencrypt/hooks/oK2el1w3t99aLal1KRwnr81gi \
  --preferred-challenges http --manual-public-ip-logging-ok \
  -w /srv/www/XXX -d www.CLIENT-DOMAIN.com \
  -d CLIENT-DOMAIN.com -n
```
And I get:

```
Failed authorization procedure.
www.CLIENT-DOMAIN.com
(http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain-validation.CLIENT-DOMAIN.com/fE76oevmsIqhoum2a--U-KNXw-X3X8rAxeK6eiKFz1o
[2607:f1c0:1000:60a7:2b3b:79ac:2607:700e]: "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <style type=\"text/css\">\n html, body, #partne",
CLIENT-DOMAIN.com
(http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain-validation.CLIENT-DOMAIN.com/-9r5c3Gf0tIy901_ngEDlzpZRjGYPeG_jahzGif5WfE
[2607:f1c0:1000:60a7:2b3b:79ac:2607:700e]: "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <style type=\"text/css\">\n html, body, #partne"
```
So, here’s the weird thing: That IPv6 address is not the address for my server, nor is that the right HTML that would be seen from any of my machines. I traced that IPv6 address to a non-functional domain.
I can successfully load http://domain-validation.CLIENT-DOMAIN.com/-9r5c3Gf0tIy901_ngEDlzpZRjGYPeG_jahzGif5WfE
on my local machine, my test machines, my C2 machine, all my remote servers.
I’m at a loss here. At first I thought it was because the DNS hadn’t propagated yet, but it seems like over 36 hours is plenty of time. Anyone have any ideas?
edit: readability
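An added check, not from the post above, that lists every A and AAAA record a validation hostname resolves to and flags any address that is not one of the load-balanced servers; the error output shows the validator reaching an IPv6 address, so a stray AAAA record is the first thing this rules in or out. The hostname, addresses and expected-IP set are constructed placeholders, and a "dig A" query alone would never show such a record.

```python
import ipaddress
import socket
import sys

# Constructed sample table (hostname and addresses are placeholders, not the
# poster's): the expected A record plus a stray AAAA record nobody intended.
SAMPLE_RECORDS = {
    "domain-validation.client-domain.example": [
        ("A", "203.0.113.10"),
        ("AAAA", "2001:db8:1000:60a7::700e"),
    ],
}
# Addresses of the load-balanced servers that actually answer the challenge.
EXPECTED_IPS = {"203.0.113.10"}

def lookup(host, records=None):
    """Return [(rrtype, ip)] for host from the supplied table or the system resolver.

    Caveat: getaddrinfo uses the local resolver (caches, /etc/hosts); the ACME
    validator queries authoritative DNS, so a stale cache can hide a difference.
    """
    if records is not None:
        return list(records.get(host, []))
    found = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        found.add(("AAAA" if family == socket.AF_INET6 else "A", sockaddr[0]))
    return sorted(found)

def check_validation_host(host, expected_ips, records=None):
    """Split the host's addresses into 'ok' (ours) and 'stray' (not ours).

    A stray AAAA record is the case to look for: when one exists the validator
    connects over IPv6 first, so a wrong AAAA wins over a correct A record.
    """
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    result = {"ok": [], "stray": []}
    for rrtype, ip in lookup(host, records):
        bucket = "ok" if ipaddress.ip_address(ip) in expected else "stray"
        result[bucket].append((rrtype, ip))
    return result

if __name__ == "__main__":
    # With a hostname argument the live resolver is used; otherwise the sample table.
    live = len(sys.argv) > 1
    host = sys.argv[1] if live else next(iter(SAMPLE_RECORDS))
    report = check_validation_host(host, EXPECTED_IPS, None if live else SAMPLE_RECORDS)
    for rrtype, ip in report["ok"] + report["stray"]:
        tag = "ok   " if (rrtype, ip) in report["ok"] else "STRAY"
        print(f"{tag} {rrtype:4} {host} -> {ip}")
```

Run it with the real validation hostname as the argument (after putting the servers' addresses in EXPECTED_IPS) and any STRAY line is a record the challenge response cannot come from.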