I can see TOKEN, but validation failed (I'm using dehydrated, dns-01)

Hello Let's Encrypt Community! :smiley:

The first time I ran it (November last year) it was successful, but when I ran it today to renew my certificate I got an error. I wish I could find a clue to the solution. Thank you.

My domain is: (This is the contents of the file domains.txt. )
certio.co.jp, *.certio.co.jp

I ran this command: (I am root user.)
./dehydrated --cron --challenge dns-01 --hook ./hook.sh

It produced this output:
```
# INFO: Using main config file /opt/dehydrated/config
Processing certio.co.jp with alternative names: *.certio.co.jp

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Feb 24 08:09:52 2021 GMT (Less than 30 days). Renewing!
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
  • Received 2 authorizations URLs from the CA
  • Handling authorization for certio.co.jp
  • Found valid authorization for certio.co.jp
  • Handling authorization for certio.co.jp
  • 1 pending challenge(s)
  • Deploying challenge tokens...
  • Responding to challenge for certio.co.jp authorization...
  • Cleaning challenge tokens...
  • Challenge validation has failed :frowning:
    ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "dns-01"
    ["status"] "invalid"
    ["error","type"] "urn:ietf:params:acme:error:dns"
    ["error","detail"] "During secondary validation: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.certio.co.jp - check that a DNS record exists for this domain"
    ["error","status"] 400
    ["error"] {"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.certio.co.jp - check that a DNS record exists for this domain","status":400}
    ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10964587222/aSnn-g"
    ["token"] "CMZBpR9ZzsghDXJBQ_17w4bnIHedJnAEUhsdHcExJlw"
    ["validationRecord",0,"hostname"] "certio.co.jp"
    ["validationRecord",0] {"hostname":"certio.co.jp"}
    ["validationRecord"] [{"hostname":"certio.co.jp"}])
```

My web server is (include version):
I'm using dns-01 so I don't think it matters.

My hosting provider, if applicable, is:
myself

The operating system my web server runs on is (include version):
# ./dehydrated --version
# INFO: Using main config file /opt/dehydrated/config
Dehydrated by Lukas Schauer
https://dehydrated.io

Dehydrated version: 0.7.1
GIT-Revision: 589e9f30b383751a927d745e83c0c53bf42a195c

OS: CentOS release 5.4 (Final)
Used software:
 bash: 3.2.25(1)-release
 curl: 7.58.0
 awk: GNU Awk 3.1.5
 sed: GNU sed 4.1.5
 mktemp: mktemp version 1.5
 grep: grep (GNU grep) 2.5.1
 diff: diff (GNU diffutils) 2.8.1
 openssl: OpenSSL 1.0.2n  7 Dec 2017

I can login to a root shell on my machine (yes or no, or I don't know):
yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am using dehydrated.


I ran the following command every 2 seconds.
I can see TOKEN: "ASBA6Z2VAFMmy7dvtVElTlKbY6CS0-c8JeeTfpMsDLQ"
At this point, deploy_challenge() in hook.sh received the following parameters.
DOMAIN: certio.co.jp
TOKEN_FILENAME: CMZBpR9ZzsghDXJBQ_17w4bnIHedJnAEUhsdHcExJlw
TOKEN_VALUE: ASBA6Z2VAFMmy7dvtVElTlKbY6CS0-c8JeeTfpMsDLQ

command:
# dig -t TXT _acme-challenge.certio.co.jp @dns.certio.co.jp
results:
; <<>> DiG 9.10.6 <<>> -t TXT _acme-challenge.certio.co.jp @dns.certio.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56863
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;_acme-challenge.certio.co.jp.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.certio.co.jp. 300 IN	TXT	"ASBA6Z2VAFMmy7dvtVElTlKbY6CS0-c8JeeTfpMsDLQ"

;; AUTHORITY SECTION:
certio.co.jp.		259200	IN	NS	dns.certio.co.jp.

;; ADDITIONAL SECTION:
dns.certio.co.jp.	259200	IN	A	218.219.158.105

;; Query time: 82 msec
;; SERVER: 218.219.158.105#53(218.219.158.105)
;; WHEN: Thu Feb 18 17:50:33 JST 2021
;; MSG SIZE  rcvd: 136

Thanks in advance,

makai

2 Likes

You have a second nameserver registered for your domain:

certio.co.jp.           86400   IN      NS      ns.edit.ne.jp.
  1. Is this other nameserver's zonefile also being updated with the TXT record?
  2. If so, are you sleeping a sufficient duration of time to allow for any replication lag?
3 Likes

Hi @_az ,
Thanks for your comment. :smiley:

I didn't have enough consideration from that point of view.
Let's check our environment.

3 Likes

The problem is solved! :smiley:
Thanks to Let's Encrypt Community.

The following is the resolved procedure.

  1. Add TOKEN_VALUE as a TXT record.
  2. Send DNS NOTIFY to the secondary nameserver.
    I used this script.
    GitHub - hirose31/send-dns-notify: send DNS NOTIFY message
  3. sleep 10
  4. Confirm that the TOKEN is included with the following command
    host -r -t txt DOMAIN SecondaryNS | grep TOKEN_VALUE

The important thing was "2."
:beers:

5 Likes
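The failure in the opening post ("During secondary validation: ... NXDOMAIN") and the four-step fix above boil down to one rule: Let's Encrypt validates from several vantage points, so the token has to be visible on every authoritative nameserver, not just the primary you queried with dig. The hook below is an added example, not the poster's hook.sh and not code from dehydrated or send-dns-notify. It publishes the record, then polls each authoritative server directly (bypassing any recursive resolver cache) and only returns to dehydrated once all of them answer with the token. Everything in it is assumed rather than taken from the thread: the primary is assumed to accept RFC 2136 dynamic updates via `nsupdate` with a TSIG key at a placeholder path (a BIND primary with notify enabled then sends NOTIFY to its secondaries on each update, which is the step the poster found essential); `NSUPDATE_KEY`, `PRIMARY_NS`, the helper names, the `NS_LOOKUP`/`TXT_LOOKUP` override hooks, and the example.test names are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the poster's hook.sh: a dehydrated dns-01 hook whose
# deploy_challenge returns only once EVERY authoritative nameserver of the
# zone serves the token, so a lagging secondary cannot fail Let's Encrypt's
# multi-vantage-point ("secondary") validation.
# Assumptions (not from the thread): the primary accepts RFC 2136 updates via
# nsupdate with a TSIG key at the placeholder path below; NS/TXT lookups use
# dig; DOMAIN is the zone apex (any leading "*." is stripped to be safe).
set -u

NSUPDATE_KEY=${NSUPDATE_KEY:-/etc/dehydrated/acme-update.key}  # placeholder path
PRIMARY_NS=${PRIMARY_NS:-dns.example.test}                      # placeholder primary

# Authoritative nameservers of a zone, one per line (override with NS_LOOKUP in tests).
lookup_ns() { dig +short NS "$1" | sed 's/\.$//'; }

# TXT strings for name $2 as answered by nameserver $1 (raw, quoted dig output).
# Asking each server directly avoids a recursive resolver's cache hiding a
# server that does not have the record yet (override with TXT_LOOKUP in tests).
lookup_txt() { dig +short -t TXT "$2" "@$1"; }

# txt_present NS FQDN VALUE -> 0 if that server serves exactly VALUE, else 1
txt_present() {
  "${TXT_LOOKUP:-lookup_txt}" "$1" "$2" | tr -d '"' | grep -qxF -- "$3"
}

# wait_for_txt ZONE FQDN VALUE [MAX_TRIES] [INTERVAL]
# Returns 0 once all authoritative servers answer VALUE; returns 1 when the
# budget is exhausted (listing the servers still missing it) or no NS is found.
wait_for_txt() {
  local zone=$1 fqdn=$2 value=$3 max=${4:-30} interval=${5:-5}
  local servers tries=0 missing ns
  servers=$("${NS_LOOKUP:-lookup_ns}" "$zone")
  if [ -z "$servers" ]; then
    echo "wait_for_txt: no NS records found for $zone" >&2
    return 1
  fi
  while :; do
    missing=""
    for ns in $servers; do
      txt_present "$ns" "$fqdn" "$value" || missing="$missing $ns"
    done
    [ -z "$missing" ] && return 0
    tries=$((tries + 1))
    if [ "$tries" -ge "$max" ]; then
      echo "wait_for_txt: TXT $fqdn still missing on:$missing" >&2
      return 1
    fi
    sleep "$interval"
  done
}

# publish_txt FQDN VALUE add|delete: RFC 2136 update sent to the primary.
# With "notify yes" a BIND primary then sends NOTIFY to its secondaries.
publish_txt() {
  local fqdn=$1 value=$2 action=$3 ttl=""
  [ "$action" = add ] && ttl="60 "
  nsupdate -k "$NSUPDATE_KEY" <<EOF
server $PRIMARY_NS
update $action $fqdn. ${ttl}IN TXT "$value"
send
EOF
}

# dehydrated hook entry points (argument order as dehydrated passes it)
deploy_challenge() {
  local domain=$1 token_filename=$2 token_value=$3
  local zone=${domain#\*.} fqdn="_acme-challenge.${domain#\*.}"
  publish_txt "$fqdn" "$token_value" add
  wait_for_txt "$zone" "$fqdn" "$token_value"   # non-zero return fails the challenge early
}

clean_challenge() {
  local domain=$1 token_filename=$2 token_value=$3
  publish_txt "_acme-challenge.${domain#\*.}" "$token_value" delete
}

# Dispatch like dehydrated's example hook; other hook names are ignored.
case "${1:-}" in
  deploy_challenge|clean_challenge) "$@" ;;
esac
```

The check is stricter than step 4 of the fix above in one respect: instead of querying a single known secondary after a fixed `sleep 10`, it discovers the NS set from DNS, so a nameserver added later (or a forgotten one like the ns.edit.ne.jp entry that caused this thread) is covered automatically, and it keeps polling with a bounded budget rather than assuming replication finished within a guessed delay.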