Incorrect TXT record error even after the token matches

My domain is: _acme-challenge.staging10.sixsense.ai

I modified the code from GitHub - diafygi/acme-tiny (a tiny script to issue and renew TLS certs from Let's Encrypt) to suit my purpose. I can add that here as well if required.

You can view this Challenge URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/156736752777/SaJavw.

The response is:

{
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"n_hJr-MdFaQenA6va0-NSVXDBdy-WKXJR9M3H9QtZd0\" found at _acme-challenge.staging10.sixsense.ai",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/156736752777/SaJavw",
  "token": "n_hJr-MdFaQenA6va0-NSVXDBdy-WKXJR9M3H9QtZd0",
  "validated": "2022-09-23T17:53:26Z"
}

Here, I can see that the token and the TXT response match. So why is it giving unauthorized? Am I missing something?

Hi @saichander17, and welcome to the LE community forum :slight_smile:

The record found (and there now) appears to be incorrect:

Note: Each time the ACME process "runs" it creates a new TXT record.


Hi @rg305, thanks for responding quickly, but from the response you can see that the token value and the value in the error message are the same. I'm sorry if I'm missing something very obvious here! I would like some help in understanding this.


There must be something in the logs that hasn't been shown.
Can you show more/all of it?


Technically they are not exactly the same:

\"n_hJr-MdFaQenA6va0-NSVXDBdy-WKXJR9M3H9QtZd0\"
"n_hJr-MdFaQenA6va0-NSVXDBdy-WKXJR9M3H9QtZd0"

[as seen/displayed by the error message]
[but that could be a wild goose chase - let's see the full logs]


Yes, I have also observed the backslash, but it's the same for other domains as well, where I used certbot to manually generate challenges and updated my Route53. That works quite well in general. Right now, I'm using the above-mentioned script, which internally uses the Let's Encrypt APIs, as I understand it.

Shall I provide you with the responses from all the APIs I'm calling? I don't have any logs as of now, as I'm not using certbot.

Anything is better than nothing.
[something must explain what is going on]


@rg305 , Please find the logs I could generate below.
If you need help in understanding any line from the logs, I can give an explanation around that easily. Thanks again for helping!

Parsing account key...
Parsing CSR...
Found domains: *.staging10.sixsense.ai
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/745111097
Creating new order...
{'status': 'pending', 'expires': '2022-09-30T18:42:44Z', 'identifiers': [{'type': 'dns', 'value': '*.staging10.sixsense.ai'}], 'authorizations': ['https://acme-v02.api.letsencrypt.org/acme/authz-v3/156754013947'], 'finalize': 'https://acme-v02.api.letsencrypt.org/acme/finalize/745111097/128216855027'}
Order created!
Authorization:
{'identifier': {'type': 'dns', 'value': 'staging10.sixsense.ai'}, 'status': 'pending', 'expires': '2022-09-30T18:42:44Z', 'challenges': [{'type': 'dns-01', 'status': 'pending', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/156754013947/-ug4ww', 'token': 'cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ'}], 'wildcard': True}
----
Verifying staging10.sixsense.ai...
Challenge: {'type': 'dns-01', 'status': 'pending', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/156754013947/-ug4ww', 'token': 'cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ'}...
Token: cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ...
Updating Route53!
({'type': 'dns-01', 'status': 'pending', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/156754013947/-ug4ww', 'token': 'cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ'}, 200, <http.client.HTTPMessage object at 0x10d2b23d0>)
Traceback (most recent call last):
  File "main.py", line 287, in <module>
    main()
  File "main.py", line 282, in main
    signed_crt = get_crt(account_key_path, csr_path, contact='mailto:sai@sixsense.ai')
  File "main.py", line 219, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for staging10.sixsense.ai: {'identifier': {'type': 'dns', 'value': 'staging10.sixsense.ai'}, 'status': 'invalid', 'expires': '2022-09-30T18:42:44Z', 'challenges': [{'type': 'dns-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Incorrect TXT record "cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ" found at _acme-challenge.staging10.sixsense.ai', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/156754013947/-ug4ww', 'token': 'cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ', 'validated': '2022-09-23T18:47:59Z'}], 'wildcard': True}

Response from dig -t txt _acme-challenge.staging10.sixsense.ai:

; <<>> DiG 9.10.6 <<>> -t txt _acme-challenge.staging10.sixsense.ai
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49496
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;_acme-challenge.staging10.sixsense.ai. IN TXT

;; ANSWER SECTION:
_acme-challenge.staging10.sixsense.ai. 300 IN TXT "cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ"

;; Query time: 13 msec
;; SERVER: 192.168.50.1#53(192.168.50.1)
;; WHEN: Sat Sep 24 02:44:36 +08 2022
;; MSG SIZE  rcvd: 122

You should probably look at this thread. Same problem as yours. If I understand correctly, you are not using the token correctly


Thanks @MikeMcQ , Let me check and get back here.


Thank you so much @MikeMcQ. It worked. My bad for assuming that the token should be the same as the TXT response; I assumed that based on the API response. Thanks for the quick help.

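The mistake the thread resolves is that the DNS-01 TXT record is not the challenge token. Per RFC 8555, the key authorization is the token joined with "." to the RFC 7638 thumbprint of the ACME account's public key, and the TXT value is the base64url (unpadded) SHA-256 of that string. The code below is an added example written for this page; it is neither acme-tiny's code nor the poster's modified script. It reuses the token from the log above, but the account JWK is a constructed sample (not a real key), since only the JWK member strings are hashed.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Required members per key type that feed the thumbprint (RFC 7638, section 3.2).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account's public key.

    Only the required members are hashed, in lexicographic order, with no
    whitespace; extra members such as 'alg' or 'kid' must be ignored.
    """
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = {name: jwk[name] for name in members}
    serialized = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(serialized.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint (HTTP-01 serves this verbatim)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT data is base64url(SHA-256(key authorization)),
    never the bare token."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def check_dns01(token: str, account_jwk: dict, published_txt: str) -> tuple:
    """Compare what was published at _acme-challenge.<name> with what the CA expects.

    Returns (ok, expected_value). TXT data is compared exactly, so a stray
    quote, trailing space or '=' padding is a mismatch just like the wrong value.
    """
    expected = dns01_txt_value(token, account_jwk)
    return published_txt == expected, expected


# Token from the challenge in the log above. The account key below is a
# CONSTRUCTED sample for this example, not a real ACME account key.
TOKEN = "cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ"
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key",
    "alg": "RS256",   # extra members: must not affect the thumbprint
    "kid": "sample-kid",
}

if __name__ == "__main__":
    # What the poster did: publish the token itself. The CA rejects that.
    ok, expected = check_dns01(TOKEN, ACCOUNT_JWK, TOKEN)
    print("publishing the raw token passes:", ok)
    # What must go into Route53 instead (and what dig should then return):
    print("_acme-challenge TXT should be:", expected)
    print("publishing the derived value passes:",
          check_dns01(TOKEN, ACCOUNT_JWK, expected)[0])
```

Two practical notes: a new token is issued for every authorization, so the TXT value must be recomputed (and the old record replaced or removed) on each run, and the account key used for the thumbprint must be the same one that signs the ACME requests, otherwise the CA computes a different expected value and reports the same "Incorrect TXT record" error even though the record is present.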