Invalid authorization

We have a system that maintains LetsEncrypt certificates for our users, which we’ve been running for 1.5 years.

One particular domain, www.a11y.cloud, is failing to renew its certificate, while others on the platform are succeeding.
We’re getting status=invalid on a http-01 challenge, but we’re not sure why - the code for this domain is identical to other domains we host on our platform.

We’re also hitting rate limits because of this failure: "Error creating new authz :: Too many invalid authorizations recently."
We send the request every 5 minutes, and hit rate limits after 5 attempts per hour.

We’d be curious to see what your system is seeing.

Thanks,
Peter

My domain is:
www.a11y.cloud

The error message returned by Let’s Encrypt should help explain what’s going on. (When it isn’t the failed validation rate limit one.)

In any case, the domain has a DNSSEC error, which prevents Let’s Encrypt from working.

It has a DS record at the registry, but the domain’s nameservers are not using DNSSEC. Therefore, validating resolvers cannot resolve it.

Either DNSSEC needs to be enabled properly, or the DS record needs to be removed at the registrar.

http://dnsviz.net/d/a11y.cloud/WWlQ4w/dnssec/
http://dnsviz.net/d/www.a11y.cloud/WWlQ3w/dnssec/

It’s using Namecheap and Namecheap BasicDNS, right? This shouldn’t have happened. The DNS and DNSSEC settings are both under Namecheap’s control. You can try turning DNSSEC off in their control panel, and maybe turning it on again, but you may have to contact support.

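To make the diagnosis above checkable offline, here is an added example (not code from this thread, from Let's Encrypt, or from Namecheap) that recomputes a DNSKEY's key tag and DS digest per RFC 4034 and reports whether the DS set published at the parent matches any key the zone's own nameservers serve. The zone name `example.invalid` and the key bytes are constructed; in practice the inputs come from `dig DS <zone>` and `dig DNSKEY <zone> @<nameserver>`.

```python
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def check_chain(owner, ds_records, dnskeys):
    """ds_records: (key_tag, algorithm, digest_type, digest_hex) tuples from the parent zone.
    dnskeys: (flags, protocol, algorithm, pubkey_b64) tuples from the zone's nameservers.
    Returns 'unsigned' (no DS, validators expect nothing), 'ok' (a DS matches a served key),
    or 'broken' (DS present but no matching DNSKEY: validating resolvers fail, as in this thread)."""
    if not ds_records:
        return "unsigned"
    for flags, proto, alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag = key_tag(rdata)
        for ds_tag, ds_alg, ds_type, digest_hex in ds_records:
            if ((ds_tag, ds_alg) == (tag, alg) and ds_type in DIGEST_ALGS
                    and digest_hex.lower() == ds_digest(owner, rdata, ds_type)):
                return "ok"
    return "broken"

# Constructed sample (not a real key): one KSK (flags 257), ECDSAP256SHA256 (algorithm 13).
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_KEY)
SAMPLE_DS = [(key_tag(SAMPLE_RDATA), 13, 2, ds_digest("example.invalid", SAMPLE_RDATA, 2))]

# The thread's case: DS published at the registry, but the nameservers serve no DNSKEY.
print(check_chain("example.invalid", SAMPLE_DS, []), check_chain("example.invalid", SAMPLE_DS, [SAMPLE_KEY]))
```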

Thanks, that is super helpful (coworker of @thepwagner here). Apparently our ACME library doesn’t expose the error but I see where it is in the protocol.
