Invalid certificate challenge (NXDOMAIN looking up TXT for _acme-challenge, 400)

In case it matters, my end goal is a cert for a autodiscover (and maybe OWA) on Exchange 2010. I have split DNS on the server (but all DNS mentioned forthwith is on the public authoritative NS for my domain, thomas-mail.com, and not in the local zone file on the SBS2011 box.) I have a DDNS entry on namecheap for remote.thomas-mail (and can do others for webmail and autodiscover, just wanted to figure this out, first.)

My domain is:

thomas-mail.com (I’m doing a test to get a cert for remote.thomas-mail.com)

My NS is namecheap

Commands below are using ACMESharp, on Powershell. (shouldn’t matter but this is all on SBS2011 (win 2008 rs2 sp1, with wmf3.0 for powershell 3. Everything is fine on the server and powershell side.)

(1) I ran this command:

New-ACMERegistration -Contacts mailto:mrbaggins(at, only the symbol)hotmail.com -AcceptTos

(1) It produced this output:

Contacts : {mailto:mrbaggins(at, only the symbol)hotmail.com}
PublicKey : { e = AQAB, kty = RSA, n = A very long alpha numeric string, which I’m guessing you don’t need… let me know if thats not the case}
RecoveryKey :
RegistrationUri : https://acme-v01.api.letsencrypt.org/acme/reg/29320383
Links : {https://acme-v01.api.letsencrypt.org/acme/new-authz;rel=“next”,
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf;rel=“terms-of-service”}
TosLinkUri : https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
TosAgreementUri : https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
AuthorizationsUri :
CertificatesUri :

(2) I typed

New-ACMEIdentifier -dns remote.thomas-mail.com -alias remote.t-m

(2) Result:

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : remote.thomas-mail.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4c
Status : pending
Expires : 2/18/2018 10:27:43 PM
Challenges : {, }
Combinations : {0, 1}

(3) My command: Complete-ACMEChallenge remote.t-m -ChallengeType dns-01 -Handler manual

(3) Result:
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : remote.thomas-mail.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4c
Status : pending
Expires : 2/18/2018 10:27:43 PM
Challenges : {, manual}
Combinations : {0, 1}

(4) At this point I took a look at the above captioned webpage, to check what dns change I needed to make (and now understand that that was probably wrong! see below.) I made a change (in namecheap Advanced Management) in DNS (what I assume to be the correct .TXT record host of) [type] TXT Record [host] _acme-challenge.remote.thomas-mail.com [value] the (I guess challenge) token found in that URL, rather than the different value explicitly stated as the required TXT value found with (Update-ACMEIdentifier remote.t-m -ChallengeType dns-01).challenges, which I got to later.

(4) No response, here, because it was a change on a web interface at namecheap

(5) My command: Submit-ACMEChallenge remote.t-m -ChallengeType dns-01

(5) Response:

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : remote.thomas-mail.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4c
Status : pending
Expires : 2/18/2018 10:27:43 PM
Challenges : {, manual}
Combinations : {0, 1}

(6) My Command : (Update-ACMEIdentifier remote.t-m -ChallengeType dns-01).challenges

(6) Response:

ChallengePart : ACMESharp.Messages.ChallengePart
Challenge :
Type : http-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4
c/3424800284
Token : MTM6hyZ-gZkdLoUEgauRPAN_YtYNZT-ohV9wT9272Rc
Status : pending
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName :
HandlerHandleDate :
HandlerHandleMessage :
HandlerCleanUpDate :
HandlerCleanUpMessage :
SubmitDate :
SubmitResponse :

ChallengePart : ACMESharp.Messages.ChallengePart
Challenge : ACMESharp.ACME.DnsChallenge
Type : dns-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4
c/3424800285
Token : xs6wLtX9t6ovF2YFHzJhpHajy2QnTshCJpNtfG4mXPk
Status : invalid
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName : manual
HandlerHandleDate : 2/11/2018 2:29:07 PM
HandlerHandleMessage : == Manual Challenge Handler - DNS ==
* Handle Time: [2/11/2018 2:29:07 PM]
* Challenge Token: [xs6wLtX9t6ovF2YFHzJhpHajy2QnTshCJpNtfG4mXPk]

                     To complete this Challenge please create a new Resource
                     Record (RR) with the following characteristics:
                       * RR Type:  [TXT]
                       * RR Name:  [_acme-challenge.remote.thomas-mail.com]
                       * RR Value: [NqyMDOTcH6G2blX0vexRpeKcumAlkMq__LNRoLvgjZw]
                     ------------------------------------

HandlerCleanUpDate :
HandlerCleanUpMessage :
SubmitDate : 2/11/2018 2:42:10 PM
SubmitResponse : {StatusCode, Headers, Links, RawContent…}

(7) Realized here that I’d probably put in the TXT record wrong. I changed the DNS config for the value to

NqyMDOTcH6G2blX0vexRpeKcumAlkMq__LNRoLvgjZw

(8) Waited a bit, tried to -force the complete again. Essentially the same output as previous complete. -force the submit thinking maybe that was necessary. No dice with that. Kept checking (Update-ACMEIdentifier remote.t-m -ChallengeType dns-01).challenges

And a couple of days later, after DNS propagation must have worked through, still invalid. Not 100% what my next step is, or even where I’m going wrong example-- in my DNS config, in something I haven’t done to refresh/resubmit this that I should be doing, or if I screwed up in a new and exciting way that I didn’t forsee.

I don’t want to hit any of the caps on submits or whatever, so I figured I should ask rather than blindly trying stuff.

My web server is (include version):
IIS7 for Exchange 2010 OWA / Autodiscover – although, shouldn’t matter since haven’t gotten there.

The operating system my web server runs on is (include version):
Windows 2008 Server RS2 (SP1)

My hosting provider, if applicable, is:
namecheap.com for NS only

I can login to a root shell on my machine (yes or no, or I don’t know):
admin on powershell counts, right?

Thanks so much for wading thru this wall of text.

Cordially,

Justin

Take a screenshot of your DNS entries in Namecheap.

It appears that no records exist for remote.thomas-mail.com, let alone for _acme-challenge.remote.thomas-mail.com.

There is a DNS record, but it doesn’t have the right name:

_acme-challenge.remote.thomas-mail.com.thomas-mail.com. 1800 IN TXT "NqyMDOTcH6G2blX0vexRpeKcumAlkMq__LNRoLvgjZw"

Next time, try setting the record name to “_acme-challenge.remote” or possibly “_acme-challenge.remote.thomas-mail.com.”.

Invalid authorizations can’t be retried. You need to make a new authorization, with new challenges, set the DNS record to the new value, and then try to validate it again.

You should usually use the staging environment for testing, but if you’re only giving it a couple tries, it doesn’t matter.

Many thanks, I figured it was something simple like that. I have a DKIM for zoho-mail, which was working perfectly, which now I realize must be resolving to zoho._domainkey.thomas-mail.com (even though only the zoho._domainkey is in the txt host field.). I didn't think to clip the .domain off of the TXT record host name. Duh!

So, that makes complete sense, thanks. I've made the change. I'll wait 30 mins for the timeout on the old record, then give it another shot.

Out of interest, what is the correct way to revalidate using ACMESharp?

The

(Update-ACMEIdentifier remote.t-m -ChallengeType dns-01).challenges

or something else?

Thanks again,

Cordially,

Justin

@mrbaggins validations actually last for a while so you may just be able to request anther cert against the same identifiers when the time comes. If the request fails because the validations have expired you then have to repeat the process pretty much the same as you already did because you need to get new validations for your identifiers.

For info the next version (v4) of my UI tool https://certifytheweb.com will include some DNS API integrations as well as extended support for Exchange (service activation with the new certificate etc). Just deciding which APIs to include at this point.

If the request fails because the validations have expired you then have to repeat the process pretty much validations actually last for a while so you may just be able to request anther cert against the same identifiers when the time comes. If the request fails because the validations have expired you then have to repeat the process pretty much the same as you already did because you need to get new validations for your identifiers.

I did a second SAN alias (more importantly, the autodiscover one) and it went through flawlessly, which is great.) On the original request I was looking through the URI's for the original cert challenge I did and noticed

"type": "urn:acme:error:malformed",
"detail": "No such challenge",

Its no big deal, because I'll let that alias expire and do it again next go around.

For info the next version (v4) of my UI tool https://certifytheweb.com will include some DNS API integrations as well as extended support for Exchange (service activation with the new certificate etc). Just deciding which APIs to include at this point.

That would be absolutely fabulous. This open web certification is great (and a really important goal for safer more trusted internet,) and the support surrounding it is absolutely incredible. Seriously, I (well... companies I worked/consulted with) have paid a hell of a lot for a hell of a lot worse service. I'll keep an eye on the certifytheweb tool with great interest. You guys (collectively) are doing incredible work.

Justin.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.