I am attempting to issue a certificate (using LetsEncrypt’s staging endpoint) for litafi.com by completing a dns-01 challenge, but I am running into two issues that I would appreciate help understanding/resolving.
First Issue
From reading the docs of acme-client, I suspect that the initial payload, when an order for a certificate is made, should have an order.challenge.status == pending.
Yet, each time a request for a certificate order is made, the return value of the dns order.challenge.status == valid, as the payload below demonstrates:
body:
  encoding: UTF-8
  string: |-
    {
      "identifier": {
        "type": "dns",
        "value": "litafi.com"
      },
      "status": "valid",
      "expires": "2019-01-25T02:46:00Z",
      "challenges": [
        {
          "type": "tls-alpn-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/someAlphaNumericValueThatIDoNotKnowIfMeantToBeKeptSecret.BearWithMeIAmStillLearning",
          "token": "someAlphaNumericValueThatIDoNotKnowIfMeantToBeKeptSecret.BearWithMeIAmStillLearning"
        },
        {
          "type": "dns-01",
          "status": "valid",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/someAlphaNumericValueThatIDoNotKnowIfMeantToBeKeptSecret.BearWithMeIAmStillLearning",
          "token": "someAlphaNumericValueThatIDoNotKnowIfMeantToBeKeptSecret.BearWithMeIAmStillLearning",
          "validationRecord": [
            {
              "hostname": "litafi.com"
            }
          ]
        },
        {
          "type": "tls-sni-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/someAlphaNumericValueThatIDoNotKnowIfMeantToBeKeptSecret.BearWithMeIAmStillLearning",
          "token": "someAlphaNumericValueThatIDoNotKnowIfMeantToBeKeptSecret.BearWithMeIAmStillLearning"
        },
        {
          "type": "http-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/someAlphaNumericValueThatIDoNotKnowIfMeantToBeKeptSecret.BearWithMeIAmStillLearning",
          "token": "someAlphaNumericValueThatIDoNotKnowIfMeantToBeKeptSecret.BearWithMeIAmStillLearning"
        }
      ]
    }
- This valid status always results in a "JWS has an invalid anti-replay nonce: "YcrgSgEmUhl2pUc0vbDwu1OlOmMQ3Q2pwMSSfLbc014"" error when I attempt to verify the challenge. I have revoked all the certs that I generated while testing, but this issue still persists.
Second Issue
While attempting to resolve the problem, I used Google’s CT log and Comodo’s CT log to look at the historical report.
- CT shows that the leaf certificate was issued on 24/11/2018 and revoked on 25/11/2018. Does this mean that the certificate is no longer valid? Might this be the cause of the first issue?
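As an added illustration (not part of the post above and not acme-client's own code), the following Python walks an authorization object shaped like the one quoted in the question, picks out the dns-01 challenge, and only computes the _acme-challenge TXT value (RFC 8555 section 8.4, using the RFC 7638 key thumbprint) when the challenge is still pending; a challenge that is already valid needs no TXT record and no further POST to its URL. The token and the account key (ACCOUNT_JWK) are constructed placeholders.

```python
import base64
import hashlib
import json
from typing import Optional

# Constructed authorization modelled on the one in the post; the token is a placeholder.
AUTHZ = {
    "identifier": {"type": "dns", "value": "litafi.com"},
    "status": "valid",
    "expires": "2019-01-25T02:46:00Z",
    "challenges": [
        {"type": "tls-alpn-01", "status": "pending", "token": "placeholder-token"},
        {"type": "dns-01", "status": "valid", "token": "placeholder-token",
         "validationRecord": [{"hostname": "litafi.com"}]},
        {"type": "http-01", "status": "pending", "token": "placeholder-token"},
    ],
}

# Constructed (hypothetical) account key; a real RSA JWK has a much longer "n".
ACCOUNT_JWK = {"kty": "RSA", "n": "AQAB", "e": "AQAB", "kid": "not-part-of-thumbprint"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires for all encoded fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record for _acme-challenge.<domain>: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def find_challenge(authz: dict, ctype: str) -> Optional[dict]:
    return next((c for c in authz["challenges"] if c["type"] == ctype), None)


def plan_dns01(authz: dict, jwk: dict) -> dict:
    """Only a pending challenge needs a TXT record and a POST to its URL;
    a valid one is already usable for finalizing the order until it expires."""
    ch = find_challenge(authz, "dns-01")
    if ch is None:
        return {"action": "unsupported"}
    if ch["status"] == "pending":
        return {"action": "respond", "txt": dns01_txt_value(ch["token"], jwk)}
    if ch["status"] == "valid":
        return {"action": "skip", "reason": "already valid until " + authz["expires"]}
    return {"action": "failed", "status": ch["status"]}
```

For the quoted payload, plan_dns01 returns "skip": the authorization is already valid, so the client should move on to finalizing the order rather than re-posting to the challenge.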