Need help renewing certificates

My predecessor set up a system in Ansible which generates a secure key and a signing key and then creates an ACME challenge. This is then validated with Let's Encrypt to generate a wildcard certificate. Unfortunately it has stopped working and I don't know how to fix it. I just need a wildcard certificate to load onto our servers.
I see that there is Certbot but don't know how to get it working.
Please help!!!
My domain is:

I ran this command: ansible-playbook -i production/production_hosts --forks 25 sslcertificates.yml --ask-vault-pass -e 'ansible_python_interpreter=/usr/bin/python3'

It produced this output: TASK [validate acme challenge] *******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to validate challenge for dns:.beckgreener.com: Status is "invalid". Challenge dns-01: Error urn:ietf:params:acme:error:unauthorized: "Incorrect TXT record "xxxxxxxxxxxxxxx" found at _acme-challenge.beckgreener.com". ", "other": {"authorization": {"challenges": [{"error": {"detail": "Incorrect TXT record "xxxxxxxxxxxxxxx" found at _acme-challenge.beckgreener.com", "status": 403, "type": "urn:ietf:params:acme:error:unauthorized"}, "status": "invalid", "token": "xxxxxxxxxxxxxxxxxx", "type": "dns-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/354383466262/bFxFDQ", "validated": "2024-05-23T11:07:22Z"}], "expires": "2024-05-30T11:07:12Z", "identifier": {"type": "dns", "value": "beckgreener.com"}, "status": "invalid", "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/354383466262", "wildcard": true}, "identifier": "dns:.beckgreener.com"}}

My web server is (include version): this is not on Web server

The operating system my web server runs on is (include version): Not on Web Server

My hosting provider, if applicable, is: Domain DNS is managed on Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Cloudflare

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


The online tool https://unboundtest.com/ shows a response of
_acme-challenge.beckgreener.com. 0 IN TXT "Wn2p3x8MLKthDDFBoW_jJfWdARXYB-RpY0znEO9ibio"
does that match any of these?

https://unboundtest.com/m/TXT/_acme-challenge.beckgreener.com/ML6LGL5Y

Query results for TXT _acme-challenge.beckgreener.com

Response:
;; opcode: QUERY, status: NOERROR, id: 26961
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;_acme-challenge.beckgreener.com.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.beckgreener.com.	0	IN	TXT	"Wn2p3x8MLKthDDFBoW_jJfWdARXYB-RpY0znEO9ibio"

----- Unbound logs -----

Edit:
And using nslookup on both Authoritative Name Servers for _acme-challenge.beckgreener.com text

From cruz.ns.cloudflare.com.

$ nslookup -q=txt _acme-challenge.beckgreener.com cruz.ns.cloudflare.com.
Server:         cruz.ns.cloudflare.com.
Address:        173.245.58.88#53

_acme-challenge.beckgreener.com text = "Wn2p3x8MLKthDDFBoW_jJfWdARXYB-RpY0znEO9ibio"

From dilbert.ns.cloudflare.com.

$ nslookup -q=txt _acme-challenge.beckgreener.com dilbert.ns.cloudflare.com.
Server:         dilbert.ns.cloudflare.com.
Address:        173.245.59.155#53

_acme-challenge.beckgreener.com text = "Wn2p3x8MLKthDDFBoW_jJfWdARXYB-RpY0znEO9ibio"

All presently match.
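The reply above checks the published TXT value by hand on each authoritative name server. The following script is an added example, not code from the thread or from the Ansible role being discussed: it reproduces the value an ACME server expects for a dns-01 challenge (RFC 8555 section 8.4: base64url of SHA-256 over `token + "." + JWK thumbprint`, the thumbprint per RFC 7638), pulls the TXT strings out of dig/nslookup/unboundtest-style output, and reports per server whether the expected value is present and which stale values remain. The token, account key and name server answers are constructed placeholders, and the function names are the example's own.

```python
# Added example (not from the thread): reproduce the dns-01 value an ACME
# server expects and compare it with what the authoritative name servers
# return, which is the check behind "Incorrect TXT record ... found".
#
# RFC 8555 section 8.4: the TXT record must contain
#     base64url( SHA-256( token + "." + thumbprint(account key) ) )
# and the thumbprint is defined by RFC 7638 (required public members only,
# sorted, no whitespace). The token, account key and DNS answers below are
# constructed stand-ins, not values from the thread.
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: canonical JSON of the required public members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA will look for at _acme-challenge.<domain> (RFC 8555 8.4)."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


# Matches `... IN TXT "value"` (dig/unboundtest) and `... text = "value"` (nslookup).
TXT_RE = re.compile(r'(?:\bTXT\b|\btext =)\s*"([^"]+)"')


def txt_values_from_lookup(output: str) -> list:
    """Pull quoted TXT strings out of dig / nslookup / unboundtest style output."""
    return TXT_RE.findall(output)


def diagnose(token: str, account_jwk: dict, lookups: dict) -> dict:
    """Compare the expected value with what each name server returned.

    lookups maps a name server to the raw text of its answer. Returns the
    expected value, whether each server carries it, and any other values
    still present (a leftover record from an earlier run is a common cause
    of "Incorrect TXT record ... found").
    """
    expected = expected_txt_value(token, account_jwk)
    report = {"expected": expected, "servers": {}}
    for server, text in lookups.items():
        seen = txt_values_from_lookup(text)
        report["servers"][server] = {
            "matches": expected in seen,
            "stale": [v for v in seen if v != expected],
        }
    report["all_match"] = all(s["matches"] for s in report["servers"].values())
    return report


# --- constructed sample data (not a real key or challenge token) ---
SAMPLE_TOKEN = "tokenFromTheAcmeChallengeObject0000000000"
SAMPLE_JWK = {  # shape of an EC P-256 account key; x/y are placeholders
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256", "kid": "ignored-by-thumbprint",
}


def sample_report() -> dict:
    """Run the check against constructed answers: one server current, one stale."""
    good = expected_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    lookups = {
        "ns1.example.net": f'_acme-challenge.example.com text = "{good}"\n',
        "ns2.example.net": ('_acme-challenge.example.com. 0 IN TXT '
                            '"OldValueLeftOverFromPreviousRun_____________"\n'),
    }
    return diagnose(SAMPLE_TOKEN, SAMPLE_JWK, lookups)


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

In real use the `lookups` dictionary would hold the output of a TXT query against each authoritative server (as the reply did with `nslookup` against both Cloudflare name servers), the token would come from the challenge object the CA returned, and the JWK would be the public half of the ACME account key the client used. If every server returns the expected value and the CA still reports "Incorrect TXT record", the usual remaining suspects are an additional stale record the CA happened to pick, or the client having registered the challenge under a different account key than the one used to compute the published value.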
