Not able to validate my Let's Encrypt DNS challenge: it stays in pending

Hi team,

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
egide.net
I ran this command:

Ansible task:
    - name: Create a challenge using an account key file.
      community.crypto.acme_certificate:
        account_key_src: /path/to/my/key.pem
        account_email: noreply@egide.net
        src: /path/to/my/csr.csr
        cert: /path/to/my/crt.crt
        challenge: dns-01
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        # Renew when fewer than this many days of validity remain
        remaining_days: 60
        acme_version: 2
        terms_agreed: yes
      register: challenge
      tags:
        - cert
        - renew_cert
It produced this output:
{
    "challenge": {
        "account_uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1262644196",
        "authorizations": {
            "ea.egide.net": {
                "challenges": [
                    {
                        "status": "pending",
                        "token": "7eCW7deehxHX2EPXZ3iC4bNhZfpKs0nbM5q4QrviG9o",
                        "type": "http-01",
                        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/255818944746/vonPZg"
                    },
                    {
                        "status": "pending",
                        "token": "7eCW7deehxHX2EPXZ3iC4bNhZfpKs0nbM5q4QrviG9o",
                        "type": "dns-01",
                        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/255818944746/DhyuyQ"
                    },
                    {
                        "status": "pending",
                        "token": "7eCW7deehxHX2EPXZ3iC4bNhZfpKs0nbM5q4QrviG9o",
                        "type": "tls-alpn-01",
                        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/255818944746/NJkUbA"
                    }
                ],
                "expires": "2023-08-24T15:07:54Z",
                "identifier": {
                    "type": "dns",
                    "value": "ea.egide.net"
                },
                "status": "pending",
                "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/255818944746"
            }
        },
        "cert_days": -1,
        "challenge_data": {
            "ea.egide.net": {
                "dns-01": {
                    "record": "_acme-challenge.ea.egide.net",
                    "resource": "_acme-challenge",
                    "resource_value": "D1GSBOkDQlHaZCKmtjc9fu9itTwoOYuskhsftAvyRdw"
                },
                "http-01": {
                    "resource": ".well-known/acme-challenge/7eCW7deehxHX2EPXZ3iC4bNhZfpKs0nbM5q4QrviG9o",
                    "resource_value": "7eCW7deehxHX2EPXZ3iC4bNhZfpKs0nbM5q4QrviG9o.pbyfFCvdWxI2OxLkbECg1ep7jOoYh--n04DXxj6Wyzg"
                },
                "tls-alpn-01": {
                    "resource": "ea.egide.net",
                    "resource_original": "dns:ea.egide.net",
                    "resource_value": "D1GSBOkDQlHaZCKmtjc9fu9itTwoOYuskhsftAvyRdw="
                }
            }
        },
        "challenge_data_dns": {
            "_acme-challenge.ea.egide.net": [
                "D1GSBOkDQlHaZCKmtjc9fu9itTwoOYuskhsftAvyRdw"
            ]
        },
        "changed": true,
        "failed": false,
        "finalize_uri": "https://acme-v02.api.letsencrypt.org/acme/finalize/1262644196/202211438626",
        "order_uri": "https://acme-v02.api.letsencrypt.org/acme/order/1262644196/202211438626"
    }
}

And when I do a dig I get the correct TXT:

o.pouilly ~ $ dig @8.8.8.8 -t TXT _acme-challenge.ea.egide.net
; <<>> DiG 9.10.6 <<>> @8.8.8.8 -t TXT _acme-challenge.ea.egide.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.ea.egide.net. IN TXT
;; ANSWER SECTION:
_acme-challenge.ea.egide.net. 21600 IN TXT "D1GSBOkDQlHaZCKmtjc9fu9itTwoOYuskhsftAvyRdw"
;; Query time: 50 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 19 17:31:03 CEST 2023
;; MSG SIZE rcvd: 113

I don't understand why the challenge stays in pending?

Regards,

I have no clue how to do that with Ansible, but something that I noticed was:

Unless I don't understand the Ansible variable remaining_days, this is not what Let's Encrypt recommends: it recommends to renew with 30 days remaining (thus: 60 days into the validity of the certificate, NOT with 60 days left).


Thanks, I'll change that. But it does not change my problem of the pending certificate :confused:


My guess is that the ansible code hasn't finalized the order.


But it looks like it did, no?
When you look at this bit:
    "cert_days": -1,
    "challenge_data": {
        "ea.egide.net": {
            "dns-01": {
                "record": "_acme-challenge.ea.egide.net",
                "resource": "_acme-challenge",
                "resource_value": "D1GSBOkDQlHaZCKmtjc9fu9itTwoOYuskhsftAvyRdw"
            },

Is that not the TXT record that I should put?

Does the ansible code update the TXT record in DNS?


Nope, I made it myself; is that the problem?
But it's weird, because when I replay my Ansible playbook it is still asking me for the same TXT record. So it must not be that.

LE asks for that same record because that order [from the same account for the same set of names] is still unfinished/pending.


But the record is in my dns :confused:

Maybe one of these explains what you see:

TXT value encoding

Post-as-get and to initiate


If the record is already in your authoritative DNS zone, then you need to take the next step.


What is the next step?

Somehow make Ansible trigger the validation of the challenge on the ACME server.

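The two-phase pattern the replies describe, as an added example that is not the original poster's playbook: the first acme_certificate call creates the order and returns the TXT values, the record is published, and a second call with `data` pointing at the registered result triggers validation. The authoritative nameserver name, the manual-record pause and the dig-based wait are assumptions; the paths mirror the ones in the question.

```yaml
---
# Added example: two-phase dns-01 issuance with community.crypto.acme_certificate.
# ns1.example.net, the pause step and the dig loop are assumptions.
- hosts: localhost
  vars:
    authoritative_ns: ns1.example.net   # assumed: one of the zone's own nameservers
    acme_params: &acme_params
      account_key_src: /path/to/my/key.pem
      account_email: noreply@egide.net
      src: /path/to/my/csr.csr
      cert: /path/to/my/crt.crt
      challenge: dns-01
      acme_directory: https://acme-v02.api.letsencrypt.org/directory
      acme_version: 2
      terms_agreed: true
      remaining_days: 30          # renew once 30 days of validity remain
  tasks:
    - name: Phase 1 - create the order and get the dns-01 challenge data
      community.crypto.acme_certificate:
        <<: *acme_params
      register: challenge

    - name: Show the TXT values this order expects (a new order gets new values)
      ansible.builtin.debug:
        var: challenge.challenge_data_dns
      when: challenge is changed

    - name: Wait until the record has been created in the authoritative zone
      ansible.builtin.pause:
        prompt: "Create the TXT record(s) shown above, then press Enter"
      when: challenge is changed

    - name: Confirm the authoritative server already returns the expected value
      ansible.builtin.command:
        argv: ["dig", "+short", "@{{ authoritative_ns }}", "-t", "TXT", "{{ item.key }}"]
      loop: "{{ challenge.challenge_data_dns | default({}) | dict2items }}"
      register: dig_out
      until: item.value[0] in (dig_out.stdout | replace('"', ''))
      retries: 30
      delay: 10
      changed_when: false
      when: challenge is changed

    - name: Phase 2 - trigger validation on the ACME server and fetch the certificate
      community.crypto.acme_certificate:
        <<: *acme_params
        data: "{{ challenge }}"   # the registered result of phase 1
      when: challenge is changed
```

The phase 2 task is what moves the challenge out of pending; without it the order stays open and replaying phase 1 keeps returning the same TXT value.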

OK, I did it. And I got this message now:

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to validate challenge for dns:ea.egide.net: Status is not \"valid\". Challenge dns-01: Error urn:ietf:params:acme:error:unauthorized: \"Incorrect TXT record \"D1GSBOkDQlHaZCKmtjc9fu9itTwoOYuskhsftAvyRdw\" found at _acme-challenge.ea.egide.net\".", "other": {"authorization": {"challenges": [{"error": {"detail": "Incorrect TXT record \"D1GSBOkDQlHaZCKmtjc9fu9itTwoOYuskhsftAvyRdw\" found at _acme-challenge.ea.egide.net", "status": 403, "type": "urn:ietf:params:acme:error:unauthorized"}, "status": "invalid", "token": "jK82Ik3ugJMN-_D1-mB5xPD6ZVPXBy8baVI4x6VN2AY", "type": "dns-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/256511242966/Qs8jyg", "validated": "2023-08-19T22:39:57Z"}], "expires": "2023-08-26T22:39:51Z", "identifier": {"type": "dns", "value": "ea.egide.net"}, "status": "invalid", "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/256511242966"}, "identifier": "dns:ea.egide.net"}}

But it looks like it found my TXT, but it says it's not correct, weird no?

OK, I think I got it. Now it gave me another challenge; I'll try that next week. Thanks for your help.


I guess all that leads me to one question. If I fail a challenge (it seems that I asked for an http-01 challenge, I realize it was a mistake, so the challenge failed), is my session done, and do I need to change the TXT each time it fails?

Each new request will have a new TXT value


So if I make a request, register it in my DNS, and then my DNS takes too long to propagate, I'll have to redo it?

Let's Encrypt only looks at the authoritative DNS servers, so TTL propagation delay is not an issue, other than the brief delay at your authoritative servers for them to sync.


Please test using the staging environment.
