org.shredzone.acme4j.exception.AcmeLazyLoadingException

The incorrect AcmeProtocolException is fixed in v3.3.0. It will be available on Maven Central in the next hour or so. (Note that it won't resolve the OP's issue, but will just throw a more descriptive exception now.)

3 Likes

We currently have retry logic to trigger the HTTP challenge from Let's Encrypt (3 attempts) and to poll the authorization status (with a sleep between polls).

Also, the logs show only 3 Let's Encrypt HTTP challenge requests to ./well-known/challenge; with the new changes, 5 requests are expected. Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt
It seems like the request is blocked or the domain name is not resolving from some of the locations.

Most of the other domains are working with the same acme library version; we are seeing issues with some of them that do not have the CNAME propagated to all locations and have a network zone configured. So I wanted to confirm whether there are any logs indicating a domain validation failure or an error resolving the domain URL from Let's Encrypt?

Wild guess, but GoDaddy had a recent DNS API policy change (only giving it to clients with 10+ domains).

3 Likes

So the "log" that you're looking for is the error message returned from Let's Encrypt. From the https://acme-v02.api.letsencrypt.org/acme/authz-v3/348472255457 link that you posted, it looks like one problem is

During secondary validation: DNS problem: SERVFAIL looking up A for auth-test.phs.org - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for auth-test.phs.org - the domain's nameservers may be malfunctioning

Which looks like some sort of error resolving your DNS from some parts of the world. And the DNS entry for your name looks to be a chain so there are a lot of DNS servers involved. Are you consistently getting that "secondary validation" "SERVFAIL" message? Is there anything limiting access to the authoritative DNS servers of phs.org, oktapreview.com, or awsglobalaccelerator.com that you're aware of?

3 Likes

Thanks @peter.
We are not seeing any error in the logs indicating a DNS problem, but the authorization status is stuck in pending after triggering the HTTP challenge. Also, we are seeing only 3 .well-known/acme-challenge requests in the logs, and 5 requests are expected as per Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt.
So I wanted to check whether there was any error resolving the domain name from the other two locations. From the logs you shared it looks like a DNS problem; we have informed the customer to verify their DNS server settings.
Thanks

1 Like

With acme4j 2.11 or newer versions, is there a way to check server-side errors during the DNS lookup? That would help identify why the authorization status is pending.

Sure! You can invoke Challenge.getError(). If the CA gives a reason for the error, you will find it there.

2 Likes
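Putting the two answers above together, here is an added example (not code from the original thread, and not acme4j's own documentation) of the poll-then-inspect loop the OP describes, written against acme4j 3.x. It triggers the http-01 challenge, polls it with fetch() (which in 3.x returns the server's Retry-After hint as an Optional<Instant>), and then prints whatever Challenge.getError() reports, including sub-problems, which is where a "During secondary validation: DNS problem: SERVFAIL ..." message from the CA would show up. The staging directory URL, the account.pem path, the domain name and the poll limits are placeholders.

```java
import java.io.FileReader;
import java.security.KeyPair;
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;

import org.shredzone.acme4j.Account;
import org.shredzone.acme4j.AccountBuilder;
import org.shredzone.acme4j.Authorization;
import org.shredzone.acme4j.Order;
import org.shredzone.acme4j.Problem;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.util.KeyPairUtils;

// Added example, not part of the original thread. Assumes acme4j 3.x; the
// domain, key file path and polling limits below are placeholders.
public class Http01Diagnose {

    private static final int MAX_POLLS = 10;                      // placeholder
    private static final Duration DEFAULT_WAIT = Duration.ofSeconds(3); // placeholder

    public static void main(String[] args) throws Exception {
        // Staging avoids burning production rate limits while diagnosing.
        Session session = new Session("acme://letsencrypt.org/staging");

        KeyPair accountKey;
        try (FileReader reader = new FileReader("account.pem")) { // placeholder path
            accountKey = KeyPairUtils.readKeyPair(reader);
        }
        Account account = new AccountBuilder()
                .agreeToTermsOfService()
                .useKeyPair(accountKey)
                .create(session);

        Order order = account.newOrder().domains("auth-test.example.org").create(); // placeholder

        for (Authorization auth : order.getAuthorizations()) {
            Http01Challenge challenge = auth.findChallenge(Http01Challenge.class)
                    .orElseThrow(() -> new IllegalStateException("no http-01 challenge offered"));

            // The key authorization must already be reachable from the public
            // internet at this path before trigger() is called.
            System.out.println("serve " + challenge.getAuthorization()
                    + " at http://" + auth.getIdentifier().getDomain()
                    + "/.well-known/acme-challenge/" + challenge.getToken());

            challenge.trigger();
            pollAndReport(challenge);
        }
    }

    static void pollAndReport(Challenge challenge) throws AcmeException, InterruptedException {
        for (int attempt = 1; attempt <= MAX_POLLS; attempt++) {
            // fetch() re-reads the challenge from the CA. While the validators
            // (primary plus remote perspectives) are still running, the status
            // stays PENDING or PROCESSING.
            Optional<Instant> retryAfter = challenge.fetch();
            Status status = challenge.getStatus();
            System.out.println("poll " + attempt + ": status " + status);

            if (status == Status.VALID) {
                return;
            }
            if (status == Status.INVALID) {
                report(challenge);
                return;
            }
            // Honour the CA's Retry-After hint if it gave one, else use our default.
            Duration wait = retryAfter
                    .map(t -> Duration.between(Instant.now(), t))
                    .filter(d -> !d.isNegative())
                    .orElse(DEFAULT_WAIT);
            Thread.sleep(wait.toMillis());
        }
        // Still pending after the last poll: the CA may nonetheless have
        // recorded a reason, so ask for it before giving up.
        System.out.println("giving up while status is " + challenge.getStatus());
        report(challenge);
    }

    // Prints the problem document the CA attached to the challenge, if any.
    static void report(Challenge challenge) {
        Optional<Problem> error = challenge.getError();
        if (error.isEmpty()) {
            System.out.println("CA reported no error for this challenge");
            return;
        }
        Problem problem = error.get();
        System.out.println("type:   " + problem.getType());
        System.out.println("detail: " + problem.getDetail().orElse("(none)"));
        // A multi-perspective failure may be broken out into sub-problems.
        for (Problem sub : problem.getSubProblems()) {
            System.out.println("  sub:  " + sub.getType() + " " + sub.getDetail().orElse(""));
        }
    }
}
```

The thing to look for in the printed detail is the "During secondary validation" prefix: it means the primary validator reached the challenge file but one or more of the remote perspectives did not, which matches the OP's observation of fewer .well-known/acme-challenge hits than expected. If the detail is a DNS SERVFAIL rather than an HTTP error, the problem is in the resolution chain (each CNAME hop's authoritative servers), not in the web server serving the token.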
