Performing DNS challenge with the win-acme client: it didn't query my name servers, had to wait for propagation

My domain is: www.gerencial.fsp.usp.br

I am using win-acme.v2.0.0.177 and DNS challenge for this local intranet address.

I tried to renew my SSL certificate and, trying to save waiting time and speed things up, I hit Enter as soon as my name server had been configured with the TXT record.

(as read in the thread "I have to wait until DNS propagate for issuing certificate?")

... and it failed.

Despite the embarrassment with my team, I would like to know if others had this issue.

(now I've regenerated the nonce and I am patiently waiting for DNS propagation before hitting Enter on the TXT record confirmation prompt)

Which renewal would you like to run?: 1

 [INFO] Authorize identifier: www.gerencial.fsp.usp.br
 [INFO] Authorizing www.gerencial.fsp.usp.br using dns-01 validation (Manual)

 Domain:             www.gerencial.fsp.usp.br
 Record:             _acme-challenge.www.gerencial.fsp.usp.br
 Type:               TXT
 Content:            "/* MY_NOUNCE */"
 Note 1:             Some DNS control panels add quotes automatically. Only one set is required.
 Note 2:             Make sure your name servers are synchronised, this may take several minutes!

 Please press enter after you've created and verified the record

Thanks for your attention.


An institution more important than ever!

Could you also show the error that you got back from the certificate authority in response to this attempt?

I'm initially a bit suspicious of the overall DNS configuration; for example one thing I notice is that the nameservers hemera.fsp.usp.br and tartaro.fsp.usp.br disagree with each other about the status of your TXT record. One of them serves a TXT record with a nonce for _acme-challenge, while the other one says this name is a CNAME to gerencial.fsp.usp.br.


Hi @schoen, thanks for the reply.

The wait was useless. I was monitoring propagation and, since most DNS servers recognized the record, I hit Enter and got the response below:

 [INFO] Answer should now be available at _acme-challenge.www.gerencial.fsp.usp.br
 [INFO] Preliminary validation looks good, but ACME will be more thorough...
 [WARN] First chance error calling into ACME server, retrying with new nonce...
 [EROR] Authorization timed out

 Domain:             www.gerencial.fsp.usp.br
 Record:             _acme-challenge.www.gerencial.fsp.usp.br
 Type:               TXT
 Content:            "wKA_RXadKAj18kiY4vk7Vus6_QHoy89AJqA52zoH__8"

 Please press enter after you've deleted the record

Thanks for the info about the conflicting records. On Monday I will ask the team to remove the @tartaro record and try again.

Have a good weekend!

PS: Did you study at USP ?


I'm not 100% certain that that specific behavior is the reason for the problem, but I do think there seems to be a problem with successfully synchronizing your TXT record onto all of the nameservers that are responsible for your domain. So maybe you could have a further discussion with the people responsible for DNS about whether there is anything (whether the CNAME behavior that I noticed, or anything else) that could stop the TXT record from being correctly served by all nameservers.

You too!

Nope, but I have a friend who did, and I've given a guest lecture there (about the Let's Encrypt project)!


I'm initially a bit suspicious of the overall DNS configuration; for example one thing I notice is that the nameservers hemera.fsp.usp.br and tartaro.fsp.usp.br disagree with each other about the status of your TXT record. One of them serves a TXT record with a nonce for _acme-challenge, while the other one says this name is a CNAME to gerencial.fsp.usp.br.

Do I have to set up the TXT record on both nameservers, or only on @hemera and remove the offending record from @tartaro?

I ask because the domain name has other nameservers at @usp which fsp can't edit (e.g. a.dns.usp.br), and in their configuration there is no such _acme-challenge record.

Also, what is the documented timeout for DNS validation at the command prompt? (There is no info here: win-acme.) It timed out on the last try, after less than a couple of hours holding at the prompt (as I pasted above).

Thanks again,


The tricky thing is that the validator may choose to consult any of the authoritative nameservers for your domain in querying the TXT record. So, if the TXT record isn't successfully synchronized to all of them, the validation may fail.

If it's difficult for you to guarantee that the other USP nameservers start serving your TXT record promptly, you could consider making _acme-challenge a CNAME to a record in some other DNS zone (including under a different domain name, if necessary) where you can more easily update the nameservers. The validation will follow a CNAME.

I'm not sure! Maybe someone else can answer this?
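One way to do the check this thread keeps circling back to (query every authoritative nameserver directly, as with `dig @nameserver`, and only press Enter once all of them serve the new token) is the script below. It is an added example, not win-acme's or the poster's code; it assumes the dnspython package is installed, and the hostnames in the comments are only the ones mentioned in the thread.

```python
"""Check that every authoritative nameserver serves the ACME dns-01 TXT token.

Added example, not win-acme code. Assumes the dnspython package; check_sync()
is pure and runs offline, the two query helpers need network access."""
from typing import Dict


def check_sync(expected: str, answers: Dict[str, dict]) -> Dict[str, str]:
    """answers maps nameserver -> {"txt": [strings], "cname": target or None}.
    Returns {nameserver: problem} for each server not serving `expected`;
    an empty dict means all servers agree and the client may proceed."""
    problems: Dict[str, str] = {}
    for ns, a in answers.items():
        if expected in a["txt"]:
            continue
        if a.get("cname"):  # the tartaro-style case from the thread
            problems[ns] = f"name is a CNAME to {a['cname']}, no TXT token"
        elif a["txt"]:
            problems[ns] = f"stale token(s): {a['txt']}"
        else:
            problems[ns] = "no TXT record at all"
    return problems


def query_txt_on(ns_ip: str, name: str) -> dict:
    """Ask one nameserver directly (like `dig @ns name TXT`), bypassing
    recursive caches, and report the TXT strings and any CNAME returned."""
    import dns.exception, dns.rdatatype, dns.resolver  # dnspython
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [ns_ip]
    out: dict = {"txt": [], "cname": None}
    try:
        ans = r.resolve(name, "TXT", raise_on_no_answer=False)
    except dns.exception.DNSException as e:  # NXDOMAIN, timeout, SERVFAIL
        out["error"] = type(e).__name__
        return out
    for rrset in ans.response.answer:
        if rrset.rdtype == dns.rdatatype.CNAME:
            out["cname"] = str(rrset[0].target)
        elif rrset.rdtype == dns.rdatatype.TXT:
            out["txt"] += [b"".join(rr.strings).decode() for rr in rrset]
    return out


def authoritative_ips(name: str) -> Dict[str, str]:
    """Zone containing `name` -> its NS hosts -> {ns_hostname: IPv4}."""
    import dns.resolver
    zone = dns.resolver.zone_for_name(name)
    hosts = [str(rr.target) for rr in dns.resolver.resolve(zone, "NS")]
    return {h: dns.resolver.resolve(h, "A")[0].address for h in hosts}
```

To run it against a live zone, call `check_sync(token, {h: query_txt_on(ip, name) for h, ip in authoritative_ips(name).items()})` with `name` set to the `_acme-challenge.` record and `token` to the value win-acme printed; an empty result means every authoritative server agrees.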

Hi Schoen,

Well, the team identified the source configuration of the offending record, and now all nameservers are synced (with the old nonce).

We will try on Monday as soon as all nameservers update with new nonce.

Thanks for your support, and good weekend :)


Well, I made sure to query all nameservers with the dig @nameserver syntax, waited for all of them to update the TXT record, hit Enter at the prompt, and it didn't work :(

 Domain:             www.gerencial.fsp.usp.br
 Record:             _acme-challenge.www.gerencial.fsp.usp.br
 Type:               TXT
 Content:            "GfovYyZmDNcVzJqW49vaxWMsyjczFKJTItdF-i3puQ8"
 Note 1:             Some DNS control panels add quotes automatically. Only one set is required.
 Note 2:             Make sure your name servers are synchronised, this may take several minutes!

 Please press enter after you've created and verified the record

 [INFO] Answer should now be available at _acme-challenge.www.gerencial.fsp.usp.br
 [INFO] Preliminary validation looks good, but ACME will be more thorough...
 [WARN] First chance error calling into ACME server, retrying with new nonce...
 [EROR] Authorization timed out

Ok, it's renewed.

Actually there is one explanation and one unknown: I had to update win-acme to the latest version, 2.1.15 (it was v2.0.0.177), and when I ran the new version, it accepted the old nonce! I didn't have to bother the team with another DNS update.

Thanks for your support.


That's great! But I can promise you that the nonce for renewal in 90 days from now is going to be different, so I think you'll eventually want to find a more automated solution which doesn't require your colleagues to make manual DNS updates for you.

It's clear that manual DNS updates are a last resort for validation via Let's Encrypt and I would recommend that you don't use manual challenges unless you are just experimenting with Let's Encrypt.

Look at acme-dns and see if your team can set up an acme-dns server for the company to use; alternatively, ask them to provide a scripted way to add/remove TXT records.

