I am using win-acme v2.0.0.177 and the DNS challenge for this local intranet address.
I've tried to renew my SSL certificate and, when optimizing waiting time and trying to speed up, I hit Enter right after the TXT record was configured on my name server.
Despite the embarrassment with my team, I would like to know if others had this issue.
(Now I've regenerated the nonce and I am patiently waiting for DNS propagation before hitting Enter on the TXT record confirmation prompt.)
Which renewal would you like to run?: 1
[INFO] Authorize identifier: www.gerencial.fsp.usp.br
[INFO] Authorizing www.gerencial.fsp.usp.br using dns-01 validation (Manual)
Domain: www.gerencial.fsp.usp.br
Record: _acme-challenge.www.gerencial.fsp.usp.br
Type: TXT
Content: "/* MY_NOUNCE */"
Note 1: Some DNS control panels add quotes automatically. Only one set is required.
Note 2: Make sure your name servers are synchronised, this may take several minutes!
Please press enter after you've created and verified the record
Could you also show the error that you got back from the certificate authority in response to this attempt?
I'm initially a bit suspicious of the overall DNS configuration; for example one thing I notice is that the nameservers hemera.fsp.usp.br and tartaro.fsp.usp.br disagree with each other about the status of your TXT record. One of them serves a TXT record with a nonce for _acme-challenge, while the other one says this name is a CNAME to gerencial.fsp.usp.br.
The wait was useless. I was monitoring propagation and since most DNS servers recognized the record, I hit Enter and got the response below:
[INFO] Answer should now be available at _acme-challenge.www.gerencial.fsp.usp.br
[INFO] Preliminary validation looks good, but ACME will be more thorough...
[WARN] First chance error calling into ACME server, retrying with new nonce...
[EROR] Authorization timed out
Domain: www.gerencial.fsp.usp.br
Record: _acme-challenge.www.gerencial.fsp.usp.br
Type: TXT
Content: "wKA_RXadKAj18kiY4vk7Vus6_QHoy89AJqA52zoH__8"
Please press enter after you've deleted the record
Thanks for the info about the conflicting records. On Monday I will ask the team to remove the @tartaro record and try again.
I'm not 100% certain that that specific behavior is the reason for the problem, but I do think that there seems to be a problem with successfully synchronizing your TXT record onto all of the nameservers that are responsible for your domain. So maybe you could have a further discussion with the people responsible for DNS about whether there is anything (whether the CNAME behavior that I noticed, or anything else) that could stop the TXT record from being correctly served by all nameservers.
You too!
Nope, but I have a friend who did, and I've given a guest lecture there (about the Let's Encrypt project)!
Do I have to set up the TXT record on both nameservers, or only in @hemera and remove the offending record from @tartaro?
I ask because the domain name has other nameservers @usp which fsp can't edit (e.g. a.dns.usp.br), and in their configuration there is no such _acme-challenge record.
Also, what is the documented timeout for DNS validation at the command prompt? (There is no info here: win-acme.) It did time out on the last try, after less than a couple of hours holding at the prompt (as I pasted above).
The tricky thing is that the validator may choose to consult any of the authoritative nameservers for your domain in querying the TXT record. So, if the TXT record isn't successfully synchronized to all of them, the validation may fail.
If it's difficult for you to guarantee that the other USP nameservers start serving your TXT record promptly, you could consider making _acme-challenge a CNAME to a record in some other DNS zone (including under a different domain name, if necessary) where you can more easily update the nameservers. The validation will follow a CNAME.
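The point above (the validator may ask any authoritative nameserver, so every one of them must serve the same TXT record) can be checked before pressing Enter. The following is an added example, not code from the thread or from win-acme: it parses `dig +noall +answer` output per nameserver and reports each server that would fail the dns-01 check, including the CNAME-instead-of-TXT disagreement seen in this thread. The nameserver names and the token are constructed placeholders.

```python
"""Check that every authoritative nameserver serves the same dns-01 TXT record."""
import subprocess
from typing import Dict, List, Tuple

Answer = Tuple[str, str]  # (record type, rdata) parsed from one dig answer line


def parse_dig_answer(output: str) -> List[Answer]:
    """Turn `dig +noall +answer` lines (name ttl class type rdata) into tuples."""
    answers = []
    for line in output.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            # TXT rdata comes back quoted; strip the quotes for comparison
            answers.append((parts[3], parts[4].strip().strip('"')))
    return answers


def query_nameserver(ns: str, name: str) -> List[Answer]:
    """Live lookup (assumes `dig` is installed); not exercised offline."""
    proc = subprocess.run(["dig", f"@{ns}", name, "TXT", "+noall", "+answer"],
                          capture_output=True, text=True, check=False)
    return parse_dig_answer(proc.stdout)


def check_consistency(expected: str, answers_by_ns: Dict[str, List[Answer]]) -> List[str]:
    """Return one problem per nameserver whose answer would not satisfy the validator.

    A CNAME is fine only if the TXT at its target (also in the answer) carries the token,
    which matches the 'validation will follow a CNAME' behaviour described above.
    """
    problems = []
    for ns, answers in answers_by_ns.items():
        txts = [rdata for rtype, rdata in answers if rtype == "TXT"]
        cnames = [rdata for rtype, rdata in answers if rtype == "CNAME"]
        if expected in txts:
            continue  # this server serves the token (directly or via CNAME target)
        if cnames and not txts:
            problems.append(f"{ns}: serves CNAME -> {cnames[0]} but no TXT with the token")
        elif txts:
            problems.append(f"{ns}: serves stale TXT {txts}, expected {expected!r}")
        else:
            problems.append(f"{ns}: no TXT record yet (not propagated)")
    return problems


# Constructed sample: two servers agree, one still has the old CNAME, one has nothing.
SAMPLE = {
    "ns1.example.test": parse_dig_answer('_acme-challenge.www.example.test. 300 IN TXT "EXAMPLE_TOKEN"'),
    "ns2.example.test": parse_dig_answer('_acme-challenge.www.example.test. 300 IN CNAME www.example.test.'),
    "ns3.example.test": parse_dig_answer(""),
}
```

Run `check_consistency("EXAMPLE_TOKEN", {ns: query_nameserver(ns, "_acme-challenge.www.example.test") for ns in (...)})` against the real NS set; an empty list means it is safe to press Enter.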
Well, I was sure to query all nameservers with the dig @nameserver syntax, waited for all of them to update the TXT record, hit Enter at the prompt, and it didn't work.
Domain: www.gerencial.fsp.usp.br
Record: _acme-challenge.www.gerencial.fsp.usp.br
Type: TXT
Content: "GfovYyZmDNcVzJqW49vaxWMsyjczFKJTItdF-i3puQ8"
Note 1: Some DNS control panels add quotes automatically. Only one set is required.
Note 2: Make sure your name servers are synchronised, this may take several minutes!
Please press enter after you've created and verified the record
[INFO] Answer should now be available at _acme-challenge.www.gerencial.fsp.usp.br
[INFO] Preliminary validation looks good, but ACME will be more thorough...
[WARN] First chance error calling into ACME server, retrying with new nonce...
[EROR] Authorization timed out
Actually there is one explanation and one incognito: I had to update win-acme to the latest version 2.1.15 (was v2.0.0.177), and when I ran the new version, it accepted the old nonce! I didn't have to bother the team with another DNS update.
That's great! But I can promise you that the nonce for renewal in 90 days from now is going to be different, so I think you'll eventually want to find a more automated solution which doesn't require your colleagues to make manual DNS updates for you.
It's clear that manual DNS updates are a last resort for validation via Let's Encrypt and I would recommend that you don't use manual challenges unless you are just experimenting with Let's Encrypt.
Look at acme-dns and see if your team can set up an acme-dns server for the company to use; alternatively, ask them to provide a scripted way to add/remove TXT records.