Posh-ACME errors "Authorization invalid" when generating certificate

I am using Posh-ACME to generate certificates for Veeam Cloud Connect using the Windows DNS plugin.
When I use New-PACertificate, TXT records get created on the DNS servers, and after the DNS sleep, at the validation step, a message appears: "Nonce rejected by ACME server. Retrying with updated nonce". The TXT records get deleted and the process fails.

Windows DNS/DC : Windows Server 2016

Any help is much appreciated.

Logs from the PowerShell console:
PS C:\Users\Administrator.TESTING> New-PACertificate storcloud-vcc-dev.syd.nsw.au.imase.io -AcceptTOS -Contact storage@aseit.com.au -FriendlyName storcloud-vcc-dev.syd.nsw.au.imase.io -Plugin Windows -PluginArgs @{WinServer='dev-sy3-dc2.testing.aseit.net'} -Verbose
VERBOSE: Updating directory info from https://acme-v02.api.letsencrypt.org/directory
VERBOSE: Using ACME Server https://acme-v02.api.letsencrypt.org/directory
VERBOSE: Using account 473122800
VERBOSE: Order name not specified, using 'storcloud-vcc-dev.syd.nsw.au.imase.io'
VERBOSE: Creating a new order 'storcloud-vcc-dev.syd.nsw.au.imase.io' for storcloud-vcc-dev.syd.nsw.au.imase.io
VERBOSE: Publishing challenge for Domain storcloud-vcc-dev.syd.nsw.au.imase.io with Token b-Xg2By7uXty1dix95HudVrgDZkj5rUorxXqBnQMq1E using Plugin Windows and DnsAlias ''.
VERBOSE: Connected to dev-sy3-dc2.testing.aseit.net
VERBOSE: Found imase.io
VERBOSE: Adding a TXT record for _acme-challenge.storcloud-vcc-dev.syd.nsw.au.imase.io with value Bn86VrREpJEkJwqJFiwvCMgMS6AgBGOC4Ng92UxuSJg
VERBOSE: Saving changes for Windows plugin
VERBOSE: Sleeping for 300 seconds while DNS change(s) propagate
VERBOSE: 240 seconds remaining to sleep
VERBOSE: 179 seconds remaining to sleep
VERBOSE: 119 seconds remaining to sleep
VERBOSE: 58 seconds remaining to sleep
VERBOSE: Requesting challenge validations
VERBOSE: Nonce rejected by ACME server. Retrying with updated nonce.
VERBOSE: Unpublishing challenge for Domain storcloud-vcc-dev.syd.nsw.au.imase.io with Token b-Xg2By7uXty1dix95HudVrgDZkj5rUorxXqBnQMq1E using Plugin Windows and DnsAlias ''.
VERBOSE: Connected to dev-sy3-dc2.testing.aseit.net
VERBOSE: Found imase.io
VERBOSE: Deleting _acme-challenge.storcloud-vcc-dev.syd.nsw.au.imase.io with value Bn86VrREpJEkJwqJFiwvCMgMS6AgBGOC4Ng92UxuSJg
VERBOSE: Saving changes for Windows plugin
Submit-ChallengeValidation : Authorization invalid for storcloud-vcc-dev.syd.nsw.au.imase.io: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.storcloud-vcc-dev.syd.nsw.au.imase.io - check that a DNS record exists for this domain
At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.13.1\Public\New-PACertificate.ps1:238 char:9

+         Submit-ChallengeValidation
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Authorization i...for this domain:String) [Submit-ChallengeValidation], RuntimeException
    + FullyQualifiedErrorId : Authorization invalid for storcloud-vcc-dev.syd.nsw.au.imase.io: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.storcloud-vcc-dev.syd.nsw.au.imase.io - check that a DNS record exists for this domain,Submit-ChallengeValidation

PS C:\Users\Administrator.TESTING>

Hey @nitish.chopra, I just responded to the issue you submitted on GitHub. If anyone cares to follow along, it's here.

My guess is that the Windows DNS server you're publishing the records to is an internal/LAN DNS server rather than the external/Internet DNS server for the imase.io domain. Let's Encrypt validation only works against authoritative Internet facing nameservers for a given domain.

2 Likes
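
The reply's diagnosis can be checked directly. The following is an added example, not part of the original posts and not Posh-ACME code: it finds the public nameservers for the zone and asks each one for the _acme-challenge TXT record, alongside the internal server. `Test-PublicAcmeTxt` is a hypothetical helper name and the `1.1.1.1` resolver is an assumption; `Resolve-DnsName` is the built-in DnsClient cmdlet.

```powershell
# Added example, not Posh-ACME code. Test-PublicAcmeTxt is a hypothetical helper name.
function Test-PublicAcmeTxt {
    param(
        [Parameter(Mandatory)][string]$Domain,         # name being validated
        [Parameter(Mandatory)][string]$ExpectedValue,  # TXT value shown in the verbose log
        [string]$InternalServer,                       # server the plugin wrote to (optional)
        [string]$PublicResolver = '1.1.1.1'            # assumption: any public recursive resolver
    )
    $record = "_acme-challenge.$Domain"

    # Walk up the labels until the public resolver answers with NS records.
    # That name is the publicly delegated zone that encloses the challenge record.
    $labels  = $Domain.Split('.')
    $nsHosts = @()
    for ($i = 0; $i -lt ($labels.Count - 1) -and -not $nsHosts; $i++) {
        $zone    = $labels[$i..($labels.Count - 1)] -join '.'
        $nsHosts = @(Resolve-DnsName -Name $zone -Type NS -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'NS' } |
            Select-Object -ExpandProperty NameHost)
    }
    if (-not $nsHosts) { throw "No public NS records found for any parent of $Domain" }

    # Ask every public authoritative server directly, then the internal one for comparison.
    $targets = @($nsHosts | ForEach-Object { [pscustomobject]@{ Server = $_; Role = "public NS for $zone" } })
    if ($InternalServer) {
        $targets += [pscustomobject]@{ Server = $InternalServer; Role = 'internal (plugin target)' }
    }
    foreach ($t in $targets) {
        $txt = @(Resolve-DnsName -Name $record -Type TXT -Server $t.Server -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' })
        [pscustomobject]@{
            Server = $t.Server
            Role   = $t.Role
            Found  = $txt -contains $ExpectedValue   # False on a public NS means validation will fail
            Values = $txt -join ', '
        }
    }
}

# Values copied from the verbose log; run while the TXT record is still published.
Test-PublicAcmeTxt -Domain 'storcloud-vcc-dev.syd.nsw.au.imase.io' `
    -ExpectedValue 'Bn86VrREpJEkJwqJFiwvCMgMS6AgBGOC4Ng92UxuSJg' `
    -InternalServer 'dev-sy3-dc2.testing.aseit.net' | Format-Table -AutoSize
```

If the internal row shows Found = True while every public row shows False, the record exists only on the LAN DNS server, which matches the NXDOMAIN in the error above.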
