Random change validation failure

I'd like to report a very strange issue, as I need some help from Let's Encrypt team to investigate it (and determine if it's a bug on the LE side or our side).

We designed a system to issue certificates using Let's Encrypt and the DNS challenge. The system is completely automated, including the provisioning.

Today we had an issue with a specific certificate that contained 9 SAN names. All the 9 SAN names belong to the same domain, therefore the same DNS zone.

During the request process, the challenge verification succeeded for 9 names, 1 failed.
We restarted the process, and the failed one failed again.
We restarted the process, and the failed one succeeded.

In both cases, the error we got back was:

{"type": "urn:acme:error:unauthorized", "detail": "Correct value not found for DNS challenge", "status": 403}

Also, it's important to mention that:

  1. we perform a DNS lookup on an external system before requesting Let's Encrypt to validate the challenge DNS record
  2. the validation procedure was the same for all domains
  3. the content of the DNS record successfully resolved

I was unable to find any possible cause on our side; therefore, is there a way to know from Let's Encrypt:

  1. what was the expected record content (to understand why the "correct value was not found")
  2. whether the failure was correlated to some kind of DNS lookup error on Let's Encrypt side?

What's the best way to receive this kind of assistance that may involve disclosing sensitive information (such as the certificate domain and/or challenge details)?
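One way to answer the first question from the client side, as an added example that is not part of this thread or of any Let's Encrypt code: compute the TXT value DNS-01 expects from the account key and the challenge token (RFC 8555 section 8.4, RFC 7638 thumbprint) and compare it against what each authoritative nameserver returns. The account key, token and nameserver answers below are constructed; a real check would fill `answers` from queries to the zone's authoritative servers.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME/JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_expected_txt(token: str, account_jwk: dict) -> str:
    """TXT value the CA looks for at _acme-challenge.<name> (RFC 8555, section 8.4):
    base64url(SHA-256(token "." thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def check_authoritative_answers(expected: str, answers: dict) -> dict:
    """answers maps each authoritative nameserver to the TXT strings it returned for
    _acme-challenge.<name>. The CA asks the authoritative servers rather than a caching
    resolver, so one server that has not picked up the record yet can fail a challenge
    that a recursive lookup elsewhere reported as fine."""
    verdicts = {}
    for ns, txts in answers.items():
        if expected in txts:
            verdicts[ns] = "ok" if len(txts) == 1 else "ok-stale-records-present"
        elif txts:
            verdicts[ns] = "wrong-value"
        else:
            verdicts[ns] = "missing"
    return verdicts


if __name__ == "__main__":
    # Constructed sample data: not a real account key and not a real challenge token.
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    token = "constructed-token"
    expected = dns01_expected_txt(token, account_jwk)
    # Constructed answers: ns2 has not received the new record yet, so it would fail.
    answers = {"ns1.example": [expected], "ns2.example": []}
    print(expected, check_authoritative_answers(expected, answers))
```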

@cpu are you able to help with this?

@schoen Sure - I'll get the ball rolling from our side. Thanks for the mention!

@weppos Can you reach out to me via e-mail with the domains, your reg ID, the challenge information, and anything else you might think is valuable? Are you using an off-the-shelf ACME client/library?

My email is my username @letsencrypt.org

  • Daniel

@schoen @cpu thanks a lot, I appreciate the prompt response.

@cpu I sent you an email with the details.

Hi @weppos,

Can I confirm you sent that to cpu AT letsencrypt.org? I don't have an email from you in my inbox/spam folder.

I did :confused:

Aha! My mistake. I see it in my spam folder now. Apologies.

“Why is this message in Spam? It’s similar to messages that were detected by our spam filters. Learn more” :rolling_eyes:

I’ll move the conversation there.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.