I'd like to report a very strange issue, as I need some help from Let's Encrypt team to investigate it (and determine if it's a bug on the LE side or our side).
We designed a system to issue certificates using Let's Encrypt and the DNS challenge. The system is completely automated, including the provisioning.
Today we had an issue with a specific certificate that contained 9 SAN names. All the 9 SAN names belong to the same domain, therefore the same DNS zone.
During the request process, the challenge verification succeeded for 9 names, 1 failed.
We restarted the process, and the failed one failed again.
We restarted the process, and the failed one succeeded.
In both cases, the error we got back was:
{"type": "urn:acme:error:unauthorized", "detail": "Correct value not found for DNS challenge", "status": 403}
Also, it's important to mention that:
- we perform a DNS lookup on an external system before requesting Let's Encrypt to validate the challenge DNS record
- the validation procedure was the same for all domains
- the content of the DNS record successfully resolved
I was unable to find any possible cause on our side; therefore, is there a way to know from Let's Encrypt:
- what was the expected record content (to understand why the "correct value was not found")
- whether the failure was correlated to some kind of DNS lookup error on Let's Encrypt side?
What's the best way to receive this kind of assistance that may involve disclosing sensitive information (such as the certificate domain and/or challenge details)?
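As an added illustration (not the poster's code or Let's Encrypt's), here is how a DNS-01 pre-flight check can compute the expected TXT value the post asks about (RFC 8555 section 8.4, with the account-key thumbprint from RFC 7638) and compare it against what each authoritative nameserver answers, since one server that has not yet received the zone update is enough to produce an intermittent "Correct value not found" result. The account key, token and nameserver answers below are constructed.

```python
import base64
import hashlib
import json
from typing import Dict, Iterable, List


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires for ACME values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the
    required JWK members, keys in lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Value the CA expects in the _acme-challenge TXT record (RFC 8555 8.4):
    base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def lagging_nameservers(expected: str, answers: Dict[str, Iterable[str]]) -> List[str]:
    """Given the TXT strings each authoritative nameserver returned when queried
    directly, return the servers that do not yet serve the expected value.
    A single lagging server can make the CA report 'Correct value not found'."""
    return sorted(ns for ns, txt in answers.items() if expected not in set(txt))


# Constructed sample data: not a real account key, token or zone.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "constructed-challenge-token"


def sample_preflight() -> List[str]:
    """Simulated pre-flight for one SAN: two nameservers serve the new record,
    one still serves the value of an earlier challenge for the same name."""
    expected = dns01_txt_value(SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK))
    stale = dns01_txt_value("previous-token", jwk_thumbprint(SAMPLE_JWK))
    answers = {
        "ns1.example.net.": [expected],
        "ns2.example.net.": [stale],            # not yet updated after the zone push
        "ns3.example.net.": [stale, expected],  # old and new both present: passes
    }
    return lagging_nameservers(expected, answers)


if __name__ == "__main__":
    print("lagging nameservers:", sample_preflight())
```

In practice the `answers` dict would be filled by querying each NS listed for the zone directly (bypassing recursive caches), and validation would be triggered only when the list returned is empty.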