"Some challenges have failed." with Google Cloud DNS Plugin

rubydotexe · November 29, 2023, 2:13am

Problem: I am not able to issue certificates like I previously was able before. I am not certain of what I have done to change the outcome.

My domain is: 4tress.xyz

I ran this command: sudo certbot certonly

It produced this output:

Cleaning up challenges
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones?dnsName=4tress.xyz.&alt=json
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones/5530503249015506808/rrsets?name=_acme-challenge.4tress.xyz.&type=TXT&alt=json
URL being requested: POST https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones/5530503249015506808/changes?alt=json
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones?dnsName=4tress.xyz.&alt=json
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones/5530503249015506808/rrsets?name=_acme-challenge.4tress.xyz.&type=TXT&alt=json
URL being requested: POST https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones/5530503249015506808/changes?alt=json
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Some interesting bits I found in the log:

2023-11-28 19:34:30,840:DEBUG:acme.client:Storing nonce: DjWxb77NGzdsDvnYghm1pehNHvo3HpUC1-nrccN_JniuHkGk_RE
2023-11-28 19:34:30,841:INFO:certbot._internal.auth_handler:Challenge failed for domain 4tress.xyz
2023-11-28 19:34:30,842:INFO:certbot._internal.auth_handler:Challenge failed for domain 4tress.xyz
2023-11-28 19:34:30,842:INFO:certbot._internal.auth_handler:dns-01 challenge for 4tress.xyz
2023-11-28 19:34:30,842:INFO:certbot._internal.auth_handler:dns-01 challenge for 4tress.xyz
2023-11-28 19:34:30,843:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: dns-google). The Certificate Authority reported these problems:
  Domain: 4tress.xyz
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.4tress.xyz

  Domain: 4tress.xyz
  Type:   unauthorized
  Detail: During secondary validation: No TXT record found at _acme-challenge.4tress.xyz

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-google. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-google-propagation-seconds (currently 60 seconds).

2023-11-28 19:34:30,845:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-28 19:34:30,845:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-28 19:34:30,845:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-28 19:34:30,850:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2023-11-28 19:34:31,126:INFO:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones?dnsName=4tress.xyz.&alt=json
2023-11-28 19:34:31,127:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token

My web server is (include version):
Teleport
You can reference certificates as such

    https_keypairs:
    - key_file: /var/lib/teleport/webproxy_key.pem
      cert_file: /var/lib/teleport/webproxy_cert.pem
    - key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem
      cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem

The operating system my web server runs on is (include version):
Debian 12

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0.

I use a cli.ini file for certbot. It is the following.

staging = 1
preferred-challenges =  dns 
dns-google = 1                                                
dns-google-credentials = /home/ruby/.secrets/credentials.json 
verbose = 1
domain = 4tress.xyz, *.4tress.xyz

Relevant Information: I am having similar let's encrypt issues with Caddy server. You can read more about it here. I am not sure if they are related.

I appreciate everyone's time in advance.

MikeMcQ · November 29, 2023, 3:19am

I see you got a wildcard cert just hours ago. And, you actually get more than needed (see pic below). Although, your server is not using these more recent certs. It is using one issued Nov21.

I see the error from your certbot command so am a little puzzled about the actual problem.

Can you show result of this

sudo certbot certificates

Your recent cert history on crt.sh

rubydotexe · November 30, 2023, 2:55pm

I was told

Some challenges have failed

and referred here, so I thought something was wrong. I'll need to do more testing when I get home.

rubydotexe · December 9, 2023, 4:39pm

Here it is:

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following matching certs:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My Live folder:

ls
4tress.xyz  README  teleport.4tress.xyz

Bruce5051 · December 9, 2023, 7:31pm

Using Let's Debug gives these results https://letsdebug.net/4tress.xyz/1730055

$ nmap -Pn -p80,443 4tress.xyz
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-09 11:30 PST
Nmap scan report for 4tress.xyz (68.13.176.197)
Host is up (0.087s latency).
rDNS record for 68.13.176.197: ip68-13-176-197.om.om.cox.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp closed   https

Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds

Best Practice - Keep Port 80 Open

Bruce5051 · December 9, 2023, 7:33pm

But the DNS-01 Challenge is OK https://letsdebug.net/4tress.xyz/1730062

rubydotexe · December 27, 2023, 1:49pm

Thanks for the response. The DNS challenge with certbot wasn't an issue after all, like you suggested. This topic can be closed. I'm not sure what the issue was, but after a few days everything was back to normal.

system · January 26, 2024, 1:50pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot-dns-google Problems Help	7	3163	October 21, 2020
DNS-01 challenge, Error finding zone. Skipping cleanup Help	9	2696	June 17, 2019
Dns-google plugin failure to find managed domains Help	16	3508	April 27, 2019
Dns-google how-to? Help	18	5719	June 19, 2021
Cannot perform dns challenge on GCE Help	13	1253	October 31, 2020

"Some challenges have failed." with Google Cloud DNS Plugin

Related topics