"Some challenges have failed." with Google Cloud DNS Plugin

Problem: I am not able to issue certificates as I previously was. I am not certain what I have done to change the outcome.

My domain is: 4tress.xyz

I ran this command: sudo certbot certonly

It produced this output:

Cleaning up challenges
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones?dnsName=4tress.xyz.&alt=json
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones/5530503249015506808/rrsets?name=_acme-challenge.4tress.xyz.&type=TXT&alt=json
URL being requested: POST https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones/5530503249015506808/changes?alt=json
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones?dnsName=4tress.xyz.&alt=json
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones/5530503249015506808/rrsets?name=_acme-challenge.4tress.xyz.&type=TXT&alt=json
URL being requested: POST https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones/5530503249015506808/changes?alt=json
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Some interesting bits I found in the log:

2023-11-28 19:34:30,840:DEBUG:acme.client:Storing nonce: DjWxb77NGzdsDvnYghm1pehNHvo3HpUC1-nrccN_JniuHkGk_RE
2023-11-28 19:34:30,841:INFO:certbot._internal.auth_handler:Challenge failed for domain 4tress.xyz
2023-11-28 19:34:30,842:INFO:certbot._internal.auth_handler:Challenge failed for domain 4tress.xyz
2023-11-28 19:34:30,842:INFO:certbot._internal.auth_handler:dns-01 challenge for 4tress.xyz
2023-11-28 19:34:30,842:INFO:certbot._internal.auth_handler:dns-01 challenge for 4tress.xyz
2023-11-28 19:34:30,843:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: dns-google). The Certificate Authority reported these problems:
  Domain: 4tress.xyz
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.4tress.xyz

  Domain: 4tress.xyz
  Type:   unauthorized
  Detail: During secondary validation: No TXT record found at _acme-challenge.4tress.xyz

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-google. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-google-propagation-seconds (currently 60 seconds).

2023-11-28 19:34:30,845:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-28 19:34:30,845:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-28 19:34:30,845:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-28 19:34:30,850:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2023-11-28 19:34:31,126:INFO:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/foundryvtt-341901/managedZones?dnsName=4tress.xyz.&alt=json
2023-11-28 19:34:31,127:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token

My web server is (include version):
Teleport
You can reference certificates as such

    https_keypairs:
    - key_file: /var/lib/teleport/webproxy_key.pem
      cert_file: /var/lib/teleport/webproxy_cert.pem
    - key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem
      cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem

The operating system my web server runs on is (include version):
Debian 12

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0.

I use a cli.ini file for certbot. It is the following.

staging = 1
preferred-challenges = dns
dns-google = 1
dns-google-credentials = /home/ruby/.secrets/credentials.json
verbose = 1
domain = 4tress.xyz, *.4tress.xyz

Relevant Information: I am having similar Let's Encrypt issues with Caddy server. You can read more about it here. I am not sure if they are related.

I appreciate everyone's time in advance.
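The hint in the log above (raise --dns-google-propagation-seconds) is a blind wait. The following is an added check, not from the original post, from certbot or from the dns-google plugin: it polls each authoritative nameserver for the _acme-challenge TXT record until every expected token is visible, so the wait is driven by what the CA's primary and secondary validators will actually see. It assumes the caller supplies the nameserver IPs and the challenge tokens, the live lookup uses the third-party dnspython package, and the function names (challenge_name, missing_tokens, wait_for_propagation) are hypothetical.

```python
"""Check that the dns-01 TXT records written by certbot's dns-google plugin are
visible at every authoritative nameserver before the CA validates. Let's Encrypt
also runs a "secondary validation" from other vantage points, so one nameserver
serving the record is not enough. (Added example; names are hypothetical.)"""
import time
from typing import Callable, Dict, Iterable, List

# A lookup takes (record_name, nameserver_ip) and returns the TXT strings found.
TxtLookup = Callable[[str, str], List[str]]

def challenge_name(domain: str) -> str:
    """A wildcard and its base domain share one challenge name (RFC 8555, 8.4)."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}."

def dnspython_lookup(name: str, nameserver: str) -> List[str]:
    """Live lookup against one nameserver; needs the third-party dnspython package."""
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [nameserver]
    try:
        answer = resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [b"".join(rdata.strings).decode() for rdata in answer]

def missing_tokens(domain: str, tokens: Iterable[str], nameservers: Iterable[str],
                   lookup: TxtLookup) -> Dict[str, List[str]]:
    """Map each nameserver to the expected tokens it does NOT serve yet."""
    name = challenge_name(domain)
    wanted = set(tokens)
    return {ns: sorted(wanted - set(lookup(name, ns))) for ns in nameservers}

def wait_for_propagation(domain: str, tokens: Iterable[str], nameservers: Iterable[str],
                         lookup: TxtLookup = dnspython_lookup, timeout: float = 60.0,
                         interval: float = 5.0, clock=time.monotonic, sleep=time.sleep) -> bool:
    """Poll until every nameserver serves every token, or give up at the timeout."""
    tokens, nameservers = list(tokens), list(nameservers)
    deadline = clock() + timeout
    while True:
        gaps = missing_tokens(domain, tokens, nameservers, lookup)
        if not any(gaps.values()):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)
```

For the wildcard plus base-domain order in the cli.ini above, two tokens must be present at the same name, which is why the check takes a list of tokens rather than one.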

I see you got a wildcard cert just hours ago. And, you actually got more than needed (see pic below). Although, your server is not using these more recent certs. It is using one issued Nov 21.

I see the error from your certbot command so I am a little puzzled about the actual problem.

Can you show result of this

sudo certbot certificates

Your recent cert history on crt.sh


I was told

Some challenges have failed

and referred here, so I thought something was wrong. I'll need to do more testing when I get home.

Here it is:

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following matching certs:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My Live folder:

ls
4tress.xyz  README  teleport.4tress.xyz

Using Let's Debug gives these results https://letsdebug.net/4tress.xyz/1730055

$ nmap -Pn -p80,443 4tress.xyz
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-09 11:30 PST
Nmap scan report for 4tress.xyz (68.13.176.197)
Host is up (0.087s latency).
rDNS record for 68.13.176.197: ip68-13-176-197.om.om.cox.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp closed   https

Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds

Best Practice - Keep Port 80 Open


But the DNS-01 Challenge is OK https://letsdebug.net/4tress.xyz/1730062


Thanks for the response. The DNS challenge with certbot wasn't an issue after all, like you suggested. This topic can be closed. I'm not sure what the issue was, but after a few days everything was back to normal.
