Staging server refers to TXT-records that have been deleted

I’m using Apache httpd with mod-md, to set up using dns-01 on the staging environment. Ordering seems to work, and the TXT-records have been created as requested. The domain lives with cloudflare, and the TXT-records have TTL=120

There has been a lot of back-and-forth with many restarts, so there has been many TXT records created.

My main question now is that the staging server keeps returning an error message that refers to a TXT record that was deleted more than 12 hours ago. It sounds like the letsencrypt staging server refers to old DNS-data, which again sounds weird. Is this significant? What should I do?

The current error message: is “Incorrect TXT record \“jh84NoW5kYUY5Lym5iDr1dIntuaLxba1TYT2P3-yZJE\” (and 2 more) found at _acme-challenge.dev.iknowbase.net”, while the current records (unchanged since yesterday) are other ones:

{\n “identifier”: {\n “type”: “dns”,\n “value”: “dev.iknowbase.net”\n },\n “status”: “invalid”,\n “expires”: “2020-03-31T16:32:04Z”,\n “challenges”: [\n {\n “type”: “dns-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:ietf:params:acme:error:unauthorized”,\n “detail”: “Incorrect TXT record \“jh84NoW5kYUY5Lym5iDr1dIntuaLxba1TYT2P3-yZJE\” (and 2 more) found at _acme-challenge.dev.iknowbase.net”,\n “status”: 403\n },\n “url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/45300225/YUGuGA”,\n “token”: “(removed)”\n }\n ]\n}

Here is the latest TXT record being created

[Tue Mar 24 17:32:06.310382 2020] [md:info] [pid 7:tid 140205830121216] cmd(/usr/local/apache2/conf.local/mdchallenge.sh) stderr: Operation: setup dev.iknowbase.net D3R2mrzPK5fPKSk0hhZCYVg3nbl8QY0aN2PkjG0Tlvc\n

Latest hourly verification messages

[Wed Mar 25 13:00:55.863399 2020] [md:trace1] [pid 7:tid 140205830121216] md_curl.c(239): request --> GET https://acme-staging-v02.api.letsencrypt.org/directory
[Wed Mar 25 13:00:56.615524 2020] [md:trace2] [pid 7:tid 140205830121216] md_acme.c(706): response: {\n “(removed)”: “Adding random entries to the directory”,\n “keyChange”: “https://acme-staging-v02.api.letsencrypt.org/acme/key-change”,\n “meta”: {\n “caaIdentities”: [\n “letsencrypt.org”\n ],\n “termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,\n “website”: “https://letsencrypt.org/docs/staging-environment/”\n },\n “newAccount”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-acct”,\n “newNonce”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce”,\n “newOrder”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-order”,\n “revokeCert”: “https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert”\n}
[Wed Mar 25 13:00:57.864462 2020] [md:trace2] [pid 7:tid 140205830121216] md_acme.c(310): response: {\n “key”: {\n “kty”: “RSA”,\n “n”: “(removed)”,\n “e”: “AQAB”\n },\n “contact”: [\n “mailto:iknowbase-dev@acando.no”\n ],\n “initialIp”: “91.184.143.252”,\n “createdAt”: “2020-03-24T16:32:03Z”,\n “status”: “valid”\n}

[Wed Mar 25 13:00:57.865010 2020] [md:debug] [pid 7:tid 140205830121216] md_acme.c(363): sending req: GET https://acme-staging-v02.api.letsencrypt.org/acme/order/12885695/80959437
[Wed Mar 25 13:00:58.479189 2020] [md:trace2] [pid 7:tid 140205830121216] md_acme.c(310): response: {\n “status”: “invalid”,\n “expires”: “2020-03-31T16:32:04Z”,\n “identifiers”: [\n {\n “type”: “dns”,\n “value”: “dev.iknowbase.net”\n }\n ],\n “authorizations”: [\n “https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/45300225”\n ],\n “finalize”: “https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12885695/80959437”\n}

[Wed Mar 25 13:00:58.482853 2020] [md:debug] [pid 7:tid 140205830121216] md_acme.c(363): sending req: GET https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/45300225
[Wed Mar 25 13:00:59.090442 2020] [md:trace2] [pid 7:tid 140205830121216] md_acme.c(310): response: {\n “identifier”: {\n “type”: “dns”,\n “value”: “dev.iknowbase.net”\n },\n “status”: “invalid”,\n “expires”: “2020-03-31T16:32:04Z”,\n “challenges”: [\n {\n “type”: “dns-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:ietf:params:acme:error:unauthorized”,\n “detail”: “Incorrect TXT record \“jh84NoW5kYUY5Lym5iDr1dIntuaLxba1TYT2P3-yZJE\” (and 2 more) found at _acme-challenge.dev.iknowbase.net”,\n “status”: 403\n },\n “url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/45300225/YUGuGA”,\n “token”: “phShZscbPna0AgQFHoZHPG0i8zZasnvNZbdFulhx8Ec”\n }\n ]\n}

+++++

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: iknowbase.net / dev.iknowbase.net

I ran this command:

I use Apache httpd with mod_md, and have set up using the staging server.

It produced this output:

My web server is (include version): Apache httpd/2.4.41

The operating system my web server runs on is (include version):

Running in docker, with a super simple Dockerfile:
FROM httpd:2.4.41
RUN set -x && apt update && apt-get install -y ca-certificates libapache2-mod-auth-openidc libapache2-mod-md jq curl

root@22fa4035d583:/usr/local/apache2# cat /etc/os-release
PRETTY_NAME=“Debian GNU/Linux 10 (buster)”

root@22fa4035d583:/usr/local/apache2# apt list libapache2-mod-md
Listing… Done
libapache2-mod-md/stable,stable,now 2.4.38-3+deb10u3 amd64 [installed]

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
mod-md 2.4.38

1 Like

Ensure all your DNS servers are up-to-date (synchronized).
[and delete any records you no longer need]

It can be, if they are out-of-sync, new renewals may hit that “bad” DNS and fail.

[I doubt this is the case with your CloudFlare DNS, but it is just general advice]

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.