https://acme-staging.api.letsencrypt.org/acme/challenge//147456321 [invalid]
The key authorization file from the server did not match this challenge [Xj0dxuyZd5xiMMgJlCvn_yhVLA9JqPd6eI132y2lw9I.ZfeL86GSKOypsQmBSNW_Q8ng0-h-CWQdEBSsLqi4LNY] != []
If I understand it correctly, you use the API with your own parameters.
This means: there is the correct file, but the content of this file is empty. Instead, it must be a combination of the token, a dot and a hash value of your account key.
Perhaps your API needs an update. Or you are using the functions with wrong parameters.
Hi @JuergenAuer This API is returning the error for this specific domain. For other domains it's working fine. So an API update won't be the issue, I guess. I am using the http-01 ACME challenge to register the cert.
@JuergenAuer We don't create these files; we are using an SNI callback to generate certs on the fly. LetsEncrypt is creating all these files. We are using leStore to store the generated certs and challenges.
Which node library are you using to perform the certificate orchestration? Can you show a minimal standalone piece of code that exhibits the issue? There’s not a lot to go on here, because it comes down to your usage of the library.
We are using the letsencrypt.middleware API, and then for registering a domain we are using the letsencrypt.register API, which sends the challenge to the domain and generates the cert for this domain.
@JuergenAuer The logs I got while running letsEncrypt in debug mode are these:
[le/lib/core.js] checkAsync failed to find certificates
[le/lib/core.js] calling le.acme.getCertificateAsync [ 'docs.gluapi.com' ]
[le/lib/core.js] setChallenge called for 'docs.gluapi.com'
[le/lib/core.js] removeChallenge called for 'docs.gluapi.com'
This log indicates that the challenge was successfully created and removed. This log is the same for successful cert generation and for this domain. After this, we get the error mentioned in the above comments. I checked the challenge token and secret for both a successful domain and this domain; there is nothing different, the same strings are generated as token and secret.
@JuergenAuer Just one more question: if the parent domain gluapi.com doesn't contain an A record, will this cause an issue while generating the cert from letsEncrypt?
@JuergenAuer No, we don’t store any challenge files. We just store token and secret in LeChallenge store which is the database in our case. And the entries from database gets deleted with each cert registration attempt.
@JuergenAuer Also, these IP addresses will not cause any issues, as the CNAME for this domain is pointed to one of the machines. So this domain docs.gluapi.com just has a CNAME pointed to some service, and there is no A record for it or its parent domain (gluapi.com). Just want to confirm I can generate the certificate using letsEncrypt in this situation?
Hi @JuergenAuer Thanks for providing this information. This removed lot of confusion. I want to know if it is possible to get information from which account these certs have been created. Can we get that information?
I’m afraid we can’t offer that level of hands-on help in this case. I would recommend adding more logging to your client, so you can debug similar issues in the future. Thanks!