There seems to be a difference between the Let's Encrypt staging and production servers


#1

Hi,

I used this Let's Encrypt client: https://github.com/komuW/sewer
and Cloudflare is my DNS provider.

When using the CLI of that Let's Encrypt client against the Let's Encrypt staging endpoint, everything works. However, when I switch to the production/live Let's Encrypt endpoint, things do not work; I get the error: No TXT records found for DNS challenge

Here are the logs while using the Let's Encrypt staging endpoint:
CLOUDFLARE_EMAIL=example CLOUDFLARE_API_KEY=example CLOUDFLARE_DNS_ZONE_ID=example sewer --dns cloudflare --action run --email test@gmail.com --domains staging.amqphosting.com --endpoint staging

2017-07-16 16:48.04 chosen_dns_provider message=Using cloudflare as dns provider.
2017-07-16 16:48.04 create_certificate_key client_name=ACMEclient
2017-07-16 16:48.04 create_csr client_name=ACMEclient
2017-07-16 16:48.04 get_certificate_chain client_name=ACMEclient
2017-07-16 16:48.06 get_certificate_chain_response client_name=ACMEclient status_code=200
2017-07-16 16:48.06 create_account_key client_name=ACMEclient
2017-07-16 16:48.07 write_account_key message=account key succesfully written to current directory.

2017-07-16 16:48.27 create_cloudflare_dns_record_response dns_provider_name=cloudflare response={u'errors': [], u'messages': [], u'result': {u'proxiable': False, u'locked': False, u'name': u'_acme-challenge.staging.amqphosting.com', u'proxied': False, u'content': u'QsORyCVovq41vGUhS78KNHAtEPGNhXwMzvdlNz___ok', u'created_on': u'2017-07-16T13:48:27.220355Z', u'meta': {u'auto_added': False}, u'ttl': 1, u'modified_on': u'2017-07-16T13:48:27.220355Z', u'zone_name': u'amqphosting.com', u'type': u'TXT', u'id': u'6ac2196cb6d2400dcf6ad3eb455d4e5d', u'zone_id': u'812286a52c9bc8ae5f210b77d1384a41'}, u'success': True} status_code=200
2017-07-16 16:48.27 notify_acme_challenge_set ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.27 make_signed_acme_request ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.27 get_acme_header ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.32 sign_message ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.34 notify_acme_challenge_set_response ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com response={u'status': u'pending', u'keyAuthorization': u'EvWapKhciXEEmr1i-DMavkMwkv5AstHt2U9wkYnuW6U.bvc7NiMDNxj87N1kMD7ZjHZ22_J1K-Gu1tXDdW7IVCg', u'token': u'EvWapKhciXEEmr1i-DMavkMwkv5AstHt2U9wkYnuW6U', u'type': u'dns-01', u'uri': u'https://acme-staging.api.letsencrypt.org/acme/challenge/wYej7IOXOg5Aqi04pLzt2sgOtatBqZcTLe95WLlp8K0/48404274'} status_code=202

2017-07-16 16:48.34 check_challenge ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.41 check_challenge_status_response ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com number_of_checks=1 response={u'status': u'valid', u'validationRecord': [{u'addressesTried': [], u'hostname': u'staging.amqphosting.com', u'addressUsed': u'', u'port': u'', u'addressesResolved': []}], u'keyAuthorization': u'EvWapKhciXEEmr1i-DMavkMwkv5AstHt2U9wkYnuW6U.bvc7NiMDNxj87N1kMD7ZjHZ22_J1K-Gu1tXDdW7IVCg', u'uri': u'https://acme-staging.api.letsencrypt.org/acme/challenge/wYej7IOXOg5Aqi04pLzt2sgOtatBqZcTLe95WLlp8K0/48404274', u'token': u'EvWapKhciXEEmr1i-DMavkMwkv5AstHt2U9wkYnuW6U', u'type': u'dns-01'} status_code=202

2017-07-16 16:48.41 delete_dns_record dns_provider_name=cloudflare
2017-07-16 16:48.49 delete_dns_record_response dns_provider_name=cloudflare response={u'errors': [], u'messages': [], u'result': {u'id': u'6ac2196cb6d2400dcf6ad3eb455d4e5d'}, u'success': True} status_code=200
2017-07-16 16:48.49 get_certicate ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.49 make_signed_acme_request ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.49 get_acme_header ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.51 sign_message ACME_CERTIFICATE_AUTHORITY_URL=https://acme-staging.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=staging.amqphosting.com
2017-07-16 16:48.54 the_end message=Certificate Succesfully issued. The certificate, certificate key and account key have been saved in the current directory

And here are the logs when using the production endpoint:
CLOUDFLARE_EMAIL=example CLOUDFLARE_API_KEY=example CLOUDFLARE_DNS_ZONE_ID=example sewer --dns cloudflare --action run --email test@gmail.com --domains production.amqphosting.com --endpoint production

2017-07-16 14:37.20 chosen_dns_provider message=Using cloudflare as dns provider.
2017-07-16 14:37.20 create_certificate_key client_name=ACMEclient
2017-07-16 14:37.21 create_csr client_name=ACMEclient
2017-07-16 14:37.21 get_certificate_chain client_name=ACMEclient
2017-07-16 14:37.21 get_certificate_chain_response client_name=ACMEclient status_code=200
2017-07-16 14:37.21 create_account_key client_name=ACMEclient
2017-07-16 14:37.21 write_account_key message=account key succesfully written to current directory.

2017-07-16 14:37.24 create_cloudflare_dns_record_response dns_provider_name=cloudflare response={u'errors': [], u'messages': [], u'result': {u'proxiable': False, u'locked': False, u'name': u'_acme-challenge.production.amqphosting.com', u'proxied': False, u'content': u'BqxVZ3T9YM0Iy3pdwJO8yEAemQTm-q3QMMITtYHoU-k', u'created_on': u'2017-07-16T14:37:24.657203Z', u'meta': {u'auto_added': False}, u'ttl': 1, u'modified_on': u'2017-07-16T14:37:24.657203Z', u'zone_name': u'amqphosting.com', u'type': u'TXT', u'id': u'a66998bc9b76351c2ade26b28348ca18', u'zone_id': u'812286a52c9bc8ae5f210b77d1384a41'}, u'success': True} status_code=200
2017-07-16 14:37.24 notify_acme_challenge_set ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com
2017-07-16 14:37.24 make_signed_acme_request ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com
2017-07-16 14:37.24 get_acme_header ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com
2017-07-16 14:37.24 sign_message ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com
2017-07-16 14:37.25 notify_acme_challenge_set_response ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com response={u'status': u'pending', u'keyAuthorization': u'uqgkxjV61LOaxGrvQzC0lX8xPPj731k4pdsVpwHJY_g.PvhI24jYZ67gFBch_g-5n5nDr-j3CxBEqsM-ZtiEx00', u'token': u'uqgkxjV61LOaxGrvQzC0lX8xPPj731k4pdsVpwHJY_g', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/ZHcJ_ixppQwIknE19MpPUvFLCC3o6YhIVEGo8d1I-Ww/1556759370'} status_code=202

2017-07-16 14:37.25 check_challenge ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com
2017-07-16 14:37.29 check_challenge_status_response ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com number_of_checks=1 response={u'status': u'invalid', u'keyAuthorization': u'uqgkxjV61LOaxGrvQzC0lX8xPPj731k4pdsVpwHJY_g.PvhI24jYZ67gFBch_g-5n5nDr-j3CxBEqsM-ZtiEx00', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/ZHcJ_ixppQwIknE19MpPUvFLCC3o6YhIVEGo8d1I-Ww/1556759370', u'token': u'uqgkxjV61LOaxGrvQzC0lX8xPPj731k4pdsVpwHJY_g', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'No TXT records found for DNS challenge'}, u'type': u'dns-01'} status_code=202
.
.
15 other check_challenge log events here (it looks like the ACME client checks the challenge up to 15 times, with about 4 seconds between each check)
.
.
2017-07-16 14:37.32 check_challenge_status_response ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com number_of_checks=16 response={u'status': u'invalid', u'keyAuthorization': u'uqgkxjV61LOaxGrvQzC0lX8xPPj731k4pdsVpwHJY_g.PvhI24jYZ67gFBch_g-5n5nDr-j3CxBEqsM-ZtiEx00', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/ZHcJ_ixppQwIknE19MpPUvFLCC3o6YhIVEGo8d1I-Ww/1556759370', u'token': u'uqgkxjV61LOaxGrvQzC0lX8xPPj731k4pdsVpwHJY_g', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'No TXT records found for DNS challenge'}, u'type': u'dns-01'} status_code=202

2017-07-16 14:37.32 check_challenge ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient client_version=0.2.1 domain_name=production.amqphosting.com error=Number of checks done is 16 which is greater than the maximum allowed of 15.

The error from the Let's Encrypt production server for all those 15 checks is: No TXT records found for DNS challenge

I immediately used a DNS client (dig), and we can see that the TXT record exists:

dig _acme-challenge.production.amqphosting.com -t TXT
;; ANSWER SECTION:
_acme-challenge.production.amqphosting.com. 299 IN TXT "BqxVZ3T9YM0Iy3pdwJO8yEAemQTm-q3QMMITtYHoU-k"
;; Query time: 24 msec


#2

hi @amqphosting

Is there a particular reason you chose to ignore the suggested questions and not fill them out?

Pasting a full log instead of answering the questions increases the time it takes to find out basic information, for example the domains.

As you are using a client that is developed independently, probably the best course of action is to submit a GitHub issue to the writer of the client.

It could be that the challenge is not properly set up. What I mean by that is that even though the record is created in DNS, it's not the correct record.

Note: certbot (the officially supported client) now supports the CloudFlare DNS API, so it is worthwhile having a go at it.

Andrei
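The check Andrei describes (the record exists, but is it the right value?) can be done offline from what is already in the logs: for a dns-01 challenge the CA expects the TXT record at _acme-challenge.<domain> to contain base64url(SHA-256(keyAuthorization)) without padding, where keyAuthorization is the "token.thumbprint" string in the notify_acme_challenge_set_response lines. This is an added example, not part of the thread or of the sewer client; the function names and the dig-output parser are mine, and the embedded values are copied from the production run in #1.

```python
import base64
import hashlib
import re

# Added example, not sewer's code. RFC 8555 §8.4: the dns-01 TXT value is
# base64url(SHA-256(keyAuthorization)) with the '=' padding removed, and
# keyAuthorization is "<token>.<account key thumbprint>".

def dns01_txt_value(key_authorization: str) -> str:
    """Return the TXT value the CA will look for given a keyAuthorization."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

# One TXT line from dig's ANSWER SECTION, e.g.
#   _acme-challenge.example.com. 299 IN TXT "value"
_DIG_TXT = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+"([^"]*)"')

def parse_dig_txt(answer_section: str) -> dict:
    """Map each owner name in dig's TXT answer lines to its list of values."""
    records = {}
    for line in answer_section.splitlines():
        m = _DIG_TXT.match(line.strip())
        if m:
            name = m.group(1).rstrip(".").lower()
            records.setdefault(name, []).append(m.group(3))
    return records

def check_dns01(domain: str, key_authorization: str, answer_section: str) -> dict:
    """Compare the value the CA expects with what the resolver actually returns."""
    expected = dns01_txt_value(key_authorization)
    name = f"_acme-challenge.{domain}".lower()
    observed = parse_dig_txt(answer_section).get(name, [])
    if not observed:
        verdict = "no TXT record at " + name
    elif expected in observed:
        verdict = "match"
    else:
        verdict = "record present but value differs from keyAuthorization digest"
    return {"name": name, "expected": expected, "observed": observed, "verdict": verdict}

if __name__ == "__main__":
    # keyAuthorization and dig answer copied from the production run in #1.
    key_auth = ("uqgkxjV61LOaxGrvQzC0lX8xPPj731k4pdsVpwHJY_g."
                "PvhI24jYZ67gFBch_g-5n5nDr-j3CxBEqsM-ZtiEx00")
    dig_answer = ('_acme-challenge.production.amqphosting.com. 299 IN TXT '
                  '"BqxVZ3T9YM0Iy3pdwJO8yEAemQTm-q3QMMITtYHoU-k"')
    print(check_dns01("production.amqphosting.com", key_auth, dig_answer))
```

A "match" verdict means the published record is what the CA computes, so a "No TXT records found" error then points at resolution (propagation, a cached negative answer, or the wrong zone being served) rather than at the record's content.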


#3

@ahaw021 Hi thanks.

I hadn’t seen the questions.

Here are the answers.

My domain is:
production.amqphosting.com

I ran this command:
CLOUDFLARE_EMAIL=example CLOUDFLARE_API_KEY=example CLOUDFLARE_DNS_ZONE_ID=example sewer --dns cloudflare --action run --email test@gmail.com --domains production.amqphosting.com --endpoint production

It produced this output:
No TXT records found for DNS challenge

My web server is (include version):

N/A

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Cloudflare as DNS provider

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A

The problem really was that when I run the same command against the staging Let's Encrypt server, I get certificates, but not when using the production Let's Encrypt server.

I’ll give another client a shot.


#4

Everything works now.

We were hitting some rate limits.

I looked for a way to close this topic but I couldn’t find any.


#5

There’s a way to mark a post as a solution, which marks the topic resolved, shows a little check in a box next to it.

That would be the best way.


#6

Topics auto-close after 30 days, I believe.

Great that you found the solution, though the logs don't point to a rate limit error :frowning:

Enjoy Let’s Encrypt Certificates

Andrei
