Unable to complete dns-01 challenge on a multi-domain certificate request


#1

My domain is: asistv.org (among others, see command for all, ) - but this is the one I am having issues with.

I ran this command (limited output because ‘As a new member, you can only insert 20 URLs per post’…):

sudo certbot -d asisfoundation.org -d www.asisfoundation.org -d <8 removed per above comment> -d protectionofassets.com -d www.protectionofassets.com -d asistv.org -d www.asistv.org -d securityexpo.org -d www.securityexpo.org -d <4 more removed> -d asisonline.eu -d www.asisonline.eu -d securitycares.com -d www.securitycares.com --manual --preferred-challenges dns certonly

It produced this output (Slashes ‘/’ added to try and make them ‘not a URL’):

Failed authorization procedure. www.asistv./org (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.www.asistv./org, asistv./org (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge./asistv./org

The operating system my web server runs on is (include version): 18.04.1 LTS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
certbot 0.23.0

I’m trying to figure out what is happening here. When I first ran the above command, I noted down the TXT record results of all 24 requests, cancelled the command before fully completing it, and proceeded to add the TXT records to all of the various domains on our DNS provider. I then began to run the command again to ensure that the DNS challenge string did not change upon previously cancelling the command - and the first few that I looked at appeared to remain the same.

I left it alone overnight and came back to it the next day.

That following day (yesterday), I checked the DNS records to ensure they were all available and published from the provided. After confirmation, I ran the full command again and received the Output mentioned above, specifically:

Failed authorization procedure. www.asistv.org (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.www.asistv./org, asistv./org (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge./asistv./org

Why that one? Maybe entered it incorrectly, or didn’t notate accurately? Thinking that, I ran the command above again and noted that the challenge string for all of the requested domains was still the same, except for asistv./org and www.asistv./org. They were completely different from what I had noted down, while everything before and after those two were the same. Weird - but still am thinking that maybe I initially noted it down wrong.

So I then updated the asistv./org TXT records on our DNS provider to the new challenge text, waited ~6 hours, and attempted again. Received the same results. Same error output revolving around asistv./org mentioned above, and yet another different DNS challenge text presented to me for asistv./org and www.asistv./org upon re-running the command. All while the challenge text for the other 22 domains is identical to when the command was first run.

I repeated the above paragraph one more time, but instead waited 18 hours or so before attempting to generate the certificates. Same thing.

I ran through this with a co-worker and our current thought is that something in the certbot code may be recognizing the ‘tv’ part of the domain rather than recognizing ‘.tv’ and is trying to do something odd because of that. This is just a guess. I am stuck.

Worthy mention: Using the dns-01 challenge is a technical requirement for this project.

Thank you in advance for assistance!


#2

Your problem is you have mixed authoritative nameservers that are not mastered from the same zonefile:

asistv.org.             86400   IN      NS      ns81.worldnic.com.
asistv.org.             86400   IN      NS      dns1.register.com.
asistv.org.             86400   IN      NS      ns82.worldnic.com.
asistv.org.             86400   IN      NS      dns2.register.com.

For example:

$ dig @ns81.worldnic.com +noall +answer _acme-challenge.www.asistv.org txt
_acme-challenge.www.asistv.org. 7200 IN TXT     "_1nn-yNFNDlsnpLA5MAxyoojBxckcVzY0830EIv6N8Q"

but compare:

$ dig @dns1.register.com +noall +answer _acme-challenge.www.asistv.org txt
<empty response>

Probably, you need to remove the register.com nameservers.


#3

Wow, 10 minutes is all it took for someone to come back with a credible, highly probable answer. I’m a bit blown away.

This makes the most sense, I don’t even recognize register.com. It was likely where this domain was purchased from and was then not migrated over to our provider cleanly. Thank you so much for this - I will return either with a ‘check’ for a solved problem or another inquiry, depending on my findings!

Edit: That was super easy with that diagnosis. All figured out - thank you again _az :slight_smile:


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.