Unable to validate acme challenge

I am using Ansible Tower to run LE and it usually works fine. However, I created a new DNS zone and I am having issues. My Ansible playbook script is able to create the ACME TXT record but then fails to validate it.

My domain is: openbluecloud.cn

{
  "other": {
    "identifier": "dns:*.openbluecloud.cn",
    "authorization": {
      "identifier": {
        "type": "dns",
        "value": "openbluecloud.cn"
      },
      "status": "invalid",
      "expires": "2022-07-12T12:59:06Z",
      "challenges": [
        {
          "type": "dns-01",
          "status": "invalid",
          "error": {
            "type": "urn:ietf:params:acme:error:unauthorized",
            "detail": "No TXT record found at _acme-challenge.openbluecloud.cn",
            "status": 403
          },
          "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/BLABLA",
          "token": "BLABLA",
          "validated": "2022-07-05T12:59:16Z"
        }
      ],
      "wildcard": true,
      "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/BLABLA"
    }
  },
  "msg": "Failed to validate challenge for dns:*.openbluecloud.cn: Status is \"invalid\" and not \"valid\". Challenge dns-01: Error urn:ietf:params:acme:error:unauthorized: \"No TXT record found at _acme-challenge.openbluecloud.cn\".",
  "invocation": {
    "module_args": {
      "account_key_content": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "account_email": "be-taas-devops@jci.com",
      "csr": "/tmp/request.csr",
      "cert": "/tmp/cert.crt",
      "fullchain": "/tmp/fullchain.crt",
      "chain": "/tmp/intermediates.crt",
      "challenge": "dns-01",
      "acme_version": 2,
      "acme_directory": "https://acme-v02.api.letsencrypt.org/directory",
      "remaining_days": 30,
      "data": {
        "changed": true,
        "authorizations": {
          "*.openbluecloud.cn": {
            "identifier": {
              "type": "dns",
              "value": "openbluecloud.cn"
            },
            "status": "pending",
            "expires": "2022-07-12T12:59:06Z",
            "challenges": [
              {
                "type": "dns-01",
                "status": "pending",
                "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/BLABLA",
                "token": "BLABLABLA"
              }
            ],
            "wildcard": true,
            "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/BLABLA"
          }
        },
        "finalize_uri": "https://acme-v02.api.letsencrypt.org/acme/finalize/BLABLA",
        "order_uri": "https://acme-v02.api.letsencrypt.org/acme/order/BLABLA",
        "account_uri": "https://acme-v02.api.letsencrypt.org/acme/acct/BLABLA",
        "challenge_data": {
          "*.openbluecloud.cn": {
            "dns-01": {
              "resource": "_acme-challenge",
              "resource_value": "BLABLA",
              "record": "_acme-challenge.openbluecloud.cn"
            }
          }
        },
        "challenge_data_dns": {
          "_acme-challenge.openbluecloud.cn": [
            "BLABLA"
          ]
        },
        "cert_days": -1,
        "failed": false,
        "attempts": 1
      },
      "terms_agreed": true,
      "force": true,
      "dest": "/tmp/cert.crt",
      "fullchain_dest": "/tmp/fullchain.crt",
      "chain_dest": "/tmp/intermediates.crt",
      "validate_certs": true,
      "select_crypto_backend": "auto",
      "modify_account": true,
      "deactivate_authzs": false,
      "retrieve_all_alternates": false,
      "account_key_src": null,
      "account_key_passphrase": null,
      "account_uri": null,
      "agreement": null,
      "csr_content": null,
      "select_chain": null
    }
  },
  "_ansible_no_log": false,
  "attempts": 5,
  "changed": false
}

Hi @Deirdre, and welcome to the LE community forum :slight_smile:

How do you know it creates the record?
Do you check both authoritative nameservers for that record?

openbluecloud.cn        nameserver = dns1.cscdns.net
openbluecloud.cn        nameserver = dns2.cscdns.net
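The check suggested above, as an added example that is not part of the thread or of the Ansible module: a stdlib-only Python pre-flight that sends a TXT query straight to each authoritative nameserver named by the parent delegation, which is what the ACME validator consults, rather than trusting the zone copy shown in a provider console. The nameserver hostnames and record name are the ones from this thread; the token is a placeholder and the two sample responses are constructed so the parser can be exercised offline.

```python
import random, socket, struct
def build_txt_query(name, qid):
    # RFC 1035 header (RD set, one question) + QNAME labels + QTYPE=TXT(16), QCLASS=IN(1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 16, 1)
def _skip_name(msg, off):
    # Offset just past a name; a compression pointer (top bits 11) is 2 bytes and ends the name
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)
def parse_txt_answers(msg):
    # Returns (rcode, [txt values]); TXT RDATA is a run of <len><bytes> strings, joined per record
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                  # skip QTYPE and QCLASS
    values = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:
            chunks, i = [], 0
            while i < len(rdata):
                chunks.append(rdata[i + 1:i + 1 + rdata[i]]); i += 1 + rdata[i]
            values.append(b"".join(chunks).decode())
    return flags & 0x000F, values
def query_txt(server_ip, name, timeout=3.0):
    # One UDP query sent directly to the authoritative server, bypassing recursive resolver caches
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, qid), (server_ip, 53))
        msg = s.recv(4096)
    assert struct.unpack(">H", msg[:2])[0] == qid, "response id mismatch"
    return parse_txt_answers(msg)
def check_challenge(expected, responses):
    # {nameserver: (rcode, values)} -> {nameserver: True only if that server serves the token}
    return {ns: rcode == 0 and expected in vals for ns, (rcode, vals) in responses.items()}
# Constructed sample responses (not captured from the real servers) for offline use:
# one serving the token, one answering NXDOMAIN, matching the thread's "No TXT record found"
QUESTION_SECTION = b"\x0f_acme-challenge\x0dopenbluecloud\x02cn\x00\x00\x10\x00\x01"
SAMPLE_OK = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION_SECTION + b"\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x3c\x00\x07\x06BLABLA"
SAMPLE_NXDOMAIN = b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION_SECTION
if __name__ == "__main__":
    # Ask the servers the parent delegation names (from the thread); the token is a placeholder
    ns_hosts, record, token = ("dns1.cscdns.net", "dns2.cscdns.net"), "_acme-challenge.openbluecloud.cn", "PLACEHOLDER_TOKEN"
    live = {ns: query_txt(socket.gethostbyname(ns), record) for ns in ns_hosts}
    for ns, ok in check_challenge(token, live).items():
        print(f"{ns}: {'serves token' if ok else 'token MISSING'} {live[ns]}")
```

Run it after the playbook writes the record and before the `acme_certificate` validation step; if any delegated server reports NXDOMAIN, the record was written to a zone the delegation does not point at.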

Hi @rg305
I can see the record being created in my DNS zone. I attached a screenshot with the nameserver records.

and thanks for the welcome :slight_smile:


Not sure where that is... but the authoritative nameservers for that domain are:

openbluecloud.cn        nameserver = dns1.cscdns.net
openbluecloud.cn        nameserver = dns2.cscdns.net

I see what you mean, I just checked it and I see the same. I must raise this with Azure as it doesn't make sense.

Where did you register the domain?


I didn't handle that part. I was just given the domain name to deploy the application. I must follow up with the team that gave it to me.


Between ansible, azure, and a wildcard domain... it looks like you may be leveraging a solution to handle certificate procurement in an automated environment. If so, this is generally an anti-pattern, and should be replaced with a solution that uses persistent storage to save and retrieve active certificates.


Thanks for the help @rg305. It seems they never added the Azure nameserver records to where they bought the domain name from.
