Cloudflare DNS issues?

Not sure what's gone wrong here… for the past year I've had no issues renewing certificates, but now I'm receiving this error

2022-07-11 10:22:25.934 -04:00 [INF] Cloudflare DNS API :: Could not add dns record _acme-challenge.domain.com to zone [zoneid]. Result: BadRequest - {"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}

Using DNS-01 validation in order to get wildcard certificates… I’ve tried changing API keys, same issue

How should I proceed?
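The Cloudflare side of the error quoted above, as an added illustration (this is not Certify The Web's code). It builds the two header styles Cloudflare accepts, checks a token with the tokens/verify endpoint before touching DNS, and classifies the JSON envelope so that a code 10000 "Authentication error" is treated as a credential problem rather than retried. The helper names, the placeholder zone id and hostname, and the sample response bodies are assumptions; the failure body is constructed from the one in the log line.

```python
"""Cloudflare DNS-01 helper: check the credential, then add the _acme-challenge TXT record.

Added illustration, not Certify The Web's code. The function names, the placeholder
zone id / hostname and the constructed response bodies are assumptions.
"""
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Constructed from the failure body quoted in the thread (code 10000) and a
# made-up success envelope in the same shape.
SAMPLE_AUTH_FAILURE = '{"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}'
SAMPLE_SUCCESS = '{"success":true,"errors":[],"result":{"id":"rec1","type":"TXT"}}'


def auth_headers(api_token=None, email=None, global_key=None):
    """Headers for either credential style Cloudflare accepts.

    Prefer a scoped API token (DNS:Edit on just this zone); it goes in a Bearer
    header. The legacy global API key is all-powerful and must be paired with the
    account email. A rejected credential of either kind comes back as code 10000,
    which does not say which header was wrong, so check the pairing first.
    """
    headers = {"Content-Type": "application/json"}
    if api_token:
        headers["Authorization"] = f"Bearer {api_token}"
    elif email and global_key:
        headers["X-Auth-Email"] = email
        headers["X-Auth-Key"] = global_key
    else:
        raise ValueError("need an API token, or email plus global API key")
    return headers


def classify(body):
    """Reduce a Cloudflare JSON envelope to 'ok', 'auth_error' or 'api_error'.

    10000 means the credential itself was rejected: re-sending the same record
    request will fail identically, so the caller should stop and fix credentials.
    """
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    if data.get("success"):
        return "ok"
    codes = {err.get("code") for err in data.get("errors", [])}
    return "auth_error" if 10000 in codes else "api_error"


def record_payload(name, content, ttl=120):
    """Body of POST /zones/{zone}/dns_records for an ACME challenge TXT record."""
    return {"type": "TXT", "name": name, "content": content, "ttl": ttl}


def verify_token_request(api_token):
    """GET /user/tokens/verify: cheapest way to test a token before touching DNS."""
    return urllib.request.Request(f"{API}/user/tokens/verify",
                                  headers=auth_headers(api_token=api_token))


def txt_record_request(zone_id, name, content, headers):
    data = json.dumps(record_payload(name, content)).encode()
    return urllib.request.Request(f"{API}/zones/{zone_id}/dns_records",
                                  data=data, headers=headers, method="POST")


def send(request):
    """Return (HTTP status, parsed body); 4xx bodies are still Cloudflare envelopes."""
    try:
        with urllib.request.urlopen(request, timeout=15) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    import os
    token = os.environ["CF_API_TOKEN"]            # assumed environment variable
    status, body = send(verify_token_request(token))
    print("token check:", status, classify(body))
    if classify(body) == "ok":
        req = txt_record_request(os.environ["CF_ZONE_ID"], "_acme-challenge.domain.com",
                                 "constructed-challenge-value", auth_headers(api_token=token))
        status, body = send(req)
        print("record create:", status, classify(body))
```

Running the token check first separates "the credential is bad" from "the record request is bad": if tokens/verify already returns 10000, nothing about the TXT record matters and the stored credential is the thing to fix.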

Renewed global API key and reentered email under credentials, now I’m seeing a new error

2022-07-11 13:47:16.450 -04:00 [INF] Validation of the required challenges did not complete successfully. A problem occurred while checking challenge responses: Certes.AcmeException: Fail to fetch new nonce.
   at Certes.Acme.AcmeHttpClient.<FetchNonce>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Certes.Acme.AcmeHttpClient.<ConsumeNonce>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.AcmeContext.<Sign>d__24.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.Acme.IAcmeHttpClientExtensions.<Post>d__0`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.Acme.ChallengeContext.<Validate>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certify.Providers.ACME.Certes.CertesACMEProvider.<SubmitChallenge>d__33.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1016
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Certify.Management.CertifyManager.<CompleteCertificateRequestProcessing>d__23.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 873

Resolved… Certify The Web complained about the time (which was correct); set it to all auto in Windows settings, then one site renewed fine but the other still gave the same error as shown above.

Retried another 2-3 times and it finally works? Quite odd.

The “Failed to fetch nonce” error is a thing where the app grabs a new temporary number from the Let’s Encrypt API. This “nonce” is used to prevent replay attacks on their API.

Occasionally the Let's Encrypt servers cycle or forget the numbers they have issued and we have to fetch a new one; if that fails, then basically their API is having a temporary problem and we have to wait it out.

With regard to the original error with the Cloudflare API, it looks like they had some problems recently: https://www.cloudflarestatus.com/, but it's not clear if these had anything to do with this problem.

Do you just use the Certify background service under the standard (Local System) service account, or do you change it? Whichever user is used in turn encrypts the stored credentials using their own account keys, so if the user on the service ever changes, the credentials would fail to decrypt. Upgrading the app would reset this if you have customised the service user in Windows. That's the main reason I could think of where credentials would get messed up.
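The nonce behaviour described in the reply above (RFC 8555 section 6.5), as an added illustration; this is not Certes or Certify The Web code. A constructed stand-in for the CA issues single-use nonces from a newNonce endpoint and on every response, rejects a JWS whose nonce it no longer knows with a badNonce problem that carries a fresh Replay-Nonce, and can be told to forget its whole pool (the "servers cycle" case). The client caches one nonce, retries once on badNonce, and raises the "Fail to fetch new nonce" condition when newNonce itself is down, because then there is nothing to retry with. The server class, the URLs and the account key id are placeholders; the JWS is shape-only and not really signed.

```python
"""ACME anti-replay nonces (RFC 8555 section 6.5), as an added illustration.

Not Certes or Certify The Web code. FakeAcmeServer is a constructed stand-in for
the CA and the URLs / kid are placeholders. The client mirrors what a real ACME
client does: fetch a nonce from newNonce, put it in the JWS protected header of
every POST, refill the cache from each response's Replay-Nonce, and answer a
badNonce error (CA forgot or cycled its pool) by retrying once with the nonce
the error carried. If newNonce itself fails there is nothing to retry with.
"""
import base64
import json
import secrets


def b64(data):
    if isinstance(data, str):
        data = data.encode()
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeAcmeServer:
    """Constructed CA: every call returns (status, headers, body)."""

    def __init__(self, fail_new_nonce=False):
        self.valid = set()                  # nonces issued and not yet used
        self.fail_new_nonce = fail_new_nonce

    def _issue(self):
        nonce = b64(secrets.token_bytes(16))
        self.valid.add(nonce)
        return nonce

    def new_nonce(self):
        if self.fail_new_nonce:
            return 503, {}, b""             # CA outage: no Replay-Nonce at all
        return 200, {"Replay-Nonce": self._issue()}, b""

    def forget_all(self):
        """Simulate the CA cycling its nonce pool."""
        self.valid.clear()

    def post(self, jws):
        nonce = json.loads(unb64(jws["protected"])).get("nonce")
        if nonce not in self.valid:
            problem = {"type": "urn:ietf:params:acme:error:badNonce",
                       "detail": "JWS has an invalid anti-replay nonce"}
            return 400, {"Replay-Nonce": self._issue()}, json.dumps(problem).encode()
        self.valid.discard(nonce)           # single use: a replayed JWS now fails
        return 200, {"Replay-Nonce": self._issue()}, b'{"status":"valid"}'


class AcmeNonceError(Exception):
    pass


class NonceClient:
    def __init__(self, server):
        self.server = server
        self.nonce = None                   # one cached nonce, as most clients keep

    def _fetch(self):
        status, headers, _ = self.server.new_nonce()
        if status != 200 or "Replay-Nonce" not in headers:
            raise AcmeNonceError("Fail to fetch new nonce")
        self.nonce = headers["Replay-Nonce"]

    def _consume(self):
        if self.nonce is None:
            self._fetch()
        nonce, self.nonce = self.nonce, None
        return nonce

    def sign(self, url, payload, nonce):
        """JWS shape only; a real client signs protected.payload with the account key."""
        protected = {"alg": "ES256", "kid": "https://acme.example/acct/1",
                     "nonce": nonce, "url": url}
        return {"protected": b64(json.dumps(protected)),
                "payload": b64(json.dumps(payload)),
                "signature": b64("not-a-real-signature")}

    def post(self, url, payload, max_retries=1):
        for attempt in range(max_retries + 1):
            jws = self.sign(url, payload, self._consume())
            status, headers, body = self.server.post(jws)
            if "Replay-Nonce" in headers:
                self.nonce = headers["Replay-Nonce"]   # every response refills the cache
            bad_nonce = (status == 400 and
                         json.loads(body).get("type", "").endswith(":badNonce"))
            if bad_nonce and attempt < max_retries:
                continue                    # retry with the nonce the error supplied
            return status, body


if __name__ == "__main__":
    ca = FakeAcmeServer()
    client = NonceClient(ca)
    print(client.post("https://acme.example/acme/chall/1", {}))
    ca.forget_all()                         # CA cycled: first try gets badNonce, retry succeeds
    print(client.post("https://acme.example/acme/chall/1", {}))
```

The retry budget is deliberately one: a badNonce always comes with a fresh nonce, so a second failure in a row means something other than a cycled pool, and the right move is to surface the error rather than loop.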