Could not register domain identifier

I’m trying to get Let’s Encrypt working on my workstation running Windows/IIS, on a subdomain pointing to our local network, where the router forwards a specific port to my computer, with IIS set to listen for that port, and only that port.

My registrar is joker.com and they handle my nameservers as well. They have a FAQ specifically for Let’s Encrypt, though I do not know how to use that within Certify the Web.

So, I went forward with dns-01 (Update DNS Manually). Starting Request Certificate gets to the point where it asks for the TXT record, which I then add and wait a few minutes (I finally realized I had to wait on the last attempt, and then that I could just use nslookup to see the update locally) before clicking the button a second time, which resulted in an error.

To provide a log (and not get mixed up when copying), I closed the program, stopped the service, cleared the files, restarted the service, restarted the program, started a new certificate, and clicked Request Certificate. This gave me the same value for the TXT record as the last (failed) attempt. Is that supposed to happen?

Anyway, the log:

2020-11-25 13:14:18.714 -05:00 [INF] ---- Beginning Request [Default Web Site] ----
2020-11-25 13:14:18.722 -05:00 [INF] Certify/5.1.12.0 (Windows; Microsoft Windows NT 10.0.19041.0) 
2020-11-25 13:14:18.881 -05:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2020-11-25 13:14:18.881 -05:00 [INF] Requested domains to include on certificate: moocows.tmhc.net
2020-11-25 13:14:18.887 -05:00 [INF] Beginning certificate order for requested domains
2020-11-25 13:14:18.900 -05:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2 
2020-11-25 13:14:19.775 -05:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/103322049/6405496749
2020-11-25 13:14:19.914 -05:00 [INF] Fetching Authorizations.
2020-11-25 13:14:20.570 -05:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/8859413173/68ro-w
2020-11-25 13:14:20.825 -05:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/8859413173/etV4oQ
2020-11-25 13:14:20.835 -05:00 [INF] Attempting Domain Validation: moocows.tmhc.net
2020-11-25 13:14:20.835 -05:00 [INF] Registering and Validating moocows.tmhc.net 
2020-11-25 13:14:20.835 -05:00 [INF] Performing automated challenge responses (moocows.tmhc.net)
2020-11-25 13:14:20.847 -05:00 [INF] DNS: Creating TXT Record '_acme-challenge.moocows.tmhc.net' with value '5HafX7qbrJwCCDTAsiLKZuTle-UnLEQgfVbj1sCrm-g', in Zone Id '' using API provider '(Update DNS Manually)'
2020-11-25 13:14:20.849 -05:00 [INF] DNS: (Update DNS Manually) :: Please login to your DNS control panel for the domain 'moocows.tmhc.net' and create a new TXT record named: 
_acme-challenge.moocows.tmhc.net 
with the value:
5HafX7qbrJwCCDTAsiLKZuTle-UnLEQgfVbj1sCrm-g
2020-11-25 13:14:20.849 -05:00 [INF] Requesting Validation: moocows.tmhc.net
2020-11-25 13:14:20.850 -05:00 [INF] (Update DNS Manually) :: Please login to your DNS control panel for the domain 'moocows.tmhc.net' and create a new TXT record named: 
_acme-challenge.moocows.tmhc.net 
with the value:
5HafX7qbrJwCCDTAsiLKZuTle-UnLEQgfVbj1sCrm-g

2020-11-25 13:14:22.811 -05:00 [INF] 
2020-11-25 13:17:20.421 -05:00 [INF] ---- Beginning Request [Default Web Site] ----
2020-11-25 13:17:20.440 -05:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2 
2020-11-25 13:17:20.440 -05:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/103322049/6405496749
2020-11-25 13:17:20.805 -05:00 [ERR] Could not begin certificate order: JWS has an invalid anti-replay nonce: "0103pYSWUSDldau-unx_sZEzM7QgSWaEWmU7wvEcnF1UcKQ"
2020-11-25 13:17:20.806 -05:00 [INF] Could not complete authorization for domain with the Certificate Authority: [moocows.tmhc.net] Could not register domain identifier
2020-11-25 13:17:21.689 -05:00 [INF] Validation of the required challenges did not complete successfully. [moocows.tmhc.net] : 
2020-11-25 13:17:21.689 -05:00 [INF] Validation of the required challenges did not complete successfully. [moocows.tmhc.net] : 
2020-11-25 13:17:21.689 -05:00 [INF] Validation of the required challenges did not complete successfully. [moocows.tmhc.net] : 

What does “JWS has an invalid anti-replay nonce” mean? Anyway, what do I need to do to get this working? I would appreciate any help.

For a unique certificate, Let’s Encrypt will cache requests for a period of time so that later requests soon after will be the same and you don’t end up with two challenges active at the same time and get confused on what response should be active. HTTP-01 validation does this as well.

The JWS message is a Let’s Encrypt thing as well. Skimming some posts, it sounds like a method of expiring past requests. It almost sounds like a FIFO buffer that is globally used and you only have a certain amount of time to complete the request. You might Google it a bit to find out more. It sounds temporary and may resolve itself? Manually doing it may be too slow depending on traffic, time-of-day, etc.

Looking at your DNS’s docs… I would suggest downloading a Windows build of curl and making a .bat file for your DNS updates (Use Custom Script in Certify). Their doc explains what the curl syntax should be. Unfortunately it looks like your provider expects the TXT label only and Certify’s scripting wants to provide the fully qualified zone. You might have to experiment with the command line to see if Joker will accept both or you need to get more creative with scripting.

Edit: Now that I think about it, just hardcode everything but the value in the .bat file and use %3 for that. That should align with the parameters Certify passes the .bat.

1 Like

DNS Validation
So as @jljtgr says you can script your DNS updates using a batch file and curl (https://docs.certifytheweb.com/docs/dns/providers/scripting)

Don’t use manual DNS validation unless you have a fantastic reason to, it’s not worth the pain and it’s not automated. If you’re going to do it manually though, update the TXT record value and wait until all of your name servers have replicated the change. This is usually a few seconds but can be up to an hour, this is up to your DNS provider.

Alternatively to start with you could just use acme-dns, which is a DNS service just for ACME/Let’s Encrypt DNS validation where you point a CNAME in your DNS to a TXT record on the acme-dns server, then all future renewals are automated. You can use a hosted service like https://auth.acme-dns.io/register or run your own.

Another (simple) alternative is just to switch to something like Cloudflare for your DNS, as this is already integrated into Certify.


Regarding errors and the log:

  • You don’t need to stop and start services at all. Just leave the Certify service running as normal.
  • The anti-replay nonce error is normal, you can ignore it. The next version of the app will catch this and silently retry. Basically Let’s Encrypt generate a random value they hold in memory and expect you to repeat back to them; as they scale their requests across servers the ‘nonce’ value can quickly become invalid as part of the normal operation of their service. The app normally handles this and fetches a new one; alternatively click ‘Request Certificate’ again.

So, to continue with your request, click Request Certificate again. You’ll get a new TXT record value, update that in DNS and wait for propagation, then click Request Certificate again to resume.

1 Like

Although I’m not scared away by having to write such a script, something hasn’t clicked yet, and I’m not exactly sure where to do what.

This is just to get things working in development, that is, I want to remove a roadblock while developing a webhook listener that requires an SSL certificate. In the end, I’m assuming they will have someone else handle all this. So, I’m really only planning on doing this once, hence it doesn’t bother me if it’s not automated.

I’m more comfortable leaving my DNS host at joker, so I don’t really like the idea of using another provider.

I was just deleting the log files so I could tell clearly which attempt I was on and copy the entire log here.

Thank you for the explanation!

Responds with “Method Not Allowed”. https://auth.acme-dns.io/ itself gives a 404.

I just tried the request again without changing anything, and it worked. Gave me the same TXT value as well. That’s three times in a row.

Your docs list the command line you need to use, so the script is just that… but edited.

curl -X POST https://svc.joker.com/nic/replace -d "username=your-username&password=your-password&zone=moocows.tmhc.net&label=_acme-challenge&type=TXT&value=%3"

You still need to change “your-username” and “your-password”. If your username/password is complex, it may need to be URL-encoded to fit as a parameter. Press F12 in any browser and switch to the JavaScript “Console”. Type something like this in: encodeURIComponent('your-actual-password')… it’ll return a quoted string you can use. Don’t keep the quotes with curl.

Put that in a *.bat and point Certify to it with a DNS Update method of (Use Custom Script).

Edit: Used wrong JavaScript function.

2 Likes
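As an added illustration (not code from the thread, from Joker, or from Certify’s own scripts), a Python version of the update script above that also strips the zone suffix from the fully qualified record name Certify hands over and URL-encodes the credentials and value. It assumes Certify invokes the script with zone id, record name and record value as three positional arguments (matching the %3 usage above), takes the endpoint and field names from the curl command, and reads credentials from constructed environment variable names rather than hardcoding them.

```python
import os
import sys
import urllib.parse
import urllib.request

# Endpoint and form fields as shown in the curl command earlier in the thread.
JOKER_REPLACE_URL = "https://svc.joker.com/nic/replace"
ZONE = "moocows.tmhc.net"  # the zone from the thread; change for your own domain


def record_label(record_fqdn: str, zone: str) -> str:
    """Strip the zone suffix from a fully qualified record name.

    '_acme-challenge.moocows.tmhc.net' in zone 'moocows.tmhc.net' -> '_acme-challenge'.
    Joker expects the bare label, while Certify passes the full record name.
    """
    fqdn = record_fqdn.rstrip(".").lower()
    suffix = "." + zone.rstrip(".").lower()
    if not fqdn.endswith(suffix):
        raise ValueError(f"{record_fqdn!r} is not a record inside zone {zone!r}")
    return fqdn[: -len(suffix)]


def build_replace_body(username, password, zone, record_fqdn, value) -> str:
    """Return the URL-encoded POST body. urlencode() percent-escapes
    characters such as '&', '=' and '%' in the password and value, so no
    manual encodeURIComponent() step is needed."""
    fields = [
        ("username", username),
        ("password", password),
        ("zone", zone),
        ("label", record_label(record_fqdn, zone)),
        ("type", "TXT"),
        ("value", value),
    ]
    return urllib.parse.urlencode(fields)


def post_replace(body: str) -> str:
    """Send the replace request and return Joker's response text."""
    req = urllib.request.Request(JOKER_REPLACE_URL, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Assumed call convention: <script> <zoneid> <recordname> <recordvalue>
    _zone_id, record_name, record_value = sys.argv[1:4]
    # Assumed variable names; keep credentials out of the script file itself.
    body = build_replace_body(os.environ["JOKER_USERNAME"], os.environ["JOKER_PASSWORD"],
                              ZONE, record_name, record_value)
    print(post_replace(body))
```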

Glad you got it working. As I said, manual DNS is error-prone, it’s just how the ACME process works - it’s not really designed for people. Certify doesn’t determine what the TXT challenge should be, Let’s Encrypt does, so if they want to keep it the same that’s up to them (my guess is the challenge never actually got to the failed stage before, so it was still available for validation).

Regarding the acme-dns endpoint, that’s a URL for an acme-dns server API, it’s not a website for you to browse to.

1 Like

Thank you. That makes a little more sense in combining the two. If I end up renewing the certificate, this will come in handy!

Ah, I was assuming it was to register for it.