Manual DNS method authorisation - failing


#1

I’m having major problems renewing my certificate.

You are using the manual DNS method for authorization. You should create the following DNS (TXT) record in your DNS settings to continue renewal.

It requires me to add a TXT record called “_acme-challenge.blah.co.uk”, and gives me the code to use.
I create a TXT record with the required info and then re-attempt to renew.

It then says I need to add another one, which I do; it then fails.
I start over again, and I end up in a loop of having to keep creating records with whatever code it tells me to use (I delete the existing TXT records before re-attempting each time).

This is the first time a renewal has been attempted (I was hoping this would be fully automated and not require me to manually do anything).

So where is this going wrong? Every time I add what it asks me to add it just fails, and I end up in a loop of constantly adding and removing TXT records.
I use Google Domains as the registrar.

2018-11-06 08:46:12.238 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/39676522/158665093
2018-11-06 08:46:12.499 +00:00 [VRB] Fetching Authorizations.
2018-11-06 08:46:12.711 +00:00 [VRB] Fetching Authz Challenges.
2018-11-06 08:46:13.797 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/H_BwrhnrFfz9bscD7Or01Ebe9CcJOhQ3PQDxfebLkuY/9007931010
2018-11-06 08:46:13.797 +00:00 [INF] Attempting Challenge Response Validation for Domain: *.blah.co.uk
2018-11-06 08:46:13.797 +00:00 [INF] Registering and Validating *.blah.co.uk 
2018-11-06 08:46:13.798 +00:00 [INF] Checking automated challenge response for Domain: *.blah.co.uk
2018-11-06 08:46:16.769 +00:00 [INF] Incorrect TXT record "2V9PoSop0aLm9tuh8eeT7ZRWF3yoMguMhlt6smusALk" (and 1 more) found at _acme-challenge.blah.co.uk
2018-11-06 08:46:18.656 +00:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record "2V9PoSop0aLm9tuh8eeT7ZRWF3yoMguMhlt6smusALk" (and 1 more) found at _acme-challenge.blah.co.uk
2018-11-06 08:46:18.657 +00:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record "2V9PoSop0aLm9tuh8eeT7ZRWF3yoMguMhlt6smusALk" (and 1 more) found at _acme-challenge.blah.co.uk

#2

@chenks to get fully automated renewal you need to use an API or a custom script, not the manual DNS option (because it requires a manual step for every renewal).

Sometimes, though, there is a problem with the account ID the app has for you not matching the one that Let’s Encrypt expects. To fix that, update your email address under Settings (you can set it to the same email; it’s just to bump the account). I’m assuming you’re on the latest version (currently 4.0.10). Then try your manual renewal again. You can change the frequency of renewals under Settings (to a max of every 60 days), so it’s a bit less regular.

I’m guessing from the screenshot you’re with Google Domains? We don’t yet have an API provider for them, but there is some stuff planned for that soon.


#3

Yes, latest version.

Tried updating the email address (well, there is no “update” option, only to add a new contact, which I did with the same email address as it already had).

Now I get this:

2018-11-06 12:08:22.911 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/39676522/158857581
2018-11-06 12:08:23.133 +00:00 [VRB] Fetching Authorizations.
2018-11-06 12:08:23.351 +00:00 [VRB] Fetching Authz Challenges.
2018-11-06 12:08:24.415 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/fU_RJXtlnK3E_C8ZdwjK1cLJ-GDRa1B6h1Zk90S7tkA/9011532118
2018-11-06 12:08:24.415 +00:00 [INF] Attempting Challenge Response Validation for Domain: *.blah.co.uk
2018-11-06 12:08:24.415 +00:00 [INF] Registering and Validating *.blah.co.uk 
2018-11-06 12:08:24.415 +00:00 [INF] Checking automated challenge response for Domain: *.blah.co.uk
2018-11-06 12:08:26.785 +00:00 [ERR] Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:26.786 +00:00 [INF] Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:29.387 +00:00 [INF] Validation of the required challenges did not complete successfully. Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:29.387 +00:00 [INF] Validation of the required challenges did not complete successfully. Submit Challenge failed: User account ID doesn't match account ID in authorization

#4

Thanks, I’ve not seen this one before; clearly the account ID settings are misbehaving. Can you try restarting the Certify background service in case something is being cached? You could also try adding an additional test hostname (‘certs.blah.co.uk’) to the certificate request; this will force the certificate to be seen as a new request by LE and will require new validations.

Once you can validate a single domain properly all other requests should work normally (unless they have stale authorizations like this example).


#5

My suspicion is that in some cases we’re still holding onto a reference of the old account identifier/key but it’s not clear how currently.


#6

Can I re-clarify the process, as the instructions that appear during the process can be a little vague at times?

On the first request it asks to add a TXT record with the record code.
Once I add that, do I then re-run the renewal request again from scratch?
Assuming yes, it then asks to add another TXT record with a different code. Do I then delete the TXT record I have just added, or add a second code to that existing one?

It’s not very clear, during the process, what the correct way to do this is.


#7

@chenks, clearly we need to sort out some docs for this part of the process, but I think you did hit a bug regarding account ID and it’s not clear if that’s still an issue for you or not. Have you tried using http validation instead - just a test with a single host name?

The manual DNS validation process is:

  • Hit ‘Request Certificate’; the app will contact Let’s Encrypt and determine what TXT records they want you to create, then the status screen of the managed certificate will look like this:
    [screenshot of the managed certificate status screen]
  • You will then create the TXT record in your DNS control panel.

If you are requesting both domain.com and *.domain.com I recommend splitting that into 2 certificates when using manual DNS updates, as otherwise it’s very confusing because both require an update to the same TXT record with different values. Alternatively you will need to add to the existing values until all your authorizations have completed, then you can delete the record.

  • After you have added the TXT record to your DNS and it has propagated to all of your name servers (give it 10 mins), you can click Request Certificate to resume (as per the on-screen instructions). This will resume your request, not start a new one.
  • If the request is successful (LE find your TXT record and are happy with it) the app will then fetch the new certificate.
  • If the request is unsuccessful (LE couldn’t find your TXT record or the value wasn’t as expected) the app will tell you the request failed and the log will show that too.

As an aside, I strongly recommend not using the manual DNS approach (or any manual steps) if you are serious about using Let’s Encrypt certificates as regular certificate renewal is mandatory.


#8

Looks like another person hitting an issue with wildcard domain validation via DNS - see my response on Wildcard Failing dns-01 Acme Challenge to see how I got it working OK.


#9

I don’t have much choice but to at the moment, though, as you don’t fully support Google Domains?


#10

I’m sure we will support Google domains when time allows. I’m also working on a general method to support any provider using CNAME redirection.


#11

Still finding this impossible to renew the certificate (even after the 2 updates pushed out over the past day or so).

I hit renew; it asks for a TXT record to be added.
I add it.
Hit renew again and it seems to pass that stage.
It then asks for another TXT record to be added,
so I add the second one as an additional value to the original one.
Hit renew again, and it fails saying it can’t find the first one.
Continual loop of adding, accepting, then rejecting.


#12

[screenshot: Capture2]


#13

@chenks according to https://letsdebug.net verbose output the latest validation for your domain is against the staging API, so maybe you’re running your own debug build? If so you’ll need my fork of certes, as the release version has an account key encoding bug. Or maybe you were just using some other tool.

Anyway, as you are using manual DNS the easiest option is to have one managed certificate for the wildcard (*.chenks.co.uk), get that working and apply it as required. Then create a new managed certificate for chenks.co.uk (just the domain) - you can use http validation or DNS validation for that one. Http validation is way easier than manual DNS if you are running this on your actual server, as that can be fully automated.


#14

I’m not running anything other than the version I downloaded from your site?

As far as I’m aware I do just have 1 managed certificate for the wildcard? That’s all that I’m trying to get working and apply.


#15


#16

Thanks, the letsdebug.net message must just be a red herring. Can you send me your log file through to support {at} certifytheweb.com?


#17

It’s linked from the Status tab


#18

Have sent it as requested.


#19

Thanks! Can you delete all of your _acme-challenge TXT records in your domain, wait 5 mins, then try your certificate request again?

I think there’s some confusion happening because there are two TXT records currently. A single wildcard certificate like this only needs one TXT record (and when it’s multiple values, it’s still only one TXT record, but with multiple values).

Note that the wildcard certificate you get will only cover subdomains of chenks.co.uk so you will need another certificate to cover the top level domain if that’s required. Again, I would recommend the http challenge for that.
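The two points made in #7 (a wildcard and its base domain share one `_acme-challenge` name, so the same TXT record carries several values) and #19 (a stale value left in that record is what Let's Encrypt reports as "Incorrect TXT record ... (and 1 more)") can be checked offline. The script below is an added example, not code from the thread or from Certify The Web: it computes the dns-01 TXT value the way RFC 8555 defines it (base64url of SHA-256 over `token.thumbprint`), derives the record name for a wildcard or plain domain, and compares the values found in DNS against the set a renewal currently expects. The token, thumbprint and record values are constructed samples.

```python
import base64
import hashlib

# Constructed sample values (not from the thread): an ACME challenge token and the
# base64url SHA-256 thumbprint of the account key, as RFC 8555 defines them.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses for challenge values."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Expected TXT value for dns-01: base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def challenge_name(domain: str) -> str:
    """Record name queried by the CA. '*.example' and 'example' share the same name,
    which is why a wildcard plus apex request updates one record with two values."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def check_txt_records(found_values, expected_values):
    """Compare the TXT values published at _acme-challenge with those the current
    renewal expects. 'stale' are leftovers from earlier attempts that should be
    deleted; 'missing' are values that still have to be added or propagated."""
    found = {v.strip('"') for v in found_values}
    expected = set(expected_values)
    return {
        "satisfied": expected <= found,
        "missing": sorted(expected - found),
        "stale": sorted(found - expected),
    }


if __name__ == "__main__":
    # Constructed scenario: the record still holds a value from a previous
    # attempt alongside the one the current renewal needs.
    current = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    published = [current, "OLD-VALUE-FROM-PREVIOUS-ATTEMPT"]
    print(challenge_name("*.example.test"))
    print(check_txt_records(published, [current]))
```

Because each renewal issues a fresh token, the expected value changes every time; the check therefore only makes sense against the values the app is currently asking for, and every other value at that name is a candidate for removal once the outstanding authorizations have completed.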


#20

That’s what I already had: 1 TXT record but with multiple values.
Not sure where it was seeing two TXT records from (I included a screenshot of the TXT records previously).