Manual DNS method authorisation - failing


#1

I’m having major problems renewing my certificate.

You are using the manual DNS method for authorization. You should create the following DNS (TXT) record in your DNS settings to continue renewal.

It requires me to add a TXT record called “_acme-challenge.blah.co.uk”, and gives me the code to use.
I create a TXT record with the required info and then re-attempt to renew.

It then says I need to add another one, which I do; it then fails.
I start over again, and I end up in a loop of having to create records with whatever code it tells me to use (I delete the existing TXT records before re-attempting each time).

This is the first time a renewal has been attempted (I was hoping this would be fully automated and not require me to manually do anything).

So where is this going wrong? Every time I add what it asks me to add it just fails, and I end up in a loop of constantly adding and removing TXT records.
I use Google Domains as the registrar.

2018-11-06 08:46:12.238 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/39676522/158665093
2018-11-06 08:46:12.499 +00:00 [VRB] Fetching Authorizations.
2018-11-06 08:46:12.711 +00:00 [VRB] Fetching Authz Challenges.
2018-11-06 08:46:13.797 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/H_BwrhnrFfz9bscD7Or01Ebe9CcJOhQ3PQDxfebLkuY/9007931010
2018-11-06 08:46:13.797 +00:00 [INF] Attempting Challenge Response Validation for Domain: *.blah.co.uk
2018-11-06 08:46:13.797 +00:00 [INF] Registering and Validating *.blah.co.uk 
2018-11-06 08:46:13.798 +00:00 [INF] Checking automated challenge response for Domain: *.blah.co.uk
2018-11-06 08:46:16.769 +00:00 [INF] Incorrect TXT record "2V9PoSop0aLm9tuh8eeT7ZRWF3yoMguMhlt6smusALk" (and 1 more) found at _acme-challenge.blah.co.uk
2018-11-06 08:46:18.656 +00:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record "2V9PoSop0aLm9tuh8eeT7ZRWF3yoMguMhlt6smusALk" (and 1 more) found at _acme-challenge.blah.co.uk
2018-11-06 08:46:18.657 +00:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record "2V9PoSop0aLm9tuh8eeT7ZRWF3yoMguMhlt6smusALk" (and 1 more) found at _acme-challenge.blah.co.uk

#2

@chenks, to get fully automated renewal you need to use an API or a custom script, not the manual DNS option (because it requires a manual step for every renewal).

Sometimes, though, there is a mismatch between the account ID the app has for you and the one that Let’s Encrypt expects. To fix that, update your email address under Settings (you can set it to the same email, it’s just to bump the account). I’m assuming you’re on the latest version (currently 4.0.10). Then try your manual renewal again. You can change the frequency of renewals under Settings (to a max of every 60 days), so it’s a bit less frequent.

I’m guessing from the screenshot you’re with Google Domains? We don’t yet have an API provider for them, but there is some stuff planned for that soon.


#3

Yes, latest version.

Tried updating the email address (well, there is no “update” option, only to add a new contact, which I did with the same email address as it already had).

Now I get this:

2018-11-06 12:08:22.911 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/39676522/158857581
2018-11-06 12:08:23.133 +00:00 [VRB] Fetching Authorizations.
2018-11-06 12:08:23.351 +00:00 [VRB] Fetching Authz Challenges.
2018-11-06 12:08:24.415 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/fU_RJXtlnK3E_C8ZdwjK1cLJ-GDRa1B6h1Zk90S7tkA/9011532118
2018-11-06 12:08:24.415 +00:00 [INF] Attempting Challenge Response Validation for Domain: *.blah.co.uk
2018-11-06 12:08:24.415 +00:00 [INF] Registering and Validating *.blah.co.uk 
2018-11-06 12:08:24.415 +00:00 [INF] Checking automated challenge response for Domain: *.blah.co.uk
2018-11-06 12:08:26.785 +00:00 [ERR] Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:26.786 +00:00 [INF] Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:29.387 +00:00 [INF] Validation of the required challenges did not complete successfully. Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:29.387 +00:00 [INF] Validation of the required challenges did not complete successfully. Submit Challenge failed: User account ID doesn't match account ID in authorization

#4

Thanks, I’ve not seen this one before; clearly the account ID settings are misbehaving. Can you try restarting the Certify background service in case something is being cached? You could also try adding an additional test hostname (‘certs.blah.co.uk’) to the certificate request; this will force the certificate to be seen as a new request by LE and will require new validations.

Once you can validate a single domain properly all other requests should work normally (unless they have stale authorizations like this example).


#5

My suspicion is that in some cases we’re still holding onto a reference to the old account identifier/key, but it’s not clear how currently.


#6

Can I re-clarify the process, as the instructions that appear during the process can be a little vague at times?

On the first request it asks me to add a TXT record with the record code.
Once I add that, do I then re-run the renewal request again from scratch?
Assuming yes, it then asks me to add another TXT record with a different code. Do I then delete the TXT record I have just added, or add a second code to that existing one?

It’s not very clear, during the process, what the correct way to do this is.


#7

@chenks, clearly we need to sort out some docs for this part of the process, but I think you did hit a bug regarding the account ID and it’s not clear if that’s still an issue for you or not. Have you tried using HTTP validation instead, just as a test with a single host name?

The manual DNS validation process is:

  • Hit ‘Request Certificate’, the app will contact Let’s Encrypt and determine what TXT records they want you to create, then the status screen of the managed certificate will look like this:
  • You will then create the TXT record in your DNS control panel.

If you are requesting both domain.com and *.domain.com, I recommend splitting that into 2 certificates when using manual DNS updates, as otherwise it’s very confusing because both require an update to the same TXT record with different values. Alternatively, you will need to add to the existing values until all your authorizations have completed, then you can delete the record.

  • After you have added the TXT record to your DNS and it has propagated to all of your name servers (give it 10 mins), you can click Request Certificate to resume (as per the on-screen instructions). This will resume your request, not start a new one.

  • If the request is successful (LE find your TXT record and are happy with it) the app will then fetch the new certificate.

  • If the request is unsuccessful (LE couldn’t find your TXT record or the value wasn’t as expected) the app will tell you the request failed and the log will show that too.

As an aside, I strongly recommend not using the manual DNS approach (or any manual steps) if you are serious about using Let’s Encrypt certificates as regular certificate renewal is mandatory.
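A pre-flight check for the manual dns-01 flow described in the post above, written as an added example (it is not part of this thread, nor code from Certify The Web or Let’s Encrypt). Before clicking Request Certificate to resume, it queries every authoritative name server for `_acme-challenge.<domain>` and reports which of the expected TXT values are still missing on which server, and which leftover values from an earlier attempt are still being served (the situation behind the “Incorrect TXT record ... (and 1 more) found” log line). It also recomputes the dns-01 TXT value from a challenge token and account-key thumbprint per RFC 8555 §8.4, so you can confirm the value a client shows you is consistent with its token. The live lookup assumes dnspython is installed; the decision logic is pure and is exercised below with constructed data.

```python
"""Pre-flight check for a manual ACME dns-01 challenge (added example, not project code).

Handles the case the thread warns about: domain.com and *.domain.com both need
a value at the same _acme-challenge name, so the record set must carry every
expected value on every authoritative server before you resume the request.
"""
import base64
import hashlib
from typing import Dict, Iterable, Set


def dns01_txt_value(token: str, account_key_thumbprint: str) -> str:
    """RFC 8555 §8.4: TXT value = base64url(SHA-256(token "." JWK thumbprint)) without padding."""
    key_authorization = f"{token}.{account_key_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_propagation(expected: Iterable[str],
                      observed_by_ns: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per name server, report expected values still 'missing' and 'stale' extras.

    Stale extras are values left over from an earlier attempt. Let's Encrypt accepts
    the record set as long as the expected value is among the TXT records returned,
    so stale values alone do not fail validation; missing values do.
    """
    want = set(expected)
    report: Dict[str, Dict[str, Set[str]]] = {}
    for ns, have in observed_by_ns.items():
        report[ns] = {"missing": want - have, "stale": have - want}
    return report


def ready_to_resume(expected: Iterable[str], observed_by_ns: Dict[str, Set[str]]) -> bool:
    """True only when every authoritative server serves every expected value."""
    report = check_propagation(expected, observed_by_ns)
    return bool(report) and all(not r["missing"] for r in report.values())


def query_txt_all_ns(zone: str, name: str) -> Dict[str, Set[str]]:
    """Ask each authoritative server of `zone` directly for TXT records at `name`.

    Querying the authoritative servers (not your resolver) avoids being fooled by
    cached negative answers while the record propagates. Requires dnspython.
    """
    import dns.resolver  # assumed installed: pip install dnspython

    result: Dict[str, Set[str]] = {}
    for ns_rr in dns.resolver.resolve(zone, "NS"):
        ns_host = str(ns_rr.target).rstrip(".")
        ns_ip = str(dns.resolver.resolve(ns_host, "A")[0])
        resolver = dns.resolver.Resolver(configure=False)
        resolver.nameservers = [ns_ip]
        try:
            answers = resolver.resolve(name, "TXT")
            # Each TXT RR may be split into several character-strings; join them.
            result[ns_host] = {b"".join(rr.strings).decode("utf-8") for rr in answers}
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            result[ns_host] = set()
    return result


if __name__ == "__main__":
    # Constructed data: two values expected (apex + wildcard), ns1 lagging, ns2 holding a stale token.
    expected = {"ValueForApex", "ValueForWildcard"}
    observed = {
        "ns1.example-dns.test": {"ValueForApex"},
        "ns2.example-dns.test": {"ValueForApex", "ValueForWildcard", "OldTokenFromLastAttempt"},
    }
    for ns, r in check_propagation(expected, observed).items():
        print(f"{ns}: missing={sorted(r['missing'])} stale={sorted(r['stale'])}")
    print("ready to resume:", ready_to_resume(expected, observed))
    # Live use (needs network + dnspython):
    # observed = query_txt_all_ns("blah.co.uk", "_acme-challenge.blah.co.uk")
```

Run it live with the zone and challenge name for your own domain; only when `ready_to_resume` is true for the full set of values does clicking Request Certificate have a chance of succeeding, and deleting the record before all authorizations have completed is exactly what puts you back in the loop described in the first post.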