Manual DNS method authorisation - failing

Yes, latest version.

Tried updating the email address (well, there is no “update” option, only to add a new contact, which I did with the same email address it already had).

Now I get this:

2018-11-06 12:08:22.911 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/39676522/158857581
2018-11-06 12:08:23.133 +00:00 [VRB] Fetching Authorizations.
2018-11-06 12:08:23.351 +00:00 [VRB] Fetching Authz Challenges.
2018-11-06 12:08:24.415 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/fU_RJXtlnK3E_C8ZdwjK1cLJ-GDRa1B6h1Zk90S7tkA/9011532118
2018-11-06 12:08:24.415 +00:00 [INF] Attempting Challenge Response Validation for Domain: *.blah.co.uk
2018-11-06 12:08:24.415 +00:00 [INF] Registering and Validating *.blah.co.uk 
2018-11-06 12:08:24.415 +00:00 [INF] Checking automated challenge response for Domain: *.blah.co.uk
2018-11-06 12:08:26.785 +00:00 [ERR] Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:26.786 +00:00 [INF] Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:29.387 +00:00 [INF] Validation of the required challenges did not complete successfully. Submit Challenge failed: User account ID doesn't match account ID in authorization
2018-11-06 12:08:29.387 +00:00 [INF] Validation of the required challenges did not complete successfully. Submit Challenge failed: User account ID doesn't match account ID in authorization

Thanks, I’ve not seen this one before; clearly the account ID settings are misbehaving. Can you try restarting the Certify background service in case something is being cached? You could also try adding an additional test hostname (‘certs.blah.co.uk’) to the certificate request; this will force the certificate to be seen as a new request by LE and will require new validations.

Once you can validate a single domain properly all other requests should work normally (unless they have stale authorizations like this example).

My suspicion is that in some cases we’re still holding onto a reference of the old account identifier/key but it’s not clear how currently.

Can I re-clarify the process, as the instructions that appear during the process can be a little vague at times?

On the first request it asks to add a TXT record with the record code.
Once I add that, do I then re-run the renewal request again from scratch?
Assuming yes, it then asks to add another TXT record with a different code. Do I then delete the TXT record I have just added, or add a second code to that existing one?

It’s not very clear, during the process, what the correct way to do this is.

@chenks, clearly we need to sort out some docs for this part of the process, but I think you did hit a bug regarding the account ID and it’s not clear if that’s still an issue for you or not. Have you tried using http validation instead, just as a test with a single host name?

The manual DNS validation process is:

  • Hit ‘Request Certificate’, the app will contact Let’s Encrypt and determine what TXT records they want you to create, then the status screen of the managed certificate will look like this:
  • You will then create the TXT record in your DNS control panel.

If you are requesting both domain.com and *.domain.com I recommend splitting that into 2 certificates when using manual DNS updates, as otherwise it’s very confusing because both require an update to the same TXT record with different values. Alternatively you will need to add to the existing values until all your authorizations have completed, then you can delete the record.

  • After you have added the TXT record to your DNS and it has propagated to all of your name servers (give it 10 mins), you can click Request Certificate to resume (as per the on-screen instructions). This will resume your request, not start a new one.

  • If the request is successful (LE find your TXT record and are happy with it) the app will then fetch the new certificate.

  • If the request is unsuccessful (LE couldn’t find your TXT record or the value wasn’t as expected) the app will tell you the request failed and the log will show that too.

As an aside, I strongly recommend not using the manual DNS approach (or any manual steps) if you are serious about using Let’s Encrypt certificates as regular certificate renewal is mandatory.
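Two checks that fit the manual procedure above, written as an added example for this thread (not code from the thread or from Certify The Web). The first derives the TXT value a dns-01 challenge expects: base64url(SHA-256(token "." thumbprint(account key))) per RFC 8555 section 8.4, with the account-key thumbprint computed per RFC 7638. The second is the step worth doing before clicking Request Certificate to resume: confirm that every authoritative nameserver returns the expected value(s) in `_acme-challenge`, because the CA may query any one of them. Since both domain.com and *.domain.com are validated through the same `_acme-challenge.domain.com` name, a record carrying several values is checked the same way. The account key, tokens and per-nameserver answers are constructed placeholders; the `dig`-based collector is a live helper that needs network access and is not exercised offline.

```python
"""Added example for the manual dns-01 procedure (not from the thread or from
Certify The Web). Derives the expected _acme-challenge TXT value and checks that
every authoritative nameserver serves it before the ACME request is resumed.
All keys, tokens and DNS answers below are constructed placeholders.
"""
import base64
import hashlib
import json
import subprocess
from typing import Dict, List


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Optional members such as "alg" or "kid" must not change it."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """TXT record content for a dns-01 challenge (RFC 8555 section 8.4).
    The value depends on the account key, so a TXT value computed for one
    account key is wrong for any other account."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def check_nameservers(expected: List[str], answers: Dict[str, List[str]]) -> Dict[str, bool]:
    """answers maps nameserver -> TXT values it returned for _acme-challenge.<domain>.
    A server passes only if every expected value is among what it returns; extra
    values are fine, because the CA only needs one TXT RR to match per challenge."""
    return {ns: all(v in values for v in expected) for ns, values in answers.items()}


def safe_to_resume(expected: List[str], answers: Dict[str, List[str]]) -> bool:
    """True only when all authoritative servers carry every expected value."""
    results = check_nameservers(expected, answers)
    return bool(results) and all(results.values())


def query_txt_with_dig(name: str, nameserver: str) -> List[str]:
    """Live collector (needs network and the dig binary); not used offline.
    e.g. query_txt_with_dig("_acme-challenge.example.com", "ns1.example.net")"""
    out = subprocess.run(["dig", "+short", "TXT", name, f"@{nameserver}"],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


# Constructed placeholder account key (not a real key) and challenge tokens.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
WILDCARD_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
APEX_TOKEN = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"

if __name__ == "__main__":
    wildcard = dns01_txt_value(WILDCARD_TOKEN, ACCOUNT_JWK)
    apex = dns01_txt_value(APEX_TOKEN, ACCOUNT_JWK)
    # Constructed answers: ns4 still serves only the record from an earlier attempt.
    answers = {"ns1": [wildcard, apex], "ns2": [apex, wildcard],
               "ns3": [wildcard, apex], "ns4": [wildcard]}
    print(check_nameservers([wildcard, apex], answers))
    print("safe to resume:", safe_to_resume([wildcard, apex], answers))
```

The per-server view is the useful part: a public resolver such as the one behind an online DNS checker may already show the new value while one of the four authoritative servers still returns the old record, and that one server is enough for the CA to fail the challenge.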

Looks like another person hitting an issue with wildcard domain validation via DNS - see my response on Wildcard Failing dns-01 Acme Challenge to see how I got it working OK.

I don’t have much choice but to at the moment though, as you don’t fully support Google Domains?

I’m sure we will support Google Domains when time allows. I’m also working on a general method to support any provider using CNAME redirection.


Still finding this impossible to renew the certificate (even after the 2 updates pushed out over the past day or so).

I hit renew, it asks for a TXT record to be added.
I add it.
Hit renew again and it seems to pass that stage.
It then asks for another TXT record to be added,
so I add the second one as an addition to the original one.
Hit renew again, and it fails saying it can’t find the first one.
Continual loop of adding, accepting, then rejecting.


@chenks, according to https://letsdebug.net verbose output the latest validation for your domain is against the staging API, so maybe you're running your own debug build? If so you’ll need my fork of certes as the release version has an account key encoding bug. Or maybe you were just using some other tool.

Anyway, as you are using manual DNS the easiest option is to have one managed certificate for the wildcard (*.chenks.co.uk), get that working and apply it as required. Then create a new managed certificate for chenks.co.uk (just the domain) - you can use http validation or DNS validation for that one. Http validation is way easier than manual DNS if you are running this on your actual server, as that can be fully automated.

I’m not running anything other than the version I downloaded from your site?

As far as I’m aware I do just have 1 managed certificate for the wildcard? That’s all that I’m trying to get working and apply.

Thanks, the letsdebug.net message must just be a red herring. Can you send me your log file through to support {at} certifytheweb.com?

It’s linked from the Status tab.

Have sent it as requested.


Thanks! Can you delete all of your _acme-challenge TXT records in your domain, wait 5 mins, then try your certificate request again?

I think there’s some confusion happening because there are two TXT records currently. A single wildcard certificate like this only needs one TXT record (and when it’s multiple values, it’s still only one TXT record, but with multiple values).

Note that the wildcard certificate you get will only cover subdomains of chenks.co.uk so you will need another certificate to cover the top level domain if that’s required. Again, I would recommend the http challenge for that.

That’s what I already had: 1 TXT record but with multiple values.
Not sure where it was seeing two TXT records from (I included a screenshot of the TXT records previously).

Thanks, I’m using MX Toolbox. Just delete the value you have and start again; you don’t need both. If you can use a lower TTL it may(?) affect propagation to your other nameservers. Let’s Encrypt will try any one of the authoritative nameservers for your DNS; you currently have 4 and they all have to respond with the same answer.

It always seems to pass the first stage of authentication once I put the first TXT record in.
Then it asks me to enter a second; I add an additional entry to the existing TXT record and that’s where it fails.