Resolved (sort of, possible bug?) Failed renewals with DNS-01 - nothing has changed - logs included

Hello all,

(UPDATE FINAL)

I'm wondering if there is a bug of sorts to be sorted out; I'd be happy to assist. Here's what I know, and how I resolved it:

I have 4 domain names. I generate a single certificate for all. It includes all 4 domains and all their subdomains, i.e. domain1.com, *.domain1.com, domain2.com, *.domain2.com, etc. These are listed in the Certificate Domains section of CTW.

In the Authorization section of CTW, I use challenge type DNS-01 for validation, as none of these domains host websites (only mail, and one has an FTP server), so I must validate against DNS. I use an API to perform the ACME record writes to the DNS records. In the DNS Zone ID field of this same section, you must select one of the 4 domains. For this example, domain1.com.

I now run the test, and all tests come back good. This means CTW was able to successfully write the DNS ACME TXT records.

Now I run Request Certificate. It does its thing, and fails, unable to validate domain1.com. Looking at my DNS records for the 4 domains, all 8 ACME TXT records are written to domain4.com, 6 of them pointing to the other 3 domains and *.domains. The other 3 domains are untouched.

I then deselected domain3.com and domain4.com (and the related *.domainX.com), and ran it. It failed on domain2.com. So I then changed the Zone ID in Authorization to domain2.com, reran, and voila, success! I then re-added a domain and its wildcard back into the list (domain3.com and *.domain3.com), changed the Zone ID to domain3.com, ran Request Certificate, and again, success. I re-added domain4.com and *.domain4.com to the list, changed the Zone ID to domain4.com, ran Request Certificate, and again, success.

I now have all 4 domains again into a single certificate.

It appears that when generating a certificate via DNS for multiple domains, CTW writes all the ACME TXT records to one of the domains, which causes the Zone ID domain to fail. If I add them back in one at a time, changing the Zone ID to the previously listed failed authorization, the process works.

QUESTION: When generating a single certificate for multiple domains, why doesn't CTW write the ACME TXT records to their respective domains in DNS instead of all to one domain? As it stands, I have to jump through the hoops listed above for success. Based on the logs, it appears it fails because, near the end, it attempts to validate a domain which doesn't have an ACME TXT record for its domain, because it's written to another domain in the list.

I suspect that if the ACME TXT records were written to their respective domains regardless of Zone ID, it would be successful every time. This is based on the above process of what I had to do to get it to work. I'm afraid I don't understand the purpose of Zone ID, but it appears that my troubles are related to that implementation.

Any clarity on this would be really appreciated! Thanks all, I really can't say it enough, CTW is brilliant. Unfortunately I can't automate, as I need to do this unwieldy process for success. If there is ANY WAY I can help resolve this I'm more than happy to do so, please just ask. And if it's because I'm ignorant of something I'm overlooking, please fill in the blanks for me.

Original post, log removed:
I've successfully renewed my certificate for multiple domains for a few months now, and even have scripting working.

The last 2 days are yielding failures, though, and I can't figure out what's going on. I do see problems in the log, which I'm pasting below.

Reviewing the logs from earlier and where the latest differs from a success, it appears the "creating certificate order" process is where it's failing, setting up the rest of the process to fail as well.

I run a test first and it completes without error. I've rebooted the machine and ensured I can reach acme-v02.api.letsencrypt.org (104.109.194.172). Nothing in my control has changed.

Can anyone provide some enlightenment and a fix? Again, absolutely nothing has changed with the machine, the API creds, the DNS setup, etc., since all previous successes. It's writing the TXT challenge records.

Here's the log; all looks correct except that at the end it just fails.

(Update: Retrying removed the JWS anti-nonce error, but now it just fails at the end. Everything appears to work the way it should. The DNS records are being written by the API; I confirm they're all there.)

Thanks for any help, I'm absolutely stumped. Sorry about the bold, no idea why it's doing this, but at least I'm able to post the log, as before it was limiting based on links.

(Update 2: I've now hit a rate limit and can no longer even begin the renewal process. Going downhill fast for me here. Please, anyone have any ideas? I'm stressing out.)

Hi, the general design for multiple DNS zones in one certificate is to add multiple authorization configurations; that way you can set a different Zone ID in each one. Alternatively, set up a managed certificate per zone.

Regarding rate limits, it depends which one you have hit, but the usual workaround is to add a different domain or subdomain to the certificate so that it's seen as a new certificate by Let's Encrypt.

Update Final: It works perfectly! I couldn't stand it, I had to test it out. So smooth, no leftover ACME TXT records all over my DNS records!! I feel a bit foolish missing that bit, but on the plus side you filled in the final question mark for me and I understand it now top to bottom.

Here's something odd, though not critical. Now when I run a test with the auth for each domain configured, the tests pass fine, but I get a notice that "IIS wasn't available, likely because an IIS website isn't configured"; it then proceeds to run the tests and everything passes. I never got that notice when I had it misconfigured with a single Zone ID. The summary confirms my triple checking that I had no options to use IIS in the whole thing. Not sure why CTW cares now, but it's fine as it all works perfectly.

Thanks again, your help is sooo appreciated!!

Update: I figured there wouldn't be a problem if I just set it up and confirmed before I ran it.

I now have 4 configs listed in the auth section, 1 for each domain.
In the Domain Match field for each, I listed domain1.com; *.domain1.com with the Zone ID domain1.com, and did that for all 4 domains.

CTW even populated each added auth config with the same info (DNS-01, API provider, API creds), so I suspect this is the correct method.

I haven't pulled the trigger yet because I just got the renewed certificate earlier today, but if I can get confirmation that I've got it right, I'll sleep well knowing it should do its thing correctly on the next go round!

Thanks again for taking time to turn on the lightbulb for me, the relief I’m feeling about the whole process is palpable. :slight_smile:

Original post:
Thank you SO MUCH for the reply!! Is that what "Add Configurations" would do? Forgive my noobness, this is all fairly new to me. I suppose when I set this up I read the text about its purpose and assumed it would be specifically for another type of auth.

So, to make this single certificate cover all domains (what I've been doing), I should leave all the domains in the Certificate Domains section selected, but in the Authorization section, instead of just picking one Zone ID, I should Add Configuration for EACH of the 4 root domains, and THEN when I obtain a certificate next time, it will authorize each root domain I've added a configuration for? That sure makes sense, man I feel a bit foolish now.

Can you confirm I've got it right before I go and change it? A simple "You got it" would suffice. If not, maybe point me in the right direction.

Again, eternal thanks for taking the time and spelling it out; it was the only portion that never made sense and I've always been baffled by. If I interpreted your reply correctly, there will be no more mysteries! :slight_smile:

On the rate limit, I believe shuffling through the Zone IDs did the same thing, as once I changed it as described I was able to get the cert. If your explanation of Zone IDs fixes me up, I'd bet I'll not have to worry about rate limits again!
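The reply above (one authorization configuration per DNS zone, each with its own Zone ID) and the four-config setup described in the post can be checked before a renewal is attempted. The following is an added illustration written for this page, not Certify The Web's own code or a description of its internals. It models the thread's situation: eight certificate identifiers across four zones, a Domain Match list and a Zone ID per authorization configuration, and a pre-flight check that reports where each `_acme-challenge` TXT record would be written. The matching rules (a semicolon-separated Domain Match list, `*.example.com` matching any name under example.com, an empty match meaning "match everything") and the domain names are assumptions made for the example.

```python
"""Pre-flight check for DNS-01 across several DNS zones.

Added illustration only (not Certify The Web's code). Models one certificate
whose identifiers span four zones, plus the authorization configurations
that decide which zone the DNS provider API writes each TXT record into.
Matching rules below are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass
class AuthConfig:
    zone_id: str            # zone the DNS API writes into (assumed semantics)
    domain_match: str = ""  # e.g. "domain1.com; *.domain1.com"; "" = match all


def challenge_name(identifier: str) -> str:
    """RFC 8555 section 8.4: the TXT record is _acme-challenge.<identifier>;
    for a wildcard the leading '*.' is dropped, so domain1.com and
    *.domain1.com share one record name (two TXT values)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.lower().rstrip('.')}"


def in_zone(name: str, zone: str) -> bool:
    """True if a record name is at or below the zone apex."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def pattern_matches(pattern: str, identifier: str) -> bool:
    """Assumed Domain Match semantics: exact name, or '*.x' for the
    wildcard identifier itself and any name under x. Empty matches all."""
    pattern, identifier = pattern.strip().lower(), identifier.lower()
    if not pattern:
        return True
    if pattern.startswith("*."):
        if identifier == pattern:
            return True
        return identifier.endswith(pattern[1:]) and not identifier.startswith("*.")
    return identifier == pattern


def select_config(identifier, configs):
    """First configuration whose Domain Match covers the identifier."""
    for cfg in configs:
        if any(pattern_matches(p, identifier) for p in cfg.domain_match.split(";")):
            return cfg
    return None


def plan_records(identifiers, configs):
    """Return (plan, problems): plan maps zone -> TXT names written there;
    problems lists identifiers whose record would land in a zone the CA
    never queries for that name (the failure mode described in the thread)."""
    plan, problems = {}, []
    for ident in identifiers:
        cfg = select_config(ident, configs)
        name = challenge_name(ident)
        if cfg is None:
            problems.append(f"{ident}: no authorization configuration matches")
            continue
        plan.setdefault(cfg.zone_id, []).append(name)
        if not in_zone(name, cfg.zone_id):
            problems.append(f"{ident}: {name} would be written into zone "
                            f"{cfg.zone_id}, where the CA will never look for it")
    return plan, problems


# Constructed sample input: the four root domains and their wildcards.
CERT_DOMAINS = ["domain1.com", "*.domain1.com", "domain2.com", "*.domain2.com",
                "domain3.com", "*.domain3.com", "domain4.com", "*.domain4.com"]

# Misconfiguration from the thread: one configuration, one Zone ID, matching all.
SINGLE_ZONE = [AuthConfig(zone_id="domain1.com")]

# Fix from the thread: one configuration per root domain, each with its own Zone ID.
PER_ZONE = [AuthConfig(zone_id=f"domain{i}.com",
                       domain_match=f"domain{i}.com; *.domain{i}.com")
            for i in range(1, 5)]

if __name__ == "__main__":
    for label, cfgs in (("single Zone ID", SINGLE_ZONE), ("one config per zone", PER_ZONE)):
        plan, problems = plan_records(CERT_DOMAINS, cfgs)
        print(f"[{label}] records per zone:", {z: len(n) for z, n in plan.items()})
        for p in problems:
            print("  PROBLEM:", p)
```

With the single configuration all eight records land in domain1.com and six are flagged; with one configuration per zone every `_acme-challenge` name sits inside the zone it is written to and nothing is flagged. Running a check like this before clicking Request Certificate avoids burning failed-validation and order rate limits on a predictable misconfiguration.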

Hi, sorry, I was off camping with my son. Yep, sounds like you have it all working!

Hey there, no worries, priorities are in order! Hope you had a wonderful time. Nothing I'd rather do than spend time with my son too!

I am grateful beyond words for the quick reply you did fire off. I obsess over problems, and your help was the difference between freaking out and getting it fixed. Again, thanks for everything you do; CTW makes the amazing work that is Let's Encrypt accessible in a way it just wouldn't otherwise be to many.

So happy, have a wonderful week my friend!
