LetsEncrypt Issue

AidySmith

Verified User
Joined
Dec 10, 2017
Messages
59
Location
UK
Requesting new certificate order...
Nonce is empty. Exiting. dig output of acme-v02.api.letsencrypt.org:
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248
Full nonce request output:
HTTP/2 200
server: nginx
date: Tue, 24 Sep 2019 20:06:16 GMT
cache-control: public, max-age=0, no-cache
link: ;rel="index"
replay-nonce: 0002_7rYVlCqCmNH37n-iPjh7_q4DGmNoGCayTNTHpB8bjo
x-frame-options: DENY
strict-transport-security: max-age=604800
 
I updated which first gave an error then seconds time it worked fine.

Now trying to add to a different domain and its saying...

Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.hautetownbooking.com IN TXT "pre-check", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
DNS validation failed. Exiting...

That fails then instead of selecting a wildcard I select them individually which works, very strange.
 
I updated which first gave an error then seconds time it worked fine.

Now trying to add to a different domain and its saying...

Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.hautetownbooking.com IN TXT "pre-check", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
DNS validation failed. Exiting...

That fails then instead of selecting a wildcard I select them individually which works, very strange.

1.1.29 should have this solved :)
 
Well, the problem seems back in 1.1.30

I'm having the issue now on a VPS with a personal license but fully up 2 date:
Code:
[root@server: /usr/local/directadmin/scripts]# ./letsencrypt.sh renew my-domain.com
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.my.domain.com IN TXT "pre-check", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
etc.
etc.
etc.

Nameservers are set to:
Code:
[root@server: ~]# less /etc/resolv.conf 
search invalid
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 213.136.95.11
nameserver 213.136.95.10
Last 2 are from the vps host. First 2 are added after it Letsencrypt failed the first time.
 
Sorry, but without domain name - no :) As it's likely hosted elsewhere, or has wrong TTL. Not sure. It's not related to the initial issue fixed in 1.1.29.
 
Oke the hostname is mike-modding.com which is running on a VPS.
Since it only has 1 ip address the nameservers are running on the DNS of the domain provider.

I made some screenshots for you. This is from userlevel:
screenshot-mike-modding.com_2222-2019.09.29-15_28_41.png

When I go to administrator level and select "list administrators" and click on admin it's like this:
Code:
Name Server 1	ns1.mike-modding.com		
Name Server 2	ns2.mike-modding.com

But when I then click on the upper right corner on "admin's user data" it shows:
Code:
Name Server 1	ns1.vimexx.nl
Name Server 2	ns2.vimexx.nl
 
Well... I had kind of the same issue with one of my company's domain on the dedicated server I had never issues with:

Code:
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
Requesting new certificate order...
Processing authorization for company.nl...
Challenge is valid.
Processing authorization for company.nl...
DNS challenge test fail for _acme-challenge.company.nl IN TXT "MUbeR1_jo21xo3CavxxJFWxBRiqS8BqZs533daXZ1Bs", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for company.nl...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/company.nl.key.new"
Generating RSA private key, 4096 bit long modulus
...............................++
.............................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for company.nl has been created successfully!

So at the end it did create a certificate, but those challenge tests fails is odd isn't it?
 
Any fix for post #8?
I also got this issue on the server where the retry also failed a lot of times before it worked with another account.
 
Well... I had kind of the same issue with one of my company's domain on the dedicated server I had never issues with:

Code:
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
Requesting new certificate order...
Processing authorization for company.nl...
Challenge is valid.
Processing authorization for company.nl...
DNS challenge test fail for _acme-challenge.company.nl IN TXT "MUbeR1_jo21xo3CavxxJFWxBRiqS8BqZs533daXZ1Bs", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for company.nl...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/company.nl.key.new"
Generating RSA private key, 4096 bit long modulus
...............................++
.............................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for company.nl has been created successfully!

So at the end it did create a certificate, but those challenge tests fails is odd isn't it?

Nothing wrong with it, it means DNS entry wasn't there until that time. It kept retrying every 15secs to check if it's there. Regarding your other post:
Since it only has 1 ip address the nameservers are running on the DNS of the domain provider.

This is likely the problem, as it needs to be hosted on the same server, or DNS changes synced immediately.
 
it means DNS entry wasn't there until that time.
I don't understand. Which DNS entry wasn't there? That domein exists already for many years.

As for the post #8 question:
This is likely the problem, as it needs to be hosted on the same server, or DNS changes synced immediately.
Isn't this the case when you look at the screenshots I posted?
Maybe I wrote it wrong. Nameserver is also running locally, but with the registrar the nameservers point to the registrars DNs server.

Or must we conclude that letsencrypt updates only take place when running your own nameserver locally? That would mean a lot of vps systems can't update automatically.
Because it's not done to run 2 nameservers on a single ip, correct?
That would be odd because we had a VPS with single ip on Contabo using Contabo's nameservers and no issues on renewing Letsencrypt.
 
I don't understand. Which DNS entry wasn't there? That domein exists already for many years.

As for the post #8 question:

Isn't this the case when you look at the screenshots I posted?
Maybe I wrote it wrong. Nameserver is also running locally, but with the registrar the nameservers point to the registrars DNs server.

Or must we conclude that letsencrypt updates only take place when running your own nameserver locally? That would mean a lot of vps systems can't update automatically.
Because it's not done to run 2 nameservers on a single ip, correct?
That would be odd because we had a VPS with single ip on Contabo using Contabo's nameservers and no issues on renewing Letsencrypt.


Hi Richard.
Contabo we have one 2 but not DA control panel.

We only use there the DNS and nameservers of Contabo self.

So don't using nameserver and dns on the VPS itself. is working for other panel ( don't have wildcard LE - that is different and... then ), here in forum is some info and also question about not using DNS on DA boxes.

I asked also others what to do with DKIM then, ALex replied good Question.

Or having double dns is hurting i don't know more work yes.

Some links https://forum.directadmin.com/showthread.php?t=58206


Don't know if using more nameservers ( meaning the normal from registrar / hosters and extra also own on the box) hurts i gues if not using options as master slave well.. parent child glue and so on, also having problems with some double settings local dns differences and so on depending where the CP and all LE gets their information .

If having more nameservers, then you don't know upfront which service is using which nameserver cachings and more, makes troubleshooting difficult then. ( when having then a kind of double own on your box and thos from registrar / hoster i mean even more difficult for troubleshooting)

Alle test you do yourself could give false positives then , some online services do tests from several locations. >> ( not gving much info https://dnsmap.io but as example

For wildcard LE do you need to run DNS and nameservers on the same BOX as DA and domains are on?
 
Last edited:
Hello Ikkeben.

I don't know how I can not use dns and nameserver on the DNS itself. Because I'm sure there are other verification ways then only DNS verification.
As for DKIM that is not a big deal. Directadmin creates DKIM records, you only have to copy those to your external DNS and it works that way. However you must be able to see the record to be able to copy it indeed.

For wildcard LE do you need to run DNS and nameservers on the same BOX as DA and domains are on?
Yes it looks that way. But it would be nice if other verification methods for wildcards could also be implemented in case of external DNS use.
I have now created a new certificate, so no wildcard certificate but a "normal" certificat and just selected all options manually (like ftp and mail etc.) so it's almost the same as wildcard, and now indeed it works.
Thank you for this tip!
Now we have to wait if automatic verification works next time. If not, I will suggest my friend to use an extra ip.

Still.... I heard there were other verification methods which could be used in case of external DNS.
 
As you have a contabo vps account you should have also customer interface where you can handle set dns for your domains. ( DNSSEC and so still no support sofar i know there)

Don't know if this is for every vps / customer.

Then yup the NODNS directadmin should be nice having good solution for DKIM. and those wildcard LE....?
 
As said, my friend have a Contabo VPS but are using the DNS from the registrar. I also have access to this DNS. We could also use Contabo DNS but that makes no difference.

NODNS does not mean that there is no dns, only that the user has no dns. However, this is a personal license which only has the admin user, which has DNS access anyway.

Wildcard DNS can't be used, not even with nodns, because the Letsencrypt methode can't change the DNS setting (to add the acme-challenge line) in the DNS of either Contabo or the registrar.
That's also what SMtalk says. Wildcard SSL is not possiible when not using your own DNS server locally, which require's 2 ip's at least.

We don't have DKIM issue because we copied the DKIM line from DA dns section to the registrars DNS section which is working fine.
 
We don't have DKIM issue because we copied the DKIM line from DA dns section to the registrars DNS section which is working fine.

Is only possible if yes DNS is for that domain / user on DA, is ok.

BUT It should be possible to have all DNS external third party (if you like geodns things ddos dns and so on) and still DKIM on DA and Wildcard LE. THIS IS NOT for the moment :(
 
Is only possible if yes DNS is for that domain / user on DA, is ok.
You can also do this as Admin or Reseller for the user if Dns management is set to no for the user. The user can't do it himself indeed in that case.

There is room for improvement when external DNS is used, but that is off-topic here, but a good thing for the feature request section.
I added a +1 at your request.

My issue is solved for the moment. ;)
 
About the initial problem (from post #1 to #3),
I've found the problem it's simply DA unable to create the txt record _acme-challenge-test from scratch.
From the DNS management I've created the txt record _acme-challenge-test and it worked immediately.
 
From the DNS management I've created the txt record _acme-challenge-test and it worked immediately.
Are you sure everything is working as it should? Because this looks to me as a test method due to the -test behind the line.
Normally only the _acme-challenge is used as TXT record with a verification code which changes every time.
 
Back
Top