LetsEncrypt Issue

_rik_

Verified User
Joined
Sep 25, 2019
Messages
24
Location
England
@Richard
I can also reply to your previous question for sure because I've asked: the webserver is connected to external nameserver servers and runs all DNS via those 2 servers.
 

_rik_

Verified User
Joined
Sep 25, 2019
Messages
24
Location
England
Even more interesting: I've asked my provider to run bash -x letsencrypt.sh domain renew because smtalk needed it to understand something.
Now in such domain I have
_acme-challenge-test="0"
_acme-challenge="xxxxxxxxxxxxxxxxxxxx" (proper token)


NB:
_acme-challenge-test="0"
is what I wrote manually days ago because DA wasn't able to create the record from scratch but was able to update it (see post #19).
In fact I then used the DA->LE function in the web interface and the "0" was overwritten with a token after 1 minute.
Now the original value is back... back from where?! And the proper _acme-challenge has also appeared on the scene for the first time.

So it seems that running letsencrypt.sh from the terminal works properly while via DA web interface does not.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
Still I wonder why you get the _acme-challenge-test. It's good to know you're running external nameservers. And I hope you don't have to run to the bush people on renewing. ;)

According to SMtalk (and everybody in fact), auto-renewal can't be done with wildcard certificates and external DNS. We all use the pre-check which is present in DNS.
It would be a nice solution if this issue with external dns could be fixed when auto renewal would use the -test.

However, it's odd that on manual renew you now have two records, amongst which 1 proper one:
Code:
Now in such domain I have
_acme-challenge-test="0"
_acme-challenge="xxxxxxxxxxxxxxxxxxxx" (proper token)
So I will just wait and be curious to the result of smtalk's investigations.
Thanks for the update!
 

_rik_

Verified User
Joined
Sep 25, 2019
Messages
24
Location
England
Hi Richard,
And I hope you don't have to run to the bush people on renewing. ;)
At the moment I only hope SMtalk has not already joined the Alaskan bush people... ;)
 

glio

Verified User
Joined
Jan 8, 2008
Messages
54
Thank you for the update, but I don't know why my server still has the same problem:

Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.xxxxxx.net IN TXT "pre-check", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
DNS validation failed. Exiting...
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,340
Location
LT, EU
Thank you for the update, but I don't know why my server still has the same problem:

Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.xxxxxx.net IN TXT "pre-check", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
DNS validation failed. Exiting...
Are you sure that domain nameservers are pointed to the server you're generating the cert on? If yes, I'd suggest creating a ticket at tickets.directadmin.com.
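
The check asked for in the reply above, written out as an added example (not DirectAdmin's code and not part of any post): it asks every nameserver the zone is delegated to whether `_acme-challenge-test` carries the `pre-check` value shown in the log. It assumes `dig` is installed; `txt_matches`, `check_precheck` and the `DIG` override are hypothetical names.

```shell
#!/bin/sh
# Added example: is the dns-01 pre-check TXT record visible on every
# nameserver the zone is delegated to? Function names are hypothetical.

# txt_matches EXPECTED: reads `dig +short TXT` output on stdin and succeeds
# if any answer equals EXPECTED. dig prints TXT data quoted and splits long
# values as "part1" "part2", so quotes are stripped and the parts joined.
txt_matches() {
    while IFS= read -r line; do
        value=$(printf '%s' "$line" | sed -e 's/" "//g' -e 's/"//g')
        [ "$value" = "$1" ] && return 0
    done
    return 1
}

# check_precheck ZONE [EXPECTED]: looks up the NS set for ZONE, then queries
# each of those servers directly, bypassing resolver caches.
# Returns 0 if all servers answer with EXPECTED, 1 if any do not,
# 2 if no NS records came back. Set DIG to use another binary or a stub.
check_precheck() {
    zone=$1
    expected=${2:-pre-check}
    dig_cmd=${DIG:-dig}
    name="_acme-challenge-test.$zone"
    missing=0
    servers=$("$dig_cmd" +short NS "$zone")
    [ -n "$servers" ] || { echo "no NS records returned for $zone"; return 2; }
    for ns in $servers; do
        if "$dig_cmd" +short TXT "$name" "@${ns%.}" | txt_matches "$expected"; then
            echo "OK      $ns"
        else
            echo "MISSING $ns"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage (placeholder zone): check_precheck example.net
```

A `MISSING` line for a nameserver that is not the server running the panel means the record was written to a zone that the public delegation does not point at.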
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
642
Location
Netherlands Germany

_rik_

Verified User
Joined
Sep 25, 2019
Messages
24
Location
England
@Richard
So I will just wait and be curious to the result of smtalk's investigations.
Thanks for the update!
He says it's not a problem because the DNS about the acme challenge could exist or not, doesn't matter. :confused:
In the end I understand the obvious: the important thing is to have a certificate no matter how. ;)
Let's hope for the renewal of the 60+ domains that, being a migration, it will happen basically in 1 day for all of them. I'm getting ready to join the Alaskan bush people, just in case.... ;) ;) ;)
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
642
Location
Netherlands Germany
@Richard

He says it's not a problem because the DNS about the acme challenge could exist or not, doesn't matter. :confused:
In the end I understand the obvious: the important thing is to have a certificate no matter how. ;)
Let's hope for the renewal of the 60+ domains that, being a migration, it will happen basically in 1 day for all of them. I'm getting ready to join the Alaskan bush people, just in case.... ;) ;) ;)
Don't know; take care of rate limits (subdomains) or other separate parts for those 60.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
@Rik: Sorry, I don't understand this sentence (I'm not native English):
He says it's not a problem because the DNS about the acme challenge could exist or not, doesn't matter.
You're using external DNS, correct? He says wildcard does not work with external DNS, but you have it working so I don't understand what this means.
Of course it's important to have a certificate, but it's odd you got it renewed with creating a -test challenge entry yourself.
 

_rik_

Verified User
Joined
Sep 25, 2019
Messages
24
Location
England
@Richard
Sorry, I don't understand this sentence (I'm not native English):
He says it's not a problem because the DNS about the acme challenge could exist or not, doesn't matter.
Basically it's all ok regardless of the presence of the acme challenge record and regardless of its value.

You're using external DNS, correct? He says wildcard does not work with external DNS, but you have it working so I don't understand what this means.
Of course it's important to have a certificate, but it's odd you got it renewed with creating a -test challenge entry yourself.
Since Halloween is coming let's add some weirdness: I don't even need to create _acme-challenge-test manually anymore. ;)

Recap the new behaviour.
Letsencrypt.sh 1.1.31 and non local nameserver
- I create a new account
- From the panel I run LE as usual, ticking "Wildcard"
- In a matter of seconds I get a working certificate for *.domain.tld and domain.tld
- In the DNS I found the new record _acme-challenge-test with value "pre-check" and TTL 5
No more tokens, no more _acme-challenge, only _acme-challenge-test="pre-check"

It's a totally new behaviour.
For the next account I won't be surprised if I get something like
_acme-challenge-evil="spooooooky!" ttl=666 ;) ;) ;) ;)
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
Basically it's all ok regardless of the presence of the acme challenge record and regardless of its value.
Yes but what is ok? The script or the fact that in your case things are working while they should not work since you use external DNS?

It's a totally new behaviour.
Yes, okay, but is this new behaviour being "as designed" so did SMtalk fix it so it will work now with wildcards when using external nameservers?
And is this only working when creating new domains or is this also working on renewal?

I still find it very confusing. What is the official "working as designed" way with Letsencrypt.sh 1.1.31?
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
642
Location
Netherlands Germany
About pre-check.

This test here should or could? I don't know about that?

give 2 as result at one "date/time" one with pre-check

You can check some more info about LE certs here on this site, also the advanced option is nice there.
https://crt.sh/

then result pre > Precertificate:

CT Precertificate Poison: critical
0000 - 05 00
result second normal > Leaf certificate:
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Take a look click on your cert sh id's there
 

_rik_

Verified User
Joined
Sep 25, 2019
Messages
24
Location
England
@Richard
I don't have the answers to your questions. These answers can only be answered from the DA team.
I can only say that I've just created a new account 5 minutes ago, and running LE for the first time has resulted in the same latter behaviour:
_acme-challenge-test="pre-check"
and the wildcard certificate is working properly in a matter of seconds (with non local nameserver).

And is this only working when creating new domains or is this also working on renewal?
From your question depends me joining the Alaskan bush people or not. ;) I reckon/hope yes. At the moment I only know for sure that relaunching LE for the second time returns no errors.

did SMtalk fix it so it will work now with wildcards when using external nameservers?
Maybe it's working since LE 1.1.31
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
Maybe it's working since LE 1.1.31
That could be the case. Thank you in any case for sharing your test results. I don't have another domain to create at this moment on the vps with external DNS but will test as soon as I do.

Due to your positive results I've decided to stay for the moment and not join the Alaskan bush people, maybe on the next crisis. :D
 

glio

Verified User
Joined
Jan 8, 2008
Messages
54
Thanks, yes that is the main domainname @server, but it only happening for wild card.
 

glio

Verified User
Joined
Jan 8, 2008
Messages
54
Anyone can tell me which version without "pre-check" and _acme-challenge-test? Because the old version of LE plugin, I have no problem, however after change to _acme-challenge-test.xxxxxx.net IN TXT "pre-check" it 100% failed. Thank you so much.
 

_rik_

Verified User
Joined
Sep 25, 2019
Messages
24
Location
England
Hi Glio,
the 1.1.25 is the last one without _acme-challenge-test and pre-check
 