LetsEncrypt Issue
- Thread starter AidySmith
- Start date
Even more interesting: I've asked my provider to run bash -x letsencrypt.sh domain renew because smtalk needed it to understand something.
Now in such domain I have
_acme-challenge-test="0"
_acme-challenge="xxxxxxxxxxxxxxxxxxxx" (proper token)
NB:
_acme-challenge-test="0"
is what I wrote manually days ago because DA wasn't able to create the record from scratch but was able to update it (see post #19).
In fact I then used the DA->LE function in the web interface and the "0" was overwritten with a token after 1 minute.
Now the original value is back... back from where?! And the proper _acme-challenge has also appeared on the scene for the first time.
So it seems that running letsencrypt.sh from the terminal works properly while via DA web interface does not.
Now in such domain I have
_acme-challenge-test="0"
_acme-challenge="xxxxxxxxxxxxxxxxxxxx" (proper token)
NB:
_acme-challenge-test="0"
is what I wrote manually days ago because DA wasn't able to create the record from scratch but was able to update it (see post #19).
In fact I then used the DA->LE function in the web interface and the "0" was overwritten with a token after 1 minute.
Now the original value is back... back from where?! And the proper _acme-challenge has also appeared on the scene for the first time.
So it seems that running letsencrypt.sh from the terminal works properly while via DA web interface does not.
Last edited:
Richard G
Verified User
Still I wonder why you get the _acme-challenge-test. It's good to now you're running external nameservers. And I hope you don't have to run to the bush people on renewing. 
According to SMtalk (and everybody in fact), auto-renewal can't be done with wildcard certificates and external DNS. We all use the pre-check which is present in DNS.
It would be a nice solution if this issue with external dns could be fixed when auto renewal would use the -test.
However, it's odd that on manual renew you now have two records, amongst which 1 proper one:
So I will just wait and be curious to the result of smtalk's investigations.
Thanks for the update!
According to SMtalk (and everybody in fact), auto-renewal can't be done with wildcard certificates and external DNS. We all use the pre-check which is present in DNS.
It would be a nice solution if this issue with external dns could be fixed when auto renewal would use the -test.
However, it's odd that on manual renew you now have two records, amongst which 1 proper one:
Code:
Now in such domain I have
_acme-challenge-test="0"
_acme-challenge="xxxxxxxxxxxxxxxxxxxx" (proper token)Thanks for the update!
Richard G
Verified User
I highly doubt it, smtalk is a real troubleshooter, he survives everywhere I guess. 
Thank you for update, but I don't know why my server still same problem:
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.xxxxxx.net IN TXT "pre-check", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
DNS validation failed. Exiting...
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.xxxxxx.net IN TXT "pre-check", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
DNS validation failed. Exiting...
Are you sure that domain nameservers are pointed to the server you're generating the cert on? If yes, I'd suggest creating a ticket at tickets.directadmin.com.
ikkeben
Verified User
Don't know or it matters but Letsencrypt is also busy with changes to the v2 version.
Does someone knows if those are giving problems as in this topic or else / other?
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
and this one
https://community.letsencrypt.org/t...velopers-regarding-acme-v1-deprecation/100795
You can check some more info abour LE certs here on this site, also the advanced option is nice there.
https://crt.sh/
Does someone knows if those are giving problems as in this topic or else / other?
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
and this one
https://community.letsencrypt.org/t...velopers-regarding-acme-v1-deprecation/100795
You can check some more info abour LE certs here on this site, also the advanced option is nice there.
https://crt.sh/
Last edited:
@Richard
In the end I understand the obvious: the important thing to have a certificate no matter how.
Let's hope for the renewal of the 60+ domains that, being a migration, it will happen basically in 1 day for all of them. I'm getting ready to join the alaskan bush people, just in case....
He says it's not a problem because the DNS about the acme challenge could exists or not, doesn't matter.
In the end I understand the obvious: the important thing to have a certificate no matter how.
Let's hope for the renewal of the 60+ domains that, being a migration, it will happen basically in 1 day for all of them. I'm getting ready to join the alaskan bush people, just in case....
ikkeben
Verified User
@Richard
He says it's not a problem because the DNS about the acme challenge could exists or not, doesn't matter.
In the end I understand the obvious: the important thing to have a certificate no matter how.
Let's hope for the renewal of the 60+ domains that, being a migration, it will happen basically in 1 day for all of them. I'm getting ready to join the alaskan bush people, just in case....
Don't know take care of rate limits (subdomains) or other separate parts for those 60
Richard G
Verified User
@Rik: Sorry I don't understand this sentence (I'm not native English):
Ofcourse it's important to have a certificate, but it's odd you got it renewed with creating a -test challenge entry yourself.
You're using external DNS correct? He says wildcard does not work with external DNS, but you have it working so I don't understand what this means.
Ofcourse it's important to have a certificate, but it's odd you got it renewed with creating a -test challenge entry yourself.
@Richard
Recap the new behaviour.
Letsencrypt.sh 1.1.31 and non local nameserver
- I create a new account
- From the panel I run LE as usual, ticking "Wildcard"
- In a matter of seconds I get a working certificate for *.domain.tld and domain.tld
- In the DNS I found the new record _acme-challenge-test with value "pre-check" and TTL 5
No more tokens, no more _acme-challenge, only _acme-challenge-test="pre-check"
It's a total new behaviour.
For the next account I won't be surprised if I get something like
_acme-challenge-evil="spooooooky!" ttl=666
Basically it's all ok regardless of the presence of the acme challenge record and regardless of its value.
Since halloween is coming let's add some weirdness: I don't even need to create _acme-challenge-test manually anymore.
Recap the new behaviour.
Letsencrypt.sh 1.1.31 and non local nameserver
- I create a new account
- From the panel I run LE as usual, ticking "Wildcard"
- In a matter of seconds I get a working certificate for *.domain.tld and domain.tld
- In the DNS I found the new record _acme-challenge-test with value "pre-check" and TTL 5
No more tokens, no more _acme-challenge, only _acme-challenge-test="pre-check"
It's a total new behaviour.
For the next account I won't be surprised if I get something like
_acme-challenge-evil="spooooooky!" ttl=666
Richard G
Verified User
Yes but what is ok? The script or the fact that in your case things are working while they should not work since you use external DNS?
Yes oke, but is this new behaviour being "as designed" so did SMtalk fix it so it will work now with wildcards when using external nameservers?
And is this only working when creating new domains or is this also working on renewal?
I still find it very confusing. What is the official "working as designed" way with Letsencrypt.sh 1.1.31?
ikkeben
Verified User
About pre-check.
This test here should or could? i don't know about that?
give 2 as result at one "date/time" one with pre-check
You can check some more info abour LE certs here on this site, also the advanced option is nice there.
https://crt.sh/
then result pre > Precertificate:
result second normal > Leaf certificate:
Take a look click on your cert sh id's there
This test here should or could? i don't know about that?
give 2 as result at one "date/time" one with pre-check
You can check some more info abour LE certs here on this site, also the advanced option is nice there.
https://crt.sh/
then result pre > Precertificate:
result second normal > Leaf certificate:
Take a look click on your cert sh id's there
@Richard
I dont' have the answers to your questions. These answers can only be answered from the DA team.
I can only say that I've just created a new account 5 minutes ago, and running LE for the first time has resulted in the same latter behaviour:
_acme-challenge-test="pre-check"
and the wildcard certificate is working properly in a matter of seconds (with non local nameserver).
I reckon/hope yes. At the moment I only know for sure that relaunching LE for the second time returns no errors.
I dont' have the answers to your questions. These answers can only be answered from the DA team.
I can only say that I've just created a new account 5 minutes ago, and running LE for the first time has resulted in the same latter behaviour:
_acme-challenge-test="pre-check"
and the wildcard certificate is working properly in a matter of seconds (with non local nameserver).
From your question depends me joining the alaskan bush people or not.
I reckon/hope yes. At the moment I only know for sure that relaunching LE for the second time returns no errors.Maybe it's working since LE 1.1.31
Richard G
Verified User
That could be the case. Thank you in any case for sharing your test results. I don't have another domain to create at this moment on the vps with external DNS but will test as soon as I do.
Due to your positive results I've decided to stay for the moment and not join the alaskan bush people, maybe on the next crisis.
Anyone can tell me which version with out "pre-check" and _acme-challenge-test? because the old version of LE plugin, I have no problem, however after change to _acme-challenge-test.xxxxxx.net IN TXT "pre-check" it 100% faild, Thank you so much
Last edited: