
Problem validating certain subdomains

I am trying to create a SAN certificate for prod-api.glucura.io and prod-db.glucura.io. I am using goacme/lego v4.14 with DNS validation. The same method works for stage-api.glucura.io and stage-db.glucura.io.

This is the output of lego:
 

2024/01/04 11:35:53 No key found for account [redacted]. Generating a P256 key.
2024/01/04 11:35:53 Saved key to /.lego/accounts/api.buypass.com/[redacted]/keys/[redacted].key
2024/01/04 11:35:53 [INFO] acme: Registering account for [redacted]
2024/01/04 11:35:54 [INFO] [prod-api.glucura.io, prod-db.glucura.io] acme: Obtaining bundled SAN certificate
2024/01/04 11:35:55 [INFO] [prod-api.glucura.io] AuthURL: https://api.buypass.com/acme-v02/authz/pTtn13dzI9dcnyfxUqVcX8vlVli3iuHLcnKH9UV-P1Y
2024/01/04 11:35:55 [INFO] [prod-db.glucura.io] AuthURL: https://api.buypass.com/acme-v02/authz/x43WxCWUaKNQZR2q_y0YVF25HMc7bYBZESFaAcHu-pU
2024/01/04 11:35:55 [INFO] [prod-api.glucura.io] acme: Could not find solver for: http-01
2024/01/04 11:35:55 [INFO] [prod-api.glucura.io] acme: use dns-01 solver
2024/01/04 11:35:55 [INFO] [prod-db.glucura.io] acme: Could not find solver for: http-01
2024/01/04 11:35:55 [INFO] [prod-db.glucura.io] acme: use dns-01 solver
2024/01/04 11:35:55 [INFO] [prod-api.glucura.io] acme: Preparing to solve DNS-01
2024/01/04 11:35:56 [INFO] [prod-db.glucura.io] acme: Preparing to solve DNS-01
2024/01/04 11:35:57 [INFO] [prod-api.glucura.io] acme: Trying to solve DNS-01
2024/01/04 11:35:57 [INFO] [prod-api.glucura.io] acme: Checking DNS record propagation using [1.1.1.1:53]
2024/01/04 11:35:59 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2024/01/04 11:35:59 [INFO] [prod-api.glucura.io] acme: Waiting for DNS record propagation.
2024/01/04 11:36:01 [INFO] [prod-api.glucura.io] acme: Waiting for DNS record propagation.
2024/01/04 11:36:03 [INFO] [prod-api.glucura.io] acme: Waiting for DNS record propagation.
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/01/04 11:36:05 [INFO] [prod-api.glucura.io] acme: Waiting for DNS record propagation.
2024/01/04 11:36:07 [INFO] [prod-api.glucura.io] acme: Waiting for DNS record propagation.
2024/01/04 11:36:09 [INFO] [prod-api.glucura.io] acme: Waiting for DNS record propagation.
2024/01/04 11:36:11 [INFO] [prod-api.glucura.io] acme: Waiting for DNS record propagation.
2024/01/04 11:44:30 [INFO] [prod-db.glucura.io] acme: Trying to solve DNS-01
2024/01/04 11:44:30 [INFO] [prod-db.glucura.io] acme: Checking DNS record propagation using [1.1.1.1:53]
2024/01/04 11:44:32 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2024/01/04 11:51:53 [INFO] [prod-api.glucura.io] acme: Cleaning DNS-01 challenge
2024/01/04 11:51:54 [INFO] [prod-db.glucura.io] acme: Cleaning DNS-01 challenge
2024/01/04 11:51:56 [INFO] Deactivating auth: https://api.buypass.com/acme-v02/authz/pTtn13dzI9dcnyfxUqVcX8vlVli3iuHLcnKH9UV-P1Y
2024/01/04 11:51:56 [INFO] Deactivating auth: https://api.buypass.com/acme-v02/authz/x43WxCWUaKNQZR2q_y0YVF25HMc7bYBZESFaAcHu-pU
2024/01/04 11:51:56 Could not obtain certificates:
        error: one or more domains had a problem:
[prod-api.glucura.io] the server didn't respond to our request
[prod-db.glucura.io] the server didn't respond to our request

In the auth URL I can see the following:
 


{"type": "urn:ietf:params:acme:error:incorrectResponse","detail": "Response received didn't match the challenge's requirements","code": 0}

I don't know which requirements are not fulfilled. I don't understand how this happens as I am using the same method on the same 2nd level domain where one works and another does not.
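For dns-01, the "requirements" in that error come down to one comparison (RFC 8555 §8.4): the TXT record at `_acme-challenge.<domain>` must equal the unpadded base64url SHA-256 digest of the key authorization. The sketch below is an added example, not part of the original post and not lego's code; it checks only the client side of that comparison, and the function names and the sample key authorization are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// ChallengeName returns the DNS name the CA queries for a dns-01 challenge.
func ChallengeName(domain string) string {
	return "_acme-challenge." + strings.TrimSuffix(strings.TrimPrefix(domain, "*."), ".") + "."
}

// ExpectedTXT returns base64url(SHA-256(keyAuthorization)) without padding.
func ExpectedTXT(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Diagnose compares the TXT values seen at one nameserver with the expected value.
func Diagnose(expected string, observed []string) string {
	if len(observed) == 0 {
		return "missing: no TXT record at this nameserver"
	}
	for _, v := range observed {
		if v == expected {
			return "ok"
		}
	}
	for _, v := range observed {
		t := strings.Trim(strings.TrimSpace(v), `"`)
		if t == expected {
			return "formatting: value is wrapped in quotes or whitespace"
		}
		if raw, err := base64.StdEncoding.DecodeString(t); err == nil &&
			base64.RawURLEncoding.EncodeToString(raw) == expected {
			return "encoding: padded standard base64 instead of unpadded base64url"
		}
	}
	return "stale: TXT present but for a different token or account key"
}

func main() {
	// Constructed key authorization: token "." account-key thumbprint (both placeholders).
	exp := ExpectedTXT("constructed-token.constructed-thumbprint")
	fmt.Println(ChallengeName("prod-api.glucura.io"), exp)
	fmt.Println(Diagnose(exp, []string{`"` + exp + `"`}))
}
```

If every authoritative nameserver for the zone returns "ok" and the CA still answers with incorrectResponse, the mismatch is on the validating side rather than in the record the client published.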

  • This sounds like what I'm seeing here: https://community.buypass.com/t/p8y3pma/dns-validation-currently-broken

    I was starting to think that it was a DNSSEC-based issue - but it doesn't look like your domain has DNSSEC enabled?

    • Steven Haigh No, I do not have DNSSEC enabled.

    • Benjamin Schäfer Thanks for confirming..... That blows one theory I had out of the water then....

      I guess we can only wait for Buypass Customer Support or Buypass IT Operations to see if they can spot anything weird...

  • Hi Benjamin Schäfer, are you still experiencing problems with the renewal of your certificates? We have made some minor updates to our service the last couple of days.
    Could you please retry?

    • Hello Buypass Customer Support, the problem seems to be solved now for the domain.


Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.
