Unable to validate sub-domains on prod server, only on test.

Hi

I'm using DNS validation via a domain-alias. Client is acme.sh. I can validate just fine with the test server, https://api.test4.buypass.no/acme/directory. With the prod server https://api.buypass.com/acme/directory I can only validate the root domain, not any sub domains like www.

Error message is:

[Tue Apr 27 14:07:47 CEST 2021] test.****.com:Challenge error: {"type":"urn:ietf:params:acme:error:incorrectResponse","detail":"Response received didn't match the challenge's requirements","code":400,"message":"MALFORMED_BAD_REQUEST","details":"HTTP 400 Bad Request"}

or
 

[Tue Apr 27 14:06:41 CEST 2021] Error, can not get domain uri. "type":"dns-01","token":"29B55C4016DB632CD0BDD8ABE8D76CE634C6B126","status":"pending","validated":"2021-04-26T13:01:49Z","error":{"type":"urn:ietf:params:acme:error:incorrectResponse","detail":"Response received didn't match the challenge's requirements","code":0
  • Hi lars

     

    Could you provide us with more details, like “MDC-correlationId” response header value, which is sent as a response header from our server and also the date/time for the failed challenge validation request.

     

    Regards,

    Andriy

      • lars
      • 2 yrs ago

      Andriy Mahats 
      Hi. Thanks for responding.

      There are time stamps on both error messages I've posted. I can't find MDC-correlationId in the acme.sh.log. Attaching the full debug output. I've only replaced the domain name with ***.
       

    • Hi lars 

       

      There were challenge validation attempts on 3 domains - one base domain and two subdomains. The challenge on the base domain was validated successfully, whereas the challenge validation attempts on the 2 subdomains failed, since after querying the TXT records no records were found.

      This might be due to a slow DNS propagation issue.

       

      Regards,

      Andriy

    • lars
    • 2 yrs ago

    Hm. I've tried several times. It works as it should on test. I use the same command, just switch out "--server" between test and prod.

    • Hi lars 

       

      Our implementation will not verify the challenge again until we get an explicit request from the client.

      As we see, there were no further requests in production for challenge verification from the ACME client after the 26th of April.

      So these authorizations and challenges are left in the pending state.

       

      Regards,

      Andriy
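
Added example, not part of the thread and not acme.sh or Buypass code: a pre-check for the situation described in the replies above, where the TXT lookup for the subdomains returned nothing and the challenge is only verified again on an explicit client request. It computes the dns-01 TXT value as defined in RFC 8555 and follows the alias CNAME through a constructed zone snapshot (a plain dict standing in for answers from the authoritative name servers); every name, token and the thumbprint below is made up.

```python
import base64
import hashlib

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token + '.' + thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAMEs from `name` in the snapshot and return the TXT values found."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        records = zone.get(name, {})
        if "CNAME" in records:
            name = records["CNAME"].rstrip(".").lower()
            continue
        return list(records.get("TXT", []))
    raise ValueError(f"CNAME chain too long or looping at {name}")

def precheck(zone: dict, challenges: dict, thumbprint: str) -> dict:
    """Map each identifier to True when its expected TXT value is visible."""
    result = {}
    for identifier, token in challenges.items():
        # Wildcard identifiers are validated at the base name (RFC 8555).
        base = identifier[2:] if identifier.startswith("*.") else identifier
        expected = dns01_txt_value(token, thumbprint)
        result[identifier] = expected in resolve_txt(zone, f"_acme-challenge.{base}")
    return result

# Constructed sample data: the root name is aliased, the subdomain has nothing visible.
THUMBPRINT = "constructed-account-key-thumbprint"
CHALLENGES = {"example.com": "token-root", "www.example.com": "token-www"}
ZONE = {
    "_acme-challenge.example.com": {"CNAME": "_acme-challenge.alias.example."},
    "_acme-challenge.www.example.com": {},
    "_acme-challenge.alias.example": {"TXT": [dns01_txt_value("token-root", THUMBPRINT)]},
}

if __name__ == "__main__":
    for identifier, ok in precheck(ZONE, CHALLENGES, THUMBPRINT).items():
        print(identifier, "ready" if ok else "TXT not visible, do not request validation yet")
```
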


Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.
