letsencrypt-manual-hook

Challenge Failing with matching TXT record

Open stephenjudge opened this issue 7 years ago • 0 comments

This may not be a good place to request assistance but I can't think where else to get help. I am installing Let's Encrypt for the first time, and it's on a company intranet. I have control over the subdomain on which I want to install the cert, but not over the root domain. I have followed what I think is the correct process and even though my DNS TXT entry matches that requested by dehydrated, and dehydrated verifies the match, it still fails the challenge. I can't figure out why or what I'm doing wrong.

Our DNS is on Windows Server 2008 R2 and I'm installing Let's Encrypt on an Xubuntu 16.04 VM. Below is the command I ran and the outcome. I have replaced the true root domain with company.com; however, the true root domain is valid and resolvable both inside and outside our network, only the subdomain is internal only.

I also changed the values in the /etc/dehydrated/domains.txt from the default entries to just containing a single entry of wiki.company.com

Any assistance at all would be great.

xwiki@xwiki:~$ sudo ./dehydrated/dehydrated -c -t dns-01 -d wiki.company.com -k ./dehydrated/hooks/manual/manual_hook.rb
[sudo] password for xwiki:
# INFO: Using main config file /etc/dehydrated/config
Processing wiki.company.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting authorization for wiki.company.com...
 + 1 pending challenge(s)
 + Deploying challenge tokens...
Checking for pre-existing TXT record for the domain: '_acme-challenge.wiki.company.com'.
Found IRuosj38RBgVpK_R_gpCSF6Tsg5bDlGYL9QQi1YBqA. no match.
Create TXT record for the domain: '_acme-challenge.wiki.company.com'. TXT record:
'-IRuosj38RBgVpK_R_gpCSF6Tsg5bDlGYL9QQi1YBqA'
Press enter when DNS has been updated...

Found -IRuosj38RBgVpK_R_gpCSF6Tsg5bDlGYL9QQi1YBqA. match.
 + Responding to challenge for wiki.company.com authorization...
Challenge complete. Leave TXT record in place to allow easier future refreshes.
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wiki.company.com",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/NKQ9YHl0JyukZ4huvZ7uKmSoK2f9Gg7KptyYg1hYP_A/3308960735",
  "token": "wQbrFK-uMHl-5d6_XcJK0MnwwitpTru2RIwnlAT1nDw",
  "keyAuthorization": "wQbrFK-uMHl-5d6_XcJK0MnwwitpTru2RIwnlAT1nDw.bWinojXTWVUGHhO6wbWrkMvXZvir5DKWGBu7aX7dQ1c"
})
xwiki@xwiki:~$

stephenjudge, Feb 13 '18 19:02
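
In the log above the hook's own lookup reports a match while Let's Encrypt, which resolves the name from the public Internet, gets NXDOMAIN. The Ruby script below is an added example, not part of the original issue or of the hook's code: it compares the two views of `_acme-challenge.<domain>`. The names `diagnose`, `txt_values` and `StubResolver`, the use of 1.1.1.1 as the outside resolver, and the stub zones are assumptions made for illustration.

```ruby
require 'resolv'
require 'digest'

# dns-01 TXT value (RFC 8555, section 8.4): unpadded base64url of SHA-256(keyAuthorization).
def dns01_txt_value(key_authorization)
  [Digest::SHA256.digest(key_authorization)].pack('m0').tr('+/', '-_').delete('=')
end

# TXT strings one resolver returns for a name; [] on NXDOMAIN, timeout or empty answer.
def txt_values(resolver, name)
  resolver.getresources(name, Resolv::DNS::Resource::IN::TXT).map { |r| r.strings.join }
rescue StandardError
  []
end

# Compare what the hook's resolver sees with what a resolver outside the network sees.
def diagnose(domain, expected, local:, outside:)
  name = "_acme-challenge.#{domain}"
  in_local   = txt_values(local, name).include?(expected)
  in_outside = txt_values(outside, name).include?(expected)
  return :publicly_visible if in_outside
  in_local ? :internal_only : :not_published
end

# Constructed stand-in for Resolv::DNS so the comparison can be run without a network.
class StubResolver
  Txt = Struct.new(:strings)
  def initialize(zone)
    @zone = zone
  end

  def getresources(name, _type)
    @zone.fetch(name, []).map { |v| Txt.new([v]) }
  end
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.length == 2
    domain, key_auth = ARGV
    # Assumption: 1.1.1.1 stands in for "a resolver outside the intranet".
    outside = Resolv::DNS.new(nameserver: ['1.1.1.1'])
    puts diagnose(domain, dns01_txt_value(key_auth), local: Resolv::DNS.new, outside: outside)
  else
    # Constructed zones mirroring the post: the record exists on the intranet DNS only.
    txt = '-IRuosj38RBgVpK_R_gpCSF6Tsg5bDlGYL9QQi1YBqA'
    intranet = StubResolver.new('_acme-challenge.wiki.company.com' => [txt])
    puts diagnose('wiki.company.com', txt, local: intranet, outside: StubResolver.new({}))
  end
end
```

Run with a domain and the `keyAuthorization` string as arguments to query live resolvers; with no arguments it uses the stub zones and reports `internal_only`, the state in which a local check says "match" and the CA still fails the challenge.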