[GH-ISSUE #6] Configuration/Setup is accepted/verified as valid but challenge fails #3

Closed
opened 2026-03-13 16:23:19 +03:00 by kerem · 3 comments

Originally created by @JJ-Author on GitHub (Feb 17, 2021).
Original GitHub issue: https://github.com/acme-dns/acme-dns-client/issues/6

Hi,

first of all, nice work. Unfortunately, I am failing to acquire the wildcard certificate.

I am using v0.2 client release and certbot 0.40.0 and https://hub.docker.com/layers/joohoi/acme-dns/latest/images/sha256-dd671a4fc86863f9dc9bace1dee7c986034aa3946e36f079fbd9ed58a4f3c639?context=explore (from January 2021).

As one can see the acme-dns-client reports everything is set up correctly. The hook updates the txt records in the acme-dns (I checked the log from acme dns server, and verified with dig -> see below).

I am a bit lost now and would appreciate any help. Is there A) an error in the setup verification of the client and the setup is actually incorrect, or B) did I just call the client/certbot in an incorrect way?

(As a sidenote: I also realized that the setup check does not take into account whether the update of txt records actually works - so if the credentials to the acme dns server work and the allowFrom config works)

## certbot call

```
certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/root/configs/dns/acme-dns-client' -d *.tools.dbpedia.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for tools.dbpedia.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Running manual-auth-hook command: /root/configs/dns/acme-dns-client
Waiting for verification...
Challenge failed for domain tools.dbpedia.org
dns-01 challenge for tools.dbpedia.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: tools.dbpedia.org
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.tools.dbpedia.org

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

## acme client check

```
root@APP-DBpedia ~/configs/dns # ./acme-dns-client list
Number of acme-dns accounts found on this system: 1
Performing CNAME checks...

Working:
[*] tools.dbpedia.org

root@APP-DBpedia ~/configs/dns # ./acme-dns-client check
Checking acme-dns configuration for domain tools.dbpedia.org
 [*] Registered acme-dns account found!
 [*] CNAME record found and set up correctly!
 [W] No CAA record found
 [W] No CAA AccountURI found
```

## dns check

```
kilt@kilt-Latitude-E6540:~$ dig _acme-challenge.tools.dbpedia.org txt

; <<>> DiG 9.10.3-P4-Ubuntu <<>> _acme-challenge.tools.dbpedia.org txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.tools.dbpedia.org. IN	TXT

;; ANSWER SECTION:
_acme-challenge.tools.dbpedia.org. 2801	IN CNAME ec471a93-bf4a-4604-aeef-1bce270b5f0e.tools.dbpedia.org.

;; AUTHORITY SECTION:
dbpedia.org.		108	IN	SOA	ns.namespace4you.de. hostmaster.dbpedia.org. 1612978941 16384 2048 1048576 2560

;; Query time: 2 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Feb 17 15:38:58 CET 2021
;; MSG SIZE  rcvd: 179


kilt@kilt-Latitude-E6540:~$ dig ec471a93-bf4a-4604-aeef-1bce270b5f0e.tools.dbpedia.org txt  @ec471a93-bf4a-4604-aeef-1bce270b5f0e.tools.dbpedia.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ec471a93-bf4a-4604-aeef-1bce270b5f0e.tools.dbpedia.org txt @ec471a93-bf4a-4604-aeef-1bce270b5f0e.tools.dbpedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28240
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ec471a93-bf4a-4604-aeef-1bce270b5f0e.tools.dbpedia.org.	IN TXT

;; ANSWER SECTION:
ec471a93-bf4a-4604-aeef-1bce270b5f0e.tools.dbpedia.org.	1 IN TXT "psvkYpoKxiPXcDyRhABLfOA3l1ehIn0VK0vTpJZE7-E"
ec471a93-bf4a-4604-aeef-1bce270b5f0e.tools.dbpedia.org.	1 IN TXT "Ih70MG_RcgDYPPcOCczDj7X5tlrZOqK04yz4A-12VbI"

;; Query time: 44 msec
;; SERVER: 95.217.207.179#53(95.217.207.179)
;; WHEN: Wed Feb 17 15:39:45 CET 2021
;; MSG SIZE  rcvd: 303
```

kerem closed this issue and added the question label (2026-03-13 16:23:19 +03:00)

@joohoi commented on GitHub (Feb 18, 2021):

Hi,

It looks like the acme-dns is not configured correctly. It seems to be missing the mandatory NS record. The acme-dns-client only checks for the validity of the client configuration, and not one of the servers.

See https://github.com/joohoi/acme-dns#dns-records for more information about this.
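To make the failure mode in this comment concrete, here is an added example that is not part of the issue and not code from acme-dns or acme-dns-client. It is an offline model of the lookups a CA's resolver performs for a CNAME-delegated dns-01 challenge: follow `_acme-challenge.<domain>` through its CNAME, then ask the server the parent zone delegates to. All zone data is constructed (`example.org` stands in for the domain, `auth.example.org` for the acme-dns host, the UUID label and TXT token are placeholders); nothing here touches the network. The `broken_setup` case reproduces the issue (CNAME present, TXT held by the acme-dns server, no NS delegation, so the CA sees no TXT); `fixed_setup` adds the NS and glue A record that the acme-dns README requires.

```python
"""Offline model of what a CA resolver sees for an acme-dns CNAME setup.
Added example; not acme-dns or acme-dns-client code. All records below are
constructed placeholders and no real DNS query is made."""

MAX_CNAME_HOPS = 8

UUID_NAME = "d3e0c6f2-1b7a-4c8e-9f00-000000000000.auth.example.org."  # constructed
TOKEN = "placeholder-challenge-token"                                 # constructed

# What the parent zone's authoritative server answers for. The CNAME is what
# `acme-dns-client check` verifies; the NS delegation (absent here) is not.
PARENT_RECORDS = {
    ("example.org.", "NS"): ["ns1.example.org."],
    ("_acme-challenge.example.org.", "CNAME"): [UUID_NAME],
}

# What the acme-dns server answers for when asked directly (the second dig in
# the issue): the TXT exists, but only that server knows it.
ACME_DNS_RECORDS = {
    ("auth.example.org.", "NS"): ["auth.example.org."],
    (UUID_NAME, "TXT"): [TOKEN],
}

# Authoritative servers reachable by hostname once the parent delegates to them.
SERVERS = {"auth.example.org.": ACME_DNS_RECORDS}


def lookup(records, name, rtype):
    """Rdata list for (name, rtype) in one server's record table."""
    return records.get((name.lower(), rtype), [])


def find_delegation(parent_origin, parent_records, name):
    """Return (zone_cut, ns_hosts) if the parent holds an NS record for an
    ancestor of `name` strictly below its own apex, else None. Walks from the
    least specific label down, the way a resolver discovers a zone cut."""
    labels = name.rstrip(".").split(".")
    for i in reversed(range(len(labels))):
        cut = ".".join(labels[i:]) + "."
        if cut == parent_origin or not cut.endswith("." + parent_origin):
            continue
        ns_hosts = lookup(parent_records, cut, "NS")
        if ns_hosts:
            return cut, ns_hosts
    return None


def resolve_txt(qname, parent_origin, parent_records, servers):
    """Emulate a recursive resolver: follow CNAMEs in the parent zone, then ask
    the delegated server for TXT if, and only if, a delegation exists."""
    name = qname.lower()
    chain = [name]
    for _ in range(MAX_CNAME_HOPS):
        target = lookup(parent_records, name, "CNAME")
        if not target:
            break
        name = target[0].lower()
        chain.append(name)
    else:
        raise ValueError("CNAME chain too long or looping: %r" % chain)

    delegation = find_delegation(parent_origin, parent_records, name)
    if delegation is None:
        # No zone cut: the parent server is treated as authoritative for the
        # name, and it holds no TXT there -> exactly the CA error in the issue.
        return {"chain": chain, "delegated_at": None,
                "txt": lookup(parent_records, name, "TXT")}
    cut, ns_hosts = delegation
    txt = []
    for host in ns_hosts:
        txt = lookup(servers.get(host, {}), name, "TXT")
        if txt:
            break
    return {"chain": chain, "delegated_at": cut, "txt": txt}


def diagnose(report, token):
    """Verdict in the spirit of the CA's message, plus the likely cause."""
    if token in report["txt"]:
        return "ok"
    if report["delegated_at"] is None:
        return ("No TXT record found at %s: CNAME points to %s but the parent "
                "zone has no NS record delegating it to the acme-dns server"
                % (report["chain"][0], report["chain"][-1]))
    return "delegation at %s found but token is not published there" % report["delegated_at"]


def broken_setup():
    """The issue's situation: CNAME in place, no NS delegation."""
    report = resolve_txt("_acme-challenge.example.org.", "example.org.", PARENT_RECORDS, SERVERS)
    return diagnose(report, TOKEN)


def fixed_setup():
    """Same parent zone plus the NS and glue A record for the acme-dns host."""
    fixed = dict(PARENT_RECORDS)
    fixed[("auth.example.org.", "NS")] = ["auth.example.org."]
    fixed[("auth.example.org.", "A")] = ["192.0.2.10"]  # constructed, TEST-NET-1
    report = resolve_txt("_acme-challenge.example.org.", "example.org.", fixed, SERVERS)
    return diagnose(report, TOKEN)


if __name__ == "__main__":
    print("broken:", broken_setup())
    print("fixed: ", fixed_setup())
```

The point of `find_delegation` is the check the client does not perform: a CNAME target inside a name that is never handed off via NS is unreachable to every resolver except one that is pointed at the acme-dns server explicitly, which is why `dig @<acme-dns host>` succeeds while the CA fails.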


@JJ-Author commented on GitHub (Feb 18, 2021):

Ah, I see. Thanks a lot. It might still be a bit confusing, and it could potentially be useful if the client also checked for this mandatory NS record in case the CNAME entry does not use the default acme-dns provider. But from my side this could be closed.


@joohoi commented on GitHub (Feb 19, 2021):

> it could be potentially useful if the client would check also for this mandatory NS record in case the cname entry would not use the default acme-dns provider.

Yeah, I agree. There are, however, a bunch of corner cases in that as well that might cause confusion. I'll keep this in the back of my head going forward. Have a great weekend!
