[GH-ISSUE #16] Can't renew certs #8

Closed
opened 2026-03-13 16:24:27 +03:00 by kerem · 2 comments

Originally created by @Serpher1 on GitHub (Apr 27, 2022).
Original GitHub issue: https://github.com/acme-dns/acme-dns-client/issues/16

I set it up 2 months ago and got certs with no problem (acme-dns and acme-dns-client). I haven't touched it since and now I get a timeout. The only things that could have changed are some security updates to Debian 10 and maybe Certbot (I started with 1.23 and now it's 1.26).
Acme-dns creates records on demand but somehow LE can't get to them.
Ports 80/53 are open to the acme-dns server.

```
acme-dns-client register -d wyniki.spzozmm.pl -s http://localhost:8080
[W] Acme-dns account already registered for domain wyniki.spzozmm.pl
[*] CNAME record seems to already be set up correctly, you are good to go

A CAA record allows you to control additional certificate issuance safeguards. The currently supported
version allows the domain owner to control which certificate authorities are allowed to issue certificates for the domain in question.
The certificate authorities MUST check and respect the CAA records in the validation process.

There's also a standard (RFC 8657) that extends the CAA record to limit the issuance of certificates to a specific validation
method and/or to a specific ACME account. While they can be tested using staging environment of Let's Encrypt for example,
they're not enabled in the production yet. It is still be worthwhile to configure them so you'll be protected when the feature gets enabled.
Do you wish to set up a CAA record now? [y/N]: n
root@acme:~# certbot certonly --manual --preferred-challenges dns --manual-auth-hook 'acme-dns-client' -d wyniki.spzozmm.pl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for wyniki.spzozmm.pl

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
 Domain: wyniki.spzozmm.pl
 Type: dns
 Detail: DNS problem: query timed out looking up TXT for _acme-challenge.pacs.spzozmm.pl

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

letsencrypt log

```
2022-04-27 13:26:48,005:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-27 13:26:48,005:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-04-27 13:26:48,005:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-04-27 13:26:48,006:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1952/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 1723, in main
    return config.func(config, plugins)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 1582, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 344, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/client.py", line 441, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-04-27 13:26:48,007:ERROR:certbot._internal.log:Some challenges have failed.
```

kerem closed this issue 2026-03-13 16:24:32 +03:00

@Serpher1 commented on GitHub (Apr 28, 2022):

Ok I may have solved the DNS issue but the acme-dns server is not working as intended.

```
certbot certonly --manual --preferred-challenges dns --manual-auth-hook acme-dns-client -d wyniki.spzozmm.pl -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for wyniki.spzozmm.pl
Performing the following challenges:
dns-01 challenge for wyniki.spzozmm.pl
Running manual-auth-hook command: acme-dns-client
Waiting for verification...
Challenge failed for domain wyniki.spzozmm.pl
dns-01 challenge for wyniki.spzozmm.pl

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: wyniki.spzozmm.pl
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wyniki.spzozmm.pl - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Cleaning up challenges
Some challenges have failed.
```

Wasn't it the acme-dns-client's job to return the TXT value? The acme-dns service generates proper values.


@Serpher1 commented on GitHub (Apr 28, 2022):

Solved it. Firewall blocked UDP ports.
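Added here as a worked check, not code from the issue or from the acme-dns / acme-dns-client projects: a stdlib-only Python probe that sends the same TXT query the CA would, first over UDP and then over TCP, so the "query timed out" of the first attempt (53/udp blocked by the firewall, as found above) shows up as a UDP timeout while TCP still answers, whereas a missing record shows NXDOMAIN on both transports. The server address 203.0.113.10 and the fixed transaction id are placeholders.

```python
import socket
import struct

QTYPE_TXT = 16
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_txt_query(name: str, txid: int) -> bytes:
    """12-byte header (RD=1, one question) + QNAME labels + QTYPE=TXT, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_TXT, 1)


def parse_reply(reply: bytes, txid: int) -> tuple:
    """Return (rcode name, answer count); reject replies that are not ours."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong id or QR bit not set
        raise ValueError("reply id/QR mismatch")
    return RCODE_NAMES.get(flags & 0x0F, str(flags & 0x0F)), ancount


def probe(server: str, name: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Query TXT for `name` at `server` over UDP, then TCP; status per transport."""
    txid, result = 0x1234, {}  # fixed id is a placeholder; real resolvers randomise it
    query = build_txt_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        try:
            udp.sendto(query, (server, port))
            rcode, n = parse_reply(udp.recv(4096), txid)
            result["udp"] = f"{rcode} ({n} answers)"
        except socket.timeout:  # what the CA reported: "query timed out"
            result["udp"] = "TIMEOUT (53/udp filtered?)"
    try:
        with socket.create_connection((server, port), timeout=timeout) as tcp:
            tcp.sendall(struct.pack(">H", len(query)) + query)  # TCP DNS is length-prefixed
            (length,) = struct.unpack(">H", tcp.recv(2))
            rcode, n = parse_reply(tcp.recv(length), txid)
            result["tcp"] = f"{rcode} ({n} answers)"
    except (OSError, struct.error) as exc:  # socket.timeout is an OSError subclass
        result["tcp"] = f"ERROR ({exc})"
    return result


if __name__ == "__main__":
    # Name from the issue; 203.0.113.10 is a documentation-range placeholder address.
    print(probe("203.0.113.10", "_acme-challenge.wyniki.spzozmm.pl"))
```

Run it against the acme-dns host itself; "TIMEOUT" on UDP with a "NOERROR (1 answers)" on TCP points at the firewall rather than at acme-dns-client.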
