Dns-desec failed to verify the DNS TXT

Hi,
my certbot LE renewal process fails with the following error:

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
Domain: mydomain.dedyn.io
Type: caa
Detail: CAA record for mydomain.dedyn.io prevents issuance

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

2024-10-31 22:59:22,993:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Nothing has changed on my side since last renewal 2 months ago.

Any problems known with CAA / TLSA?

Any help available?

Thanks.

Hello @un99known99,

Check your domain name’s CAA record with https://unboundtest.com/

Try testing your domain name with DNS-01 challenge here Let’s Debug

Edit

Are you using --dry-run certbot option?
I see a reference for that here: Certbot 2.7.2 / error for CAA - #12 by mcpherrinm - Help - Let's Encrypt Community Support

Edit 2

As I see it, there is only one account, not two (one for production, the other for staging):

<redacted>.dedyn.io.	0	IN	CAA	128 issuewild "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/<redacted>"

Also I do not believe that your issue is due to deSEC.

"Check your domain name’s CAA record with https://unboundtest.com/

Try testing your domain name with DNS-01 challenge here Let’s Debug"

showing no issues

hm, but what about that:

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

2024-11-01 16:05:49,404:DEBUG:acme.client:Storing nonce: KlfSZIVgiyf8vFF7u4lbNH5Q6Ehrsunzc7uZgbUX8qF03_rehNs
2024-11-01 16:05:49,406:INFO:certbot._internal.auth_handler:dns-01 challenge for miharu.dedyn.io
2024-11-01 16:05:49,408:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
Domain: miharu.dedyn.io
Type: caa
Detail: CAA record for miharu.dedyn.io prevents issuance

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

constantly failing, from error desc looks like a desec.io issue …?

Detail: CAA record for miharu.dedyn.io prevents issuance

This message indicates that your certificate request is incompatible with your CAA record.

Here’s your CAA record:

$ dig +short CAA miharu.dedyn.io
128 issuewild "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/125274239"

Are you sure it is correct? (Are you using this CA? Are you indeed using account 125274239?)

Stay secure,
Peter

And follow this thread too

There seemed to be 2 problems, one with the staging system of LE (I did not have a 2nd CAA record) and some internal changes/restrictions from LE - they are investigating internally atm.
If you are interested in: CAA record prevents issuance - #43 by MikeMcQ - Help - Let's Encrypt Community Support

I am posting this to help others in the future. :slightly_smiling_face:

More restrictive CAA record fields demonstration
for both Let’s Encrypt production and staging environments.

This is for the DNS-01 challenge of the Challenge Types - Let's Encrypt

I am demonstrating with a test domain of mine and Certbot Instructions | Certbot
I had a propagation issue with the default of 80 seconds, so I changed it to 300 seconds by adding this option to the certbot command line: --dns-desec-propagation-seconds=300

$ nslookup -q=caa fivvy.us.eu.org ns1.desec.io.
;; Truncated, retrying in TCP mode.
Server:         ns1.desec.io.
Address:        45.54.76.1#53

fivvy.us.eu.org rdata_257 = 128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
fivvy.us.eu.org rdata_257 = 128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
fivvy.us.eu.org rdata_257 = 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
fivvy.us.eu.org rdata_257 = 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
$ nslookup -q=caa fivvy.us.eu.org ns2.desec.org.
;; Truncated, retrying in TCP mode.
Server:         ns2.desec.org.
Address:        157.53.224.1#53

fivvy.us.eu.org rdata_257 = 128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
fivvy.us.eu.org rdata_257 = 128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
fivvy.us.eu.org rdata_257 = 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
fivvy.us.eu.org rdata_257 = 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
$ sudo certbot show_account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-v02.api.letsencrypt.org/directory:
  Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/1483983656
  Account Thumbprint: QX3VW-VjJ6ZlVTPv9Mm6QR6zMQW8U1pGGXPI0CP4psI
  Email contact: bam@figment.biz
$ sudo certbot show_account --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-staging-v02.api.letsencrypt.org/directory:
  Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314
  Account Thumbprint: kHnkBT36Jx_qD9cOeAg1Bs-7pMT4UC8DNzoY6moVaCk
  Email contact: none
$ sudo certbot renew --dry-run --renew-by-default -v --dns-desec-propagation-seconds=300
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fivvy.us.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator dns-desec, Installer None
Simulating renewal of an existing certificate for fivvy.us.eu.org and *.fivvy.us.eu.org
Performing the following challenges:
dns-01 challenge for fivvy.us.eu.org
dns-01 challenge for fivvy.us.eu.org
Waiting 300 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/fivvy.us.eu.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo certbot renew --renew-by-default -v --dns-desec-propagation-seconds=300
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fivvy.us.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator dns-desec, Installer None
Renewing an existing certificate for fivvy.us.eu.org and *.fivvy.us.eu.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/fivvy.us.eu.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fivvy.us.eu.org
    Serial Number: 4cc83e3d16d09496a1e1fb99732673fe632
    Key Type: ECDSA
    Domains: fivvy.us.eu.org *.fivvy.us.eu.org
    Expiry Date: 2025-01-30 17:42:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/fivvy.us.eu.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fivvy.us.eu.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo certbot --version
certbot 2.11.0
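To make the staging-versus-production point from the two posts above concrete (a CAA record pinned to one ACME account via accounturi blocks a --dry-run, which uses the staging account), here is an added Python example that is not from this thread, certbot or deSEC. It evaluates a CAA record set under the RFC 8659 issue/issuewild rules and the RFC 8657 accounturi/validationmethods parameters; the PROD_ONLY set is constructed to mirror the original failure, BOTH is built from the four records in the demonstration post, and the http-01 case is my own addition.

```python
"""CAA evaluation per RFC 8659 (issue/issuewild) and RFC 8657 (accounturi,
validationmethods). Added example; record sets are constructed from this thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caa:
    tag: str    # "issue" or "issuewild"
    value: str  # e.g. 'letsencrypt.org;accounturi=https://...;validationmethods=dns-01'


def parse_caa(line: str) -> Caa:
    """Parse a dig +short style line: '128 issue "letsencrypt.org;accounturi=..."'."""
    _flags, tag, rest = line.split(maxsplit=2)
    return Caa(tag.lower(), rest.strip().strip('"'))


def _issuer_and_params(value: str):
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.partition("=")[::2] for p in parts[1:] if p)
    return parts[0].lower(), {k.strip().lower(): v.strip() for k, v in params.items()}


def caa_permits(records, issuer, account_uri, method, wildcard=False):
    """True if the CAA set allows `issuer` to issue for this name with this ACME
    account and validation method. For wildcard names, issuewild records take
    precedence when present; if the relevant property is absent, CAA imposes
    no restriction at all."""
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True
    for rec in relevant:
        dom, params = _issuer_and_params(rec.value)
        if dom != issuer.lower():
            continue  # another CA, or the empty issuer ";" meaning "nobody"
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # right CA, wrong ACME account (staging vs production)
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue  # right CA and account, but challenge type not listed
        return True
    return False


PROD = "https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
STAGING = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
# Constructed: only the production account listed, mirroring the original failure.
PROD_ONLY = [parse_caa(f'128 issue "letsencrypt.org;accounturi={PROD}"'),
             parse_caa(f'128 issuewild "letsencrypt.org;accounturi={PROD}"')]
# Constructed from the four records shown in the demonstration post above.
BOTH = [parse_caa(f'128 {t} "letsencrypt.org;validationmethods=dns-01;accounturi={a}"')
        for t in ("issue", "issuewild") for a in (STAGING, PROD)]
```

With PROD_ONLY, a production renewal passes but the same renewal with --dry-run is refused, which is exactly the "CAA record prevents issuance" outcome; adding the staging account's record, as in BOTH, lets both succeed.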

can dns-desec-propagation-seconds=300 be set in the config file in
/etc/letsencrypt/renewal/miharu.dedyn.io.conf ?

Or to be set here in /etc/cron.d:

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --no-random-sleep-on-renew

to add the options --dns-desec-propagation-seconds=300?

Documentation can be found here User Guide — Certbot 2.11.0 documentation

The top level of the documentation is here Welcome to the Certbot documentation! — Certbot 2.11.0 documentation

Edit
And this too GitHub - desec-io/certbot-dns-desec: Let's Encrypt Certificates for Domains Hosted at deSEC
certbot-dns-desec · PyPI