
During secondary validation: Incorrect TXT record #5106

Open
DesireWithin opened this issue Apr 23, 2024 · 1 comment


Steps to reproduce

I can't renew my certs. I guess there are 12 TXT records for "_acme-challenge.gtjaqh.net" in aliyun (including 2 added by this operation and then removed because validation failed), but acme (or maybe letsencrypt, I'm not sure) only queries the first eight of them.

Commands

/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt    # run first time
/root/.acme.sh/acme.sh --renew --force --dns dns_ali -d 'gtjaqh.net' -d '*.gtjaqh.net' --home /root/.acme.sh --keylength 2048 --debug

Debug log

[Tue Apr 23 17:15:32 CST 2024] d='gtjaqh.net'
[Tue Apr 23 17:15:32 CST 2024] _d_alias
[Tue Apr 23 17:15:32 CST 2024] txtdomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:32 CST 2024] txt='fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU'
[Tue Apr 23 17:15:32 CST 2024] d_api='/root/.acme.sh/dnsapi/dns_ali.sh'
[Tue Apr 23 17:15:32 CST 2024] dns_entry='gtjaqh.net,_acme-challenge.gtjaqh.net,,dns_ali,fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU,/root/.acme.sh/dnsapi/dns_ali.sh'
[Tue Apr 23 17:15:32 CST 2024] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Apr 23 17:15:32 CST 2024] Adding txt value: fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU for domain:  _acme-challenge.gtjaqh.net
[Tue Apr 23 17:15:32 CST 2024] First detect the root zone
[Tue Apr 23 17:15:32 CST 2024] GET
[Tue Apr 23 17:15:32 CST 2024] url='https://alidns.aliyuncs.com/?AccessKeyId=...'
[Tue Apr 23 17:15:32 CST 2024] timeout=
[Tue Apr 23 17:15:32 CST 2024] Http already initialized.
[Tue Apr 23 17:15:32 CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.Tp5rRofsL0  -g '
[Tue Apr 23 17:15:33 CST 2024] ret='0'
[Tue Apr 23 17:15:33 CST 2024] response='{"TotalCount":741,"PageSize":20,"RequestId":"...","DomainRecords":...,"PageNumber":1}'
[Tue Apr 23 17:15:33 CST 2024] _sub_domain='_acme-challenge'
[Tue Apr 23 17:15:33 CST 2024] _domain='gtjaqh.net'
[Tue Apr 23 17:15:33 CST 2024] Add record
[Tue Apr 23 17:15:34 CST 2024] GET
[Tue Apr 23 17:15:34 CST 2024] url='https://alidns.aliyuncs.com/?AccessKeyId=...'
[Tue Apr 23 17:15:34 CST 2024] timeout=
[Tue Apr 23 17:15:34 CST 2024] Http already initialized.
[Tue Apr 23 17:15:34 CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.Tp5rRofsL0  -g '
[Tue Apr 23 17:15:34 CST 2024] ret='0'
[Tue Apr 23 17:15:34 CST 2024] response='{"RequestId":"...","RecordId":"..."}'
[Tue Apr 23 17:15:34 CST 2024] The txt record is added: Success.
[Tue Apr 23 17:15:34 CST 2024] gtjaqh.net,_acme-challenge.gtjaqh.net,,dns_ali,fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU,/root/.acme.sh/dnsapi/dns_ali.sh

(added Successful for d='*.gtjaqh.net')
...
[Tue Apr 23 17:15:36 CST 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Tue Apr 23 17:15:57 CST 2024] You can use '--dnssleep' to disable public dns checks.
[Tue Apr 23 17:15:57 CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Tue Apr 23 17:15:57 CST 2024] _is_idn_d='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] _idn_temp
[Tue Apr 23 17:15:57 CST 2024] _is_idn_d='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] _idn_temp
[Tue Apr 23 17:15:57 CST 2024] d='gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] txtdomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] aliasDomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] txt='fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU'
[Tue Apr 23 17:15:57 CST 2024] d_api='/root/.acme.sh/dnsapi/dns_ali.sh'
[Tue Apr 23 17:15:57 CST 2024] Checking gtjaqh.net for _acme-challenge.gtjaqh.net
[Tue Apr 23 17:15:57 CST 2024] _c_txtdomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] _c_aliasdomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] _c_txt='fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU'
[Tue Apr 23 17:15:57 CST 2024] Detect dns server first.
...
[Tue Apr 23 17:16:08 CST 2024] _answers='"Answer":[
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"pUpttbpk-LKoqw8Ai51ah-Srt8sY4QjWpN0H5TrS99E\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"Ewf-MW4igSMpMKpO0Ym0vkylTbjBwF9jhsluPKmUdU4\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"yjIffHTg3F8UDyXRmoutToO8Ed_uxSo4ZIej4SWok6g\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"l3Dy8BeZsZoz97kbw3AEZyB4trllQI3K8CMSWuLjUO4\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"5GlkBuChYGOWhXMkcDmFRmNxoW09qcAd4pOIBxTeKLE\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"RSFhUuyZJ3XFhU-RZFNSLOV23umzv2D59836gDX11O8\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"rpBuC-0qIPD1d_1YU63kbUODx_CgamTyGTy2c3zFglA\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"TYPZNVAUMZUkTc8VPd5sFN7p-IXjfl8pe0Uo0iQODvU\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"EA6OFwSJntP7zSuSoZwb-iZI5JBKQ6lSU16mHTzDD0U\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"AVLhrVK15qyqlZdYOmnqTpeNOc9YFiSrhHeBDX6P5aQ\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"gNngisNxiJg99Ee6SsQC-WPsriLMINHGCwOIY9bF0eE\""]'
[Tue Apr 23 17:16:08 CST 2024] Domain gtjaqh.net '_acme-challenge.gtjaqh.net' success.

(also successful for d='*.gtjaqh.net')
...

But during secondary validation, I noticed that the response body said it only found 8 TXT records:

[Tue Apr 23 17:16:09 CST 2024] Pending, The CA is processing your order, please just wait. (1/30)
[Tue Apr 23 17:16:09 CST 2024] sleep 2 secs to verify again
[Tue Apr 23 17:16:12 CST 2024] checking
....
[Tue Apr 23 17:16:14 CST 2024] responseHeaders='HTTP/1.1 200 OK
Server: nginx
Date: Tue, 23 Apr 2024 09:16:13 GMT
Content-Type: application/json
Content-Length: 847
Connection: keep-alive
Boulder-Requester: 1306814826
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: ....
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Tue Apr 23 17:16:14 CST 2024] code='200'
[Tue Apr 23 17:16:14 CST 2024] original='{
  "identifier": {
    "type": "dns",
    "value": "gtjaqh.net"
  },
  "status": "invalid",
  "expires": "2024-04-30T09:15:29Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "During secondary validation: Incorrect TXT record \"gNngisNxiJg99Ee6SsQC-WPsriLMINHGCwOIY9bF0eE\" (and 7 more) found at _acme-challenge.gtjaqh.net",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/.....",
      "token": ".....",
      "validationRecord": [
        {
          "hostname": "gtjaqh.net",
          "resolverAddrs": [
            "....."
          ]
        }
      ],
      "validated": "2024-04-23T09:16:09Z"
    }
  ]
}'
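The report above shows a resolver answer with twelve TXT strings at _acme-challenge.gtjaqh.net while the order needs only two of them. The following script is an added example, not code from acme.sh or from this issue: it derives the TXT value a dns-01 challenge expects from the challenge token and the account-key thumbprint (RFC 8555 section 8.4), parses an answer in the same shape as the `_answers` block acme.sh logs, and reports which published values are current, which are missing, and which are stale leftovers from earlier runs that should be deleted at the DNS provider before retrying. The domain, tokens and thumbprint are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed values (not from the issue): a fake account-key thumbprint and
# two fake challenge tokens, one for the apex name and one for the wildcard.
THUMBPRINT = "constructed-account-thumbprint"
TOKENS = {"apex": "constructed-token-apex", "wildcard": "constructed-token-wildcard"}
CHALLENGE_NAME = "_acme-challenge.example.test"


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value a dns-01 challenge expects (RFC 8555 section 8.4):
    base64url(SHA-256(token "." thumbprint)) with the '=' padding removed."""
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _txt_rr(value: str) -> dict:
    # Same shape as one element of the "Answer" array acme.sh logs as _answers;
    # DoH servers return TXT data wrapped in literal double quotes.
    return {"name": CHALLENGE_NAME + ".", "TTL": 600, "type": 16, "data": f"\"{value}\""}


# Constructed DoH-style answer: both current values plus two leftovers from
# earlier runs that were never deleted.
SAMPLE_DOH_JSON = json.dumps({
    "Status": 0,
    "Answer": [
        _txt_rr("staleValueFromOldRun1"),
        _txt_rr(dns01_txt_value(TOKENS["apex"], THUMBPRINT)),
        _txt_rr("staleValueFromOldRun2"),
        _txt_rr(dns01_txt_value(TOKENS["wildcard"], THUMBPRINT)),
    ],
})


def txt_values(doh_json: str, name: str) -> list:
    """Return the TXT strings (type 16) published at `name`, quotes stripped."""
    doc = json.loads(doh_json)
    values = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != 16:
            continue
        if rr.get("name", "").rstrip(".") != name.rstrip("."):
            continue
        values.append(rr["data"].strip('"'))
    return values


def audit_challenge_records(doh_json: str, name: str, expected: set) -> dict:
    """Compare what is published with what the current order needs.
    'stale' is the list of records to delete at the DNS provider."""
    found_list = txt_values(doh_json, name)
    found = set(found_list)
    return {
        "present": sorted(expected & found),
        "missing": sorted(expected - found),
        "stale": sorted(found - expected),
        "total": len(found_list),
    }


if __name__ == "__main__":
    expected = {dns01_txt_value(t, THUMBPRINT) for t in TOKENS.values()}
    report = audit_challenge_records(SAMPLE_DOH_JSON, CHALLENGE_NAME, expected)
    print(json.dumps(report, indent=2))
```

Running it against a real answer (for example the JSON that acme.sh prints as `_answers` with `--debug`) with the tokens from the current order gives the exact list of records to remove; keeping `_acme-challenge` down to the values the current order needs is the cleanup to do before a renewal, and `--dnssleep` only changes when acme.sh asks the CA to validate, not what the CA's resolvers see.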

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
