Netgate Discussion Forum

    Acme certs fail: "Not valid yet, let's wait 10 seconds and check next one."

    Category: ACME
    Tag: acmecertificate
    4 Posts, 2 Posters, 1.3k Views
    jcubillo:

      Hello,

      The Acme package was configured about 3 years ago and has been working correctly, renewing 1 cert with 2 domains. This renewal period the certs are failing with the following messages in the logs:

      acmeLogs.txt

      As can be seen in the logs... the TXT records appear to be correctly created on the GoDaddy DNS servers... but then the Cloudflare/ACME servers do not seem to be able to verify them and issue the cert.

      Any idea what may be wrong here?

    Gertjan @jcubillo (last edited by Gertjan):

        @jcubillo said in Acme certs fail: "Not valid yet, let's wait 10 seconds and check next one.":

        As can be seen in the logs... the TXT records appear to be correctly created on the GoDaddy DNS servers... but then the Cloudflare/ACME servers do not seem to be able to verify them and issue the cert.

        During this wait:

        These same messages repeat tens of times....

        you can do the same test that acme does.

        dig _acme-challenge.subdomain1.domain.com TXT
        

        and

        dig _acme-challenge.subdomain2.domain.com TXT
        

        Both should return the value "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

        You can even be more precise: before starting the certificate renewal, get a list of all your domain name servers. There should be at least 2.

        dig domain.com NS
        

        Now you can ask them one by one:

        dig @NS1 _acme-challenge.subdomain1.domain.com TXT
        dig @NS2 _acme-challenge.subdomain1.domain.com TXT
        

        where NS1 is your first domain name server, NS2 the second, etc.

        This manual checking is exactly what Let's Encrypt does - no more, no less. This is how they check that you control the domain: only you were able to set this random TXT value, a value that was unknown upfront, as Let's Encrypt handed it to the acme script when you started the renewal.

        Try also this: set a value here:

        [screenshot of the setting, attached in the original post]

        and be generous. "180" isn't much, as all the DNS slaves need to sync up with the domain master, and there is no law or obligation on how fast this needs to happen.
        When acme checks, it could pick, by chance, a slave domain name server that wasn't synced yet ... and you'll have a fail.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

    jcubillo @Gertjan:
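    The per-name-server check Gertjan describes above, as an added example that is not part of the original thread or of the acme.sh/pfSense code: a stdlib-only Python script that builds a raw DNS TXT query, sends it to each authoritative server in turn (what `dig @NS1 _acme-challenge... TXT` does), and loops with a sleep until every server returns the expected token, mirroring the "Not valid yet, let's wait 10 seconds" behaviour in the logs. The names `ns1.example.net`, `ns2.example.net` and the token value are placeholders; `fake_reply` builds a constructed DNS response so the logic can be exercised offline.

    ```python
    import random
    import socket
    import struct
    import time

    TYPE_TXT = 16
    CLASS_IN = 1


    def encode_name(name):
        """Encode a dotted name in DNS wire format (length-prefixed labels)."""
        labels = name.rstrip(".").split(".")
        return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


    def build_query(name, txid):
        """Build a TXT/IN query with the RD bit set, like `dig <name> TXT` sends."""
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
        return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


    def _skip_name(msg, off):
        """Skip a (possibly compressed) owner name; return the offset just past it."""
        while True:
            ln = msg[off]
            if ln & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
                return off + 2
            off += 1
            if ln == 0:
                return off
            off += ln


    def parse_txt_answers(msg, txid):
        """Return (rcode, [TXT strings]) from a reply to build_query(name, txid)."""
        rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if rid != txid:
            raise ValueError("reply transaction id does not match the query")
        off = 12
        for _ in range(qd):                       # question section: name + type + class
            off = _skip_name(msg, off) + 4
        txts = []
        for _ in range(an):                       # answer section
            off = _skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            if rtype == TYPE_TXT:                 # rdata = sequence of <len><chars>
                i, parts = 0, []
                while i < len(rdata):
                    n = rdata[i]
                    parts.append(rdata[i + 1:i + 1 + n].decode())
                    i += 1 + n
                txts.append("".join(parts))
        return flags & 0xF, txts


    def query_txt(name, server, timeout=3.0):
        """Ask one name server directly over UDP, i.e. `dig @server name TXT`."""
        txid = random.randrange(1 << 16)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid), (server, 53))
            reply, _ = s.recvfrom(4096)
        return parse_txt_answers(reply, txid)


    def check_servers(name, expected, servers, query=query_txt):
        """Map each server to True if it already serves `expected` for `name`."""
        result = {}
        for srv in servers:
            try:
                _rcode, txts = query(name, srv)
                result[srv] = expected in txts
            except (OSError, ValueError):       # timeout / unreachable / bad reply
                result[srv] = False
        return result


    def wait_for_propagation(name, expected, servers, query=query_txt,
                             sleep=10, max_rounds=18):
        """Poll until every server has the record; return the round it converged
        on, or None if it never did. Same idea as acme.sh's "Not valid yet" loop."""
        for rnd in range(1, max_rounds + 1):
            status = check_servers(name, expected, servers, query)
            if all(status.values()):
                return rnd
            lagging = [s for s, ok in status.items() if not ok]
            print(f"round {rnd}: not valid yet on {lagging}, waiting {sleep}s")
            time.sleep(sleep)
        return None


    def fake_reply(query_msg, txt_values):
        """Constructed reply to `query_msg` for offline use (not real DNS traffic):
        echoes the question and adds one TXT RR per value, owner name as a pointer
        to offset 12 (0xC00C), TTL 60."""
        txid = struct.unpack("!H", query_msg[:2])[0]
        question = query_msg[12:]
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_values), 0, 0)
        answers = b""
        for v in txt_values:
            rdata = bytes([len(v)]) + v.encode()
            answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
        return header + question + answers


    if __name__ == "__main__":
        # Placeholder servers/token: take the real list from `dig domain.com NS`.
        ns = ["ns1.example.net", "ns2.example.net"]
        print(wait_for_propagation("_acme-challenge.example.net", "TOKEN", ns))
    ```

    Run it against the servers returned by `dig domain.com NS` with the token from the acme log; a server that keeps reporting False long after the others is the one the CA can land on by chance, and the sleep setting in the package has to cover that lag.
    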

          @Gertjan
          Thanks for the help. Just found the real reason why my cert renewals are failing... Seems that GoDaddy changed their API access and now you need at least 10 domains to be able to use their DNS API: https://www.reddit.com/r/PFSENSE/comments/1cwuwdo/psa_godaddy_has_changed_its_api_access_affects/

          This is why my certs are failing and probably many others....

          I will have to manually update the certs and will be changing "dns providers" in the next weeks.

          Thanks!

    Gertjan @jcubillo:

            @jcubillo

            Oh ... great. I guess they want to stop being the registrar for 'everybody'.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.