Acme certs fail: "Not valid yet, let's wait 10 seconds and check next one."
-
Hello,
The Acme package was configured about 3 years ago and has been working correctly, renewing 1 cert with 2 domains. This renewal period the certs are failing with the following messages in the logs:
As can be seen in the logs... the TXT records appear to be correctly created on the GoDaddy DNS servers... but then the Cloudflare/ACME servers do not seem to be able to verify them and issue the cert.
Any idea what may be wrong here?
-
@jcubillo said in Acme certs fail: "Not valid yet, let's wait 10 seconds and check next one.":
As can be seen in the logs... the TXT records appear to be correctly created on the GoDaddy DNS servers... but then the Cloudflare/ACME servers do not seem to be able to verify them and issue the cert.
During this wait:
These same messages repeat tens of times....
You can do the same test that acme does:
dig _acme-challenge.subdomain1.domain.com TXT
and
dig _acme-challenge.subdomain2.domain.com TXT
Both should return the value "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
You can even be more precise: before starting the certificate renewal, get a list of all your domain name servers. There should be at least 2.
dig domain.com NS
Now you can ask them one by one:
dig @NS1 _acme-challenge.subdomain1.domain.com TXT
dig @NS2 _acme-challenge.subdomain1.domain.com TXT
where NS1 is your first domain name server, NS2 the second, etc. This manual checking is exactly what Letsencrypt does - no more, no less. This is how they check if you control the domain: only you were able to set this random TXT value, a value that was unknown upfront, since Letsencrypt generated it and gave it to the acme script when you started to renew.
Try also this: set a value here:
and be generous. "180" isn't much, as all the DNS slaves need to sync up with the domain master, and there is no law or obligation on how fast this needs to happen.
When acme checks, it could pick, by chance, a slave domain name server that wasn't synced yet ... and you'll have a fail.
-
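The per-name-server check described in the reply above, scripted as an added example (it is not from the thread, the pfSense acme package, or acme.sh): it lists the zone's NS records with dig, then asks each authoritative server for the _acme-challenge TXT record and reports any server that does not yet carry the expected token, which is the "slave not synced yet" case mentioned above. The domain, host and token are assumed command-line inputs; DIG is an assumed environment override so the dig call can be swapped out.

```shell
#!/bin/sh
# check_acme_txt.sh - added example, not from the thread or the acme package.
# Queries every authoritative name server of DOMAIN for the
# _acme-challenge.HOST TXT record and reports which servers do not (yet)
# serve the expected TOKEN, i.e. which slaves have not synced from the master.
#
# Usage: sh check_acme_txt.sh domain.com subdomain1.domain.com TOKEN
# Exit status 0 = all servers agree, 1 = at least one server is behind.
# DIG may be overridden (assumed knob) to point at a wrapper or a stub.
DIG=${DIG:-dig}

# list_nameservers DOMAIN -> one authoritative NS hostname per line,
# trailing dot removed, duplicates collapsed
list_nameservers() {
    "$DIG" +short "$1" NS | sed 's/\.$//' | sort -u
}

# txt_on_ns NS HOST -> the TXT strings NS returns for _acme-challenge.HOST,
# with the surrounding quotes stripped, one per line
txt_on_ns() {
    "$DIG" @"$1" +short "_acme-challenge.$2" TXT | tr -d '"'
}

# check_challenge DOMAIN HOST TOKEN -> prints a verdict per server;
# returns 0 only if every server serves TOKEN
check_challenge() {
    domain=$1; host=$2; token=$3; rc=0
    for ns in $(list_nameservers "$domain"); do
        if txt_on_ns "$ns" "$host" | grep -qx -- "$token"; then
            echo "OK      $ns serves $token for _acme-challenge.$host"
        else
            echo "MISSING $ns does not (yet) serve $token for _acme-challenge.$host"
            rc=1
        fi
    done
    return $rc
}

# Only run when invoked with the three arguments, so the functions can be
# sourced or tested without touching the network.
if [ $# -eq 3 ]; then
    check_challenge "$1" "$2" "$3"
fi
```

A MISSING line for one server while the others show OK is exactly the situation the reply describes: the record exists, but ACME may pick the lagging server and fail, so the wait before validation needs to be longer than the time that server takes to catch up.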
@Gertjan
Thanks for the help. Just found the real reason why my cert renewals are failing... Seems that GoDaddy changed their API access and now you need at least 10 domains to be able to use their DNS API: https://www.reddit.com/r/PFSENSE/comments/1cwuwdo/psa_godaddy_has_changed_its_api_access_affects/
This is why my certs are failing, and probably many others'....
I will have to manually update the certs and will be changing "dns providers" in the next weeks.
Thanks!
-
Oh ... great. I guess they want to stop being the registrar for 'everybody'.
-