coldfix/certbot-dns-netcup

Challenge failed

Closed this issue · 14 comments

ptc commented

I tried to create a new cert for one of my subdomains. Installed a clean new certbot and setup the plugin but when I run the command to get the certs, I get a "Challenge failed".

My netcup api-key and api-password is working as I've tested it with a different script and was able to update dns settings.

Running on macOS Catalina and certbot 1.0.0. Any hints?

ptc commented

According to the netcup API log, the following error occurs:

Value in field domainname does not match requirements of type: domainname.

Hi, thanks for reporting, and sorry for the late response. I will try to investigate a bit during the next week.

With some time on my hands now, some additional info may be helpful:

  • certbot command you run
  • the certbot output
  • any additional config file values?

One possibility is that you may get challenge failed if the dns records do not propagate quickly enough, in this case it may be enough to specify larger propagation time, e.g. --certbot-dns-netcup:dns-netcup-propagation-seconds 900 or even more.

According to the netcup API log, the following error occurs:

Value in field domainname does not match requirements of type: domainname.

What is the form of the domain you are using this for? If you have a multi-dot domain, e.g. *.co.uk, this could be the source of the message. I have so far only used the plugin with domains as 'domain.tld' (with only a single dot). I'm not exactly sure anymore as to how the domain is determined, but I believe it is guessed by certbot, which tries different levels until it succeeds. In this case, this message may be expected from one of the failing guesses.

It would be important to see the certbot debug log, which is by default located in /var/log/letsencrypt/ (can be changed using --log-dir DIR).

ptc commented

The domain is not multi-dot as it is a simple .de domain. I'll add the certbot log.

ptc commented
2019-12-22 18:11:12,705:INFO:certbot._internal.auth_handler:Performing the following challenges:
2019-12-22 18:11:12,706:INFO:certbot._internal.auth_handler:dns-01 challenge for test.example.com
2019-12-22 18:11:12,711:DEBUG:lexicon.providers.netcup:login({})
2019-12-22 18:11:12,714:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net
2019-12-22 18:11:13,192:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 236
2019-12-22 18:11:13,196:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'test.example.com'})
2019-12-22 18:11:13,200:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net
2019-12-22 18:11:13,604:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 211
2019-12-22 18:11:13,608:DEBUG:lexicon.providers.netcup:login({})
2019-12-22 18:11:13,612:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net
2019-12-22 18:11:14,116:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 236
2019-12-22 18:11:14,120:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'example.com'})
2019-12-22 18:11:14,123:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net
2019-12-22 18:11:14,627:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 245
2019-12-22 18:11:14,632:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': 'example.com'})
2019-12-22 18:11:14,635:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net
2019-12-22 18:11:15,139:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 639
2019-12-22 18:11:15,144:DEBUG:lexicon.providers.netcup:list_records: []
2019-12-22 18:11:15,144:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'example.com', 'dnsrecordset': {'dnsrecords': [{'type': 'TXT', 'hostname': '_acme-challenge.test', 'destination': 'abc_changed_for_demonstration'}]}})
2019-12-22 18:11:15,147:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net
2019-12-22 18:11:17,904:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 710
2019-12-22 18:11:17,909:DEBUG:lexicon.providers.netcup:create_record: True

No error here. I changed my domain to example.com before posting here.

Ok, but there is no error message here? You said you got "challenge failed"?

Edit: Ah, I see, the debug log doesn't contain the error message (weird). Getting the full command and its output would still be useful then.

ptc commented

The issue is that the netcup part of the certbot plugin got a "DNS successfully updated" return, but this wasn't the case, as netcup's DNS API log says that there was an error.
Then certbot looks for the TXT entry and can't find it.

ptc commented

Full command:

certbot certonly \
     --agree-tos -m $email_address \
     --no-eff-email \
     --config-dir $cert_dir --work-dir $cert_dir --logs-dir $cert_dir \
     --manual-public-ip-logging-ok \
     --authenticator certbot-dns-netcup:dns-netcup \
     --certbot-dns-netcup:dns-netcup-credentials ~/.secrets/certbot/netcup.ini \
     --certbot-dns-netcup:dns-netcup-propagation-seconds 15 \
     --server https://acme-v02.api.letsencrypt.org/directory \
     -d 'test.example.com'

--certbot-dns-netcup:dns-netcup-propagation-seconds 15

That is probably the issue, see above:

One possibility is that you may get challenge failed if the dns records do not propagate quickly enough, in this case it may be enough to specify larger propagation time, e.g. --certbot-dns-netcup:dns-netcup-propagation-seconds 900 or even more.

This kinda sucks interactively, but in an automated script it is no problem.

ptc commented

I tried. It's not the issue as:

Value in field domainname does not match requirements of type: domainname.

this is what happens on netcup's side. With the other DNS API script, changes are made immediately.

The message value in field domainname does not match requirements of type: domainname doesn't necessarily indicate an error, since according to your debug log, it seems to try test.example.com before example.com. In this case, the message is the expected response from netcup for the first attempt and informs the plugin that it should continue trying another domain. That's how the certbot lexicon provider works, IIRC.

What is the full certbot output (stdout + stderr + debug log) for the command, when using --certbot-dns-netcup:dns-netcup-propagation-seconds 900? You still didn't show any output that contained "challenge failed".
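The zone-guessing behaviour described in the reply above (try test.example.com, get the "does not match requirements of type: domainname" message, fall back to example.com, then write the TXT record as _acme-challenge.test relative to that zone), as an added example that is not code from the plugin or from lexicon. FakeNetcupClient, find_zone and acme_txt_record are constructed names; the client only simulates the API responses seen in the debug log.

```python
"""Added illustration of lexicon-style zone discovery for a dns-01 challenge.
The netcup client is a constructed stand-in that mimics the rejection
message from the thread; it does not talk to the real ccp.netcup.net API."""

NETCUP_MISMATCH = ("Value in field domainname does not match "
                   "requirements of type: domainname.")


class NetcupError(Exception):
    """Error response from the (simulated) netcup API."""


class FakeNetcupClient:
    """Stand-in for the netcup API: accepts only the zones it was given."""

    def __init__(self, zones):
        self.zones = set(zones)
        self.calls = []  # every infoDnsZone attempt, like the debug log

    def info_dns_zone(self, domainname):
        self.calls.append(domainname)
        if domainname not in self.zones:
            raise NetcupError(NETCUP_MISMATCH)
        return {"domainname": domainname}


def find_zone(client, fqdn):
    """Try fqdn, then each parent, until the API accepts one as a zone.

    Returns (zone, relative_hostname). Stops before the bare TLD so a
    typo never ends up probing e.g. 'com'. Only the mismatch message is
    treated as "keep trying"; any other API error is re-raised."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        try:
            client.info_dns_zone(candidate)
        except NetcupError as exc:
            if str(exc) != NETCUP_MISMATCH:
                raise
            continue  # expected for a subdomain that is not itself a zone
        relative = ".".join(labels[:i]) or "@"
        return candidate, relative
    raise LookupError("no managed zone found for %s" % fqdn)


def acme_txt_record(client, domain):
    """Zone and TXT hostname that certbot's dns-01 challenge needs."""
    zone, relative = find_zone(client, domain)
    host = "_acme-challenge" if relative == "@" else "_acme-challenge." + relative
    return zone, host
```

Seeing the mismatch message once per non-zone level in the netcup API log is therefore normal; only a run where no level is accepted is an actual failure.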

ptc commented

I will provide the full log as soon as I get to my computer.

ptc commented

Yes, you were right. With propagation seconds high enough it will renew the certificates eventually. Thanks for the hint!