the supported validation types are: http-01 , but you specified: dns-01 #2695
A note: I got the
Maybe this is possibly coming from Let's Encrypt, when dns-01 is not supported for a domain? (But I'm unsure why this should happen.)

I worked around this by getting two separate certificates:

Maybe this is related to this thread from the Let's Encrypt forum: https://community.letsencrypt.org/t/undocumented-challenge-hangs-for-dns-01-on-the-apex-domain-w-valid-http-01/106214/8 |
Same here with a renew:
worked before for month - nothing was changed. |
OK, next domains has this error. It is trouble for us. Any idea? |
please paste your full command line, and output with |
Any idea please? |
Same issue here. If domain has been verified earlier with http authentication (domain.fi), we are unable to get dns validated certificate for domain.fi (but can get one for *.domain.fi). This used to work last month, but something has changed. acme.sh is the latest version (also tried with 2.8.5 branch).

I guess this has something to do with the order of validation requests, maybe Letsencrypt prefers the first one that has been successfully validated earlier and acme.sh incorrectly uses it instead of new dns-01 request. Validation requests will expire eventually, and it is possible that after expiration dns-01 will succeed. Anyway, this makes switching from http to dns validation very hard for plain domain name without any subdomains. |
Post opened here too. https://community.letsencrypt.org/t/the-supported-validation-types-are-http-01-but-you-specified-dns-01/111561/4
If you can write there too, we can do more :) |
@rajcz I believe that this is caused by the Letsencrypt CA changes. I'm fixing it now. Wait a moment. |
If a domain was already verified by http-01 method, when we try to issue a cert for the same domain with dns-01 method, we just get only one challenge object of type http-01 with "valid" status, from the authz-v3 url. So, we report error that we are not able to validate the domain, because we don't find a dns-01 challenge. This behavior is not the same as before. I believe it was changed by the letsencrypt CA.
Excellent! It's working now Thanks a lot! |
@dlt- |
OK! But with that commit I got two different domains validated that caused errors earlier with 2.8.5 branch and 2.8.3. |
Yes, you can do some testing on your side at the same time. I'm also doing more testing before I'm sure to merge it. |
Hi All, It's fixed. Please upgrade to the latest code and try again: `acme.sh --upgrade` |
Hi @cpu, I would appreciate it very much if you could drop a comment.

It seems that the challenge objects in the authorization URL response have changed recently. Before, the response always contained 3 challenge objects: dns-01, http-01 and tls-alpn-01. However, for now, it returns 3 objects only when none of them is valid. Once one of them has valid status, it will return only the valid one.

Here are more details: when we first issue a cert with standalone method:
we got three challenge objects, all of which are pending.
We select the http-01 challenge to validate the domain. And everything is ok. We got the cert. However, when we issue a new cert for the same domain with dns method,
we got authorization urls:
When we try the first authorization url https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35413462 to get
It's http-01 type with valid status. But we want to validate it with dns-01 method. Thanks in advance. |
The fix works for me. Thanks! |
@Neilpang Yes, that changed recently. See https://community.letsencrypt.org/t/acme-v1-v2-changing-challenges-returned-for-invalid-valid-authorizations/107661. Apparently the old behavior was against RFC 8555. |
@mnordhoff Thank you. |
@Neilpang I can confirm @mnordhoff's answer (thanks for posting!). Pebble has been using this RFC 8555 compliant behaviour since ~April 2018. Have you considered adding integration testing against a Pebble CA to your CI? |
Thank you so much. Thanks. |
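
The behaviour confirmed in the comments above (a valid authorization lists only the challenge that was validated) means a client has to check the authorization's status before searching for its preferred challenge type. The following is an added example of that check, not acme.sh's code; the sample objects, `plan_authorization` and `AuthzError` are constructed for illustration:

```python
# Constructed authorization objects in the RFC 8555 section 7.1.4 shape.
# Domain, URLs and tokens are placeholders, not values from the thread.
def _chall(ctype, status, n):
    return {"type": ctype, "status": status,
            "url": f"https://ca.example/chall/{n}", "token": f"constructed-{n}"}

VALID_AUTHZ = {
    "identifier": {"type": "dns", "value": "example.org"},
    "status": "valid",
    "challenges": [_chall("http-01", "valid", 1)],  # only the validated one
}
PENDING_AUTHZ = {
    "identifier": {"type": "dns", "value": "example.org"},
    "status": "pending",
    "challenges": [_chall("http-01", "pending", 2),
                   _chall("dns-01", "pending", 3),
                   _chall("tls-alpn-01", "pending", 4)],
}


class AuthzError(Exception):
    """The authorization cannot be completed with the requested method."""


def plan_authorization(authz, wanted_type):
    """Decide what to do with one authorization: skip it or answer a challenge."""
    domain = authz["identifier"]["value"]
    status = authz.get("status")
    # Look at the authorization status before searching for a challenge type:
    # a valid authorization lists only the challenge that was validated.
    if status == "valid":
        return ("skip", None)
    if status != "pending":
        raise AuthzError(f"{domain}: authorization is {status!r}, a new order is needed")
    challenges = authz.get("challenges", [])
    for chall in challenges:
        if chall["type"] == wanted_type:
            return ("respond", chall)
    offered = ", ".join(c["type"] for c in challenges)
    raise AuthzError(f"{domain}: supported validation types are: {offered}, "
                     f"but you specified: {wanted_type}")


if __name__ == "__main__":
    for name, authz in (("valid", VALID_AUTHZ), ("pending", PENDING_AUTHZ)):
        action, chall = plan_authorization(authz, "dns-01")
        print(name, "->", action, chall["type"] if chall else "")
```
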
Hello,
I know about error with supported dns-01 - specified dns-01, but I get vice-versa error now.
[Fri Jan 17 09:00:39 CET 2020] Error, can not get domain token entry **********.org
[Fri Jan 17 09:00:39 CET 2020] The supported validation types are: http-01 , but you specified: dns-01
It is a wildcard certificate for 2 domains. This is a scripted environment, other requests are OK. But why did I get http-01 for wildcard?
Thank you Pavel