the supported validation types are: http-01 , but you specified: dns-01 #2695

Closed
rajcz opened this issue Jan 17, 2020 · 20 comments

Comments

@rajcz
Contributor

rajcz commented Jan 17, 2020

Hello,

I know about the error with "supported dns-01, specified dns-01", but now I get the error the other way round.

```
[Fri Jan 17 09:00:39 CET 2020] Error, can not get domain token entry **********.org
[Fri Jan 17 09:00:39 CET 2020] The supported validation types are: http-01 , but you specified: dns-01
```

It is a wildcard certificate for 2 domains. This is a scripted environment; the other requests are OK. But why did I get http-01 for a wildcard?

Thank you, Pavel

@joellimberg

joellimberg commented Jan 18, 2020

A note: I got the "the supported validation types are: http-01 , but you specified: dns-01" error, when requesting a certificate (with --signcsr) for 4 domains (example.com, *.example.com, otherdomain.com, www.otherdomain.com).

example.com got dns-01 challenges, but otherdomain.com apparently received only http-01 challenges.

Maybe this is possibly coming from Let's Encrypt, when dns-01 is not supported for a domain? (But I'm unsure why this should happen.)

I worked around this by getting two separate certificates: example.com, *.example.com with dns-01 validation, and otherdomain.com, www.otherdomain.com with http-01 validation.

Maybe this is related to this thread from the Let's Encrypt forum: https://community.letsencrypt.org/t/undocumented-challenge-hangs-for-dns-01-on-the-apex-domain-w-valid-http-01/106214/8

@chrostek

Same here with a renew:

```
# acme.sh --renew-all
[Di 21. Jan 21:59:58 CET 2020] Renew: 'dom1.de'
[Di 21. Jan 21:59:59 CET 2020] Multi domain='dom1.de,dom2.de,DNS:*.dom1.de,DNS:*.dom2.de'
[Di 21. Jan 21:59:59 CET 2020] Getting domain auth token for each domain
[Di 21. Jan 22:00:03 CET 2020] Getting webroot for domain='dom1.de'
[Di 21. Jan 22:00:03 CET 2020] Getting webroot for domain='dom2.de'
[Di 21. Jan 22:00:03 CET 2020] Error, can not get domain token entry dom2.de
[Di 21. Jan 22:00:03 CET 2020] The supported validation types are: http-01 , but you specified: dns-01
[Di 21. Jan 22:00:03 CET 2020] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Di 21. Jan 22:00:04 CET 2020] Error renew dom1.de.
```

Worked before for months; nothing was changed.

@rajcz
Contributor Author

rajcz commented Jan 22, 2020

OK, more domains have this error now. It is a problem for us. Any idea?

@Neilpang
Member

Please paste your full command line and the output with --debug 2.

@rajcz
Contributor Author

rajcz commented Jan 22, 2020

```
[root@ ~]# /root/.acme.sh/acme.sh -r -d domain.cz --force --debug 2
[Wed Jan 22 22:41:51 CET 2020] Lets find script dir.
[Wed Jan 22 22:41:51 CET 2020] SCRIPT='/root/.acme.sh/acme.sh'
[Wed Jan 22 22:41:51 CET 2020] _script='/root/.acme.sh/acme.sh'
[Wed Jan 22 22:41:51 CET 2020] _script_home='/root/.acme.sh'
[Wed Jan 22 22:41:51 CET 2020] Using default home:/root/.acme.sh
[Wed Jan 22 22:41:51 CET 2020] Using config home:/root/.acme.sh
[Wed Jan 22 22:41:51 CET 2020] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.8.1
[Wed Jan 22 22:41:51 CET 2020] Using config home:/root/.acme.sh
[Wed Jan 22 22:41:51 CET 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jan 22 22:41:51 CET 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Wed Jan 22 22:41:51 CET 2020] DOMAIN_PATH='/root/.acme.sh/domain.cz'
[Wed Jan 22 22:41:51 CET 2020] Renew: 'domain.cz'
[Wed Jan 22 22:41:51 CET 2020] Le_API
[Wed Jan 22 22:41:51 CET 2020] _main_domain='domain.cz'
[Wed Jan 22 22:41:51 CET 2020] _alt_domains='.domain.cz'
[Wed Jan 22 22:41:51 CET 2020] 'dns_giga' does not contain 'dns'
[Wed Jan 22 22:41:51 CET 2020] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed Jan 22 22:41:51 CET 2020] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Jan 22 22:41:51 CET 2020] GET
[Wed Jan 22 22:41:51 CET 2020] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jan 22 22:41:51 CET 2020] timeout=
[Wed Jan 22 22:41:51 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.caoXm2GacG -g '
[Wed Jan 22 22:41:52 CET 2020] ret='0'
[Wed Jan 22 22:41:52 CET 2020] response='{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"oaSsWm45GiM": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Wed Jan 22 22:41:52 CET 2020] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Jan 22 22:41:52 CET 2020] ACME_NEW_AUTHZ
[Wed Jan 22 22:41:52 CET 2020] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jan 22 22:41:52 CET 2020] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Jan 22 22:41:52 CET 2020] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Jan 22 22:41:52 CET 2020] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Jan 22 22:41:52 CET 2020] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jan 22 22:41:52 CET 2020] ACME_VERSION='2'
[Wed Jan 22 22:41:52 CET 2020] Le_NextRenewTime='1584782674'
[Wed Jan 22 22:41:52 CET 2020] _on_before_issue
[Wed Jan 22 22:41:52 CET 2020] _chk_main_domain='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _chk_alt_domains='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] 'dns_giga' does not contain 'no'
[Wed Jan 22 22:41:52 CET 2020] Le_LocalAddress
[Wed Jan 22 22:41:52 CET 2020] d='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] Check for domain='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _currentRoot='dns_giga'
[Wed Jan 22 22:41:52 CET 2020] d='.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] Check for domain='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _currentRoot='dns_giga'
[Wed Jan 22 22:41:52 CET 2020] d
[Wed Jan 22 22:41:52 CET 2020] 'dns_giga' does not contain 'apache'
[Wed Jan 22 22:41:52 CET 2020] _saved_account_key_hash='+zOmRo0oM='
[Wed Jan 22 22:41:52 CET 2020] _saved_account_key_hash is not changed, skip register account.
[Wed Jan 22 22:41:52 CET 2020] Read key length:
[Wed Jan 22 22:41:52 CET 2020] _createcsr
[Wed Jan 22 22:41:52 CET 2020] domain='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] domainlist='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] csrkey='/root/.acme.sh/domain.cz/domain.cz.key'
[Wed Jan 22 22:41:52 CET 2020] csr='/root/.acme.sh/domain.cz/domain.cz.csr'
[Wed Jan 22 22:41:52 CET 2020] csrconf='/root/.acme.sh/domain.cz/domain.cz.csr.conf'
[Wed Jan 22 22:41:52 CET 2020] _is_idn_d='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _idn_temp
[Wed Jan 22 22:41:52 CET 2020] domainlist='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] Multi domain='DNS:domain.cz,DNS:
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _is_idn_d='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _idn_temp
[Wed Jan 22 22:41:52 CET 2020] _csr_cn='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] Getting domain auth token for each domain
[Wed Jan 22 22:41:52 CET 2020] d='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] d
[Wed Jan 22 22:41:52 CET 2020] _identifiers='{"type":"dns","value":"domain.cz"},{"type":"dns","value":"
.domain.cz"}'
[Wed Jan 22 22:41:52 CET 2020] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jan 22 22:41:52 CET 2020] payload='{"identifiers": [{"type":"dns","value":"domain.cz"},{"type":"dns","value":"
.domain.cz"}]}'
[Wed Jan 22 22:41:52 CET 2020] RSA key
[Wed Jan 22 22:41:53 CET 2020] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jan 22 22:41:53 CET 2020] HEAD
[Wed Jan 22 22:41:53 CET 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jan 22 22:41:53 CET 2020] body
[Wed Jan 22 22:41:53 CET 2020] _postContentType='application/jose+json'
[Wed Jan 22 22:41:53 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.O8rE9E3EkJ -g '
[Wed Jan 22 22:46:51 CET 2020] _ret='0'
[Wed Jan 22 22:46:51 CET 2020] _headers='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 Jan 2020 21:41:53 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: -k3aSr100
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Wed Jan 22 22:46:51 CET 2020] _CACHED_NONCE='
-k3aSr100'
[Wed Jan 22 22:46:51 CET 2020] nonce='-k3aSr100'
[Wed Jan 22 22:46:51 CET 2020] POST
[Wed Jan 22 22:46:51 CET 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jan 22 22:46:51 CET 2020] body='{"protected": "
", "payload": "
", "signature": "-"}'
[Wed Jan 22 22:46:51 CET 2020] _postContentType='application/jose+json'
[Wed Jan 22 22:46:51 CET 2020] Http already initialized.
[Wed Jan 22 22:46:51 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.O8rE9E3EkJ -g '
[Wed Jan 22 22:46:52 CET 2020] _ret='0'
[Wed Jan 22 22:46:52 CET 2020] responseHeaders='HTTP/1.1 201 Created
Server: nginx
Date: Wed, 22 Jan 2020 21:46:52 GMT
Content-Type: application/json
Content-Length: 463
Connection: keep-alive
Boulder-Requester: 55317865
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/**/**
Replay-Nonce: *****
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Wed Jan 22 22:46:52 CET 2020] code='201'
[Wed Jan 22 22:46:52 CET 2020] original='{
"status": "pending",
"expires": "2020-01-29T11:09:39Z",
"identifiers": [
{
"type": "dns",
"value": "
.domain.cz"
},
{
"type": "dns",
"value": "domain.cz"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/
"
}'
[Wed Jan 22 22:46:52 CET 2020] response='{"status":"pending","expires":"2020-01-29T11:09:39Z","identifiers":[{"type":"dns","value":"
.domain.cz"},{"type":"dns","value":"domain.cz"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/
","https://acme-v02.api.letsencrypt.org/acme/authz-v3/
"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/**/***"}'
[Wed Jan 22 22:46:52 CET 2020] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/
'
[Wed Jan 22 22:46:52 CET 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/****/
'
[Wed Jan 22 22:46:52 CET 2020] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz-v3/***,https://acme-v02.api.letsencrypt.org/acme/authz-v3/
'
[Wed Jan 22 22:46:52 CET 2020] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2413895279'
[Wed Jan 22 22:46:52 CET 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2413895279'
[Wed Jan 22 22:46:52 CET 2020] payload
[Wed Jan 22 22:46:52 CET 2020] Use cached jwk for file: /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.key
[Wed Jan 22 22:46:52 CET 2020] Use _CACHED_NONCE='0001OBKG-tA5GymWPgsJ_YSBzOD8H3zziI3whIpbcUchhek'
[Wed Jan 22 22:46:52 CET 2020] nonce='0001OBKG-tA5GymWPgsJ_YSBzOD8H3zziI3whIpbcUchhek'
[Wed Jan 22 22:46:52 CET 2020] POST
[Wed Jan 22 22:46:52 CET 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/
'
[Wed Jan 22 22:46:52 CET 2020] body='{"protected": "
"}'
[Wed Jan 22 22:46:52 CET 2020] _postContentType='application/jose+json'
[Wed Jan 22 22:46:52 CET 2020] Http already initialized.
[Wed Jan 22 22:46:52 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.O8rE9E3EkJ -g '
[Wed Jan 22 22:46:53 CET 2020] _ret='0'
[Wed Jan 22 22:46:53 CET 2020] responseHeaders='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 Jan 2020 21:46:53 GMT
Content-Type: application/json
Content-Length: 696
Connection: keep-alive
Boulder-Requester: 55317865
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: ****
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Wed Jan 22 22:46:53 CET 2020] code='200'
[Wed Jan 22 22:46:53 CET 2020] original='{
"identifier": {
"type": "dns",
"value": "domain.cz"
},
"status": "valid",
"expires": "2020-02-21T09:24:26Z",
"challenges": [
{
"type": "http-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2****",
"token": "
",
"validationRecord": [
{
"url": "http://domain.cz/.well-known/acme-challenge/",
"hostname": "domain.cz",
"port": "80",
"addressesResolved": [
"185.6
**"
],
"addressUsed": "185."
}
]
}
]
}'
[Wed Jan 22 22:46:53 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"valid","expires":"2020-02-21T09:24:26Z","challenges":[{"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/2413895279/y3CxHg","token":"
","validationRecord":[{"url":"http://domain.cz/.well-known/acme-challenge/
","hostname":"domain.cz","port":"80","addressesResolved":["185."],"addressUsed":"185."}]}]}'
[Wed Jan 22 22:46:53 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"valid","expires":"2020-02-21T09:24:26Z","challenges":[{"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/2413895279/y3CxHg","token":"","validationRecord":[{"url":"http://domain.cz/.well-known/acme-challenge/","hostname":"domain.cz","port":"80","addressesResolved":["185."],"addressUsed":"185."}]}]}'
[Wed Jan 22 22:46:53 CET 2020] _d='domain.cz'
[Wed Jan 22 22:46:53 CET 2020] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2415049546'
[Wed Jan 22 22:46:53 CET 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2415049546'
[Wed Jan 22 22:46:53 CET 2020] payload
[Wed Jan 22 22:46:53 CET 2020] Use cached jwk for file: /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.key
[Wed Jan 22 22:46:53 CET 2020] Use _CACHED_NONCE=''
[Wed Jan 22 22:46:53 CET 2020] nonce='
'
[Wed Jan 22 22:46:53 CET 2020] POST
[Wed Jan 22 22:46:53 CET 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2415049546'
[Wed Jan 22 22:46:53 CET 2020] body='{"protected": "
", "payload": "", "signature": "-"}'
[Wed Jan 22 22:46:53 CET 2020] _postContentType='application/jose+json'
[Wed Jan 22 22:46:53 CET 2020] Http already initialized.
[Wed Jan 22 22:46:53 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.O8rE9E3EkJ -g '
[Wed Jan 22 22:46:54 CET 2020] _ret='0'
[Wed Jan 22 22:46:54 CET 2020] responseHeaders='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 Jan 2020 21:46:54 GMT
Content-Type: application/json
Content-Length: 382
Connection: keep-alive
Boulder-Requester: 55317865
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: P6v0sA2byDrU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Wed Jan 22 22:46:54 CET 2020] code='200'
[Wed Jan 22 22:46:54 CET 2020] original='{
"identifier": {
"type": "dns",
"value": "domain.cz"
},
"status": "pending",
"expires": "2020-01-29T11:09:39Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2415049546/atPxgw",
"token": "-4vtgdrTctrkhOIkec"
}
],
"wildcard": true
}'
[Wed Jan 22 22:46:54 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"pending","expires":"2020-01-29T11:09:39Z","challenges":[{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/atPxgw","token":"
-4vtgdrTctrkhOIkec"}],"wildcard": true}'
[Wed Jan 22 22:46:54 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"pending","expires":"2020-01-29T11:09:39Z","challenges":[{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/atPxgw","token":"-4vtgdrTctrkhOIkec"}],"wildcard": true}'
[Wed Jan 22 22:46:54 CET 2020] _d='.domain.cz'
[Wed Jan 22 22:46:54 CET 2020] _authorizations_map='
.domain.cz,{"identifier":{"type":"dns","value":"domain.cz"},"status":"pending","expires":"2020-01-29T11:09:39Z","challenges":[{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/atPxgw","token":"-4vtgdrTctrkhOIkec"}],"wildcard": true}
domain.cz,{"identifier":{"type":"dns","value":"domain.cz"},"status":"valid","expires":"2020-02-21T09:24:26Z","challenges":[{"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/y3CxHg","token":"","validationRecord":[{"url":"http://domain.cz/.well-known/acme-challenge/","hostname":"domain.cz","port":"80","addressesResolved":["185."],"addressUsed":"185."}]}]}
'
[Wed Jan 22 22:46:54 CET 2020] d='domain.cz'
[Wed Jan 22 22:46:54 CET 2020] Getting webroot for domain='domain.cz'
[Wed Jan 22 22:46:54 CET 2020] _w='dns_giga'
[Wed Jan 22 22:46:54 CET 2020] _currentRoot='dns_giga'
[Wed Jan 22 22:46:54 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"valid","expires":"2020-02-21T09:24:26Z","challenges":[{"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/y3CxHg","token":"","validationRecord":[{"url":"http://domain.cz/.well-known/acme-challenge/","hostname":"domain.cz","port":"80","addressesResolved":["185."],"addressUsed":"185.*"}]}]}'
[Wed Jan 22 22:46:54 CET 2020] entry
[Wed Jan 22 22:46:54 CET 2020] Error, can not get domain token entry domain.cz
[Wed Jan 22 22:46:54 CET 2020] The supported validation types are: http-01 , but you specified: dns-01
[Wed Jan 22 22:46:54 CET 2020] pid
[Wed Jan 22 22:46:54 CET 2020] No need to restore nginx, skip.
[Wed Jan 22 22:46:54 CET 2020] _clearupdns
[Wed Jan 22 22:46:54 CET 2020] dns_entries
[Wed Jan 22 22:46:54 CET 2020] skip dns.
[Wed Jan 22 22:46:54 CET 2020] _on_issue_err
[Wed Jan 22 22:46:54 CET 2020] Please add '--debug' or '--log' to check more details.
[Wed Jan 22 22:46:54 CET 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Jan 22 22:46:54 CET 2020] _chk_vlist
[Wed Jan 22 22:46:54 CET 2020] 'dns_giga' does not contain 'dns'
[Wed Jan 22 22:46:54 CET 2020] socat doesn't exists.
[Wed Jan 22 22:46:54 CET 2020] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2k-fips 26 Jan 2017
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:

```

@rajcz
Contributor Author

rajcz commented Jan 25, 2020

Any idea please?

@dlt-

dlt- commented Jan 27, 2020

Same issue here. If a domain has been verified earlier with http authentication (domain.fi), we are unable to get a dns-validated certificate for domain.fi (but can get one for *.domain.fi).

This used to work last month, but something has changed. acme.sh is the latest version (also tried with the 2.8.5 branch).

I guess this has something to do with the order of validation requests; maybe Letsencrypt prefers the first one that has been successfully validated earlier, and acme.sh incorrectly uses it instead of the new dns-01 request. Validation requests will expire eventually, and it is possible that after expiration dns-01 will succeed.

Anyway, this makes switching from http to dns validation very hard for a plain domain name without any subdomains.

@rajcz
Contributor Author

rajcz commented Jan 27, 2020

Post opened here too. https://community.letsencrypt.org/t/the-supported-validation-types-are-http-01-but-you-specified-dns-01/111561/4

Same issue here.

If you can write there too, we can do more :)

@Neilpang
Member

@rajcz I believe that this is caused by the Letsencrypt CA changes.

I'm fixing it now. Wait a moment.

Neilpang pushed a commit that referenced this issue Jan 27, 2020
If a domain was already verified by http-01 method, when we try to issue a cert for the same domain with dns-01 method, we just get only one challenge object of type http-01 with "valid" status, from the authz-v3 url. So, we report error that we are not able to validate the domain, because of that we don't find dns-01 challenge.
This behavior is not the same as before. I believe it was changed by the letsencrypt CA.
@dlt-

dlt- commented Jan 27, 2020

Excellent! It's working now.

Thanks a lot!

@Neilpang
Member

@dlt-
Just hold on, still testing.

@dlt-

dlt- commented Jan 27, 2020

OK! But with that commit I got two different domains validated that caused errors earlier with the 2.8.5 branch and 2.8.3.

@Neilpang
Member

@dlt-

Yes, you can do some testing on your side at the same time.

I'm also doing more testing before I'm sure to merge it.

Neilpang pushed a commit that referenced this issue Jan 27, 2020
If a domain was already verified by http-01 method, when we try to issue a cert for the same domain with dns-01 method, we just get only one challenge object of type http-01 with "valid" status, from the authz-v3 url. So, we report error that we are not able to validate the domain, because of that we don't find dns-01 challenge.
This behavior is not the same as before. I believe it was changed by the letsencrypt CA.
@Neilpang
Member

Hi All,

It's fixed. Please upgrade to the latest code and try again.

```sh
acme.sh --upgrade
```

@Neilpang
Member

Hi @cpu

I would appreciate it very much if you could drop a comment.

It seems that the challenge objects in the authorization URL response have changed recently.

Before, the response always contained 3 challenge objects: dns-01, http-01 and tls-alpn-01, some of which may be valid and some pending.

However, now it returns 3 objects only when none of them is valid. Once one of them has valid status, it returns only the valid one.

Here are more details:

When we first issue a cert with the standalone method:

```sh
acme.sh --issue --test -d example.org  --standalone --debug 2
```

we got three challenge objects, all of which are pending:

```json
{
  "identifier": {
    "type": "dns",
    "value": "example.org"
  },
  "status": "pending",
  "expires": "2020-02-03T15:44:19Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/35413462/DRfQJg",
      "token": "LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/35413462/GBhlng",
      "token": "LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/35413462/VE2JAA",
      "token": "LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0"
    }
  ]
}
```

We select the http-01 challenge to validate the domain. And everything is ok. We got the cert.

However, when we issue a new cert for the same domain with the dns method,

```sh
acme.sh --issue --test  -d  example.org -d '*.example.org' --dns dns_cf  --debug 2
```

we got these authorization URLs:

```json
{
  "status": "pending",
  "expires": "2020-02-03T15:47:47.959309587Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.example.org"
    },
    {
      "type": "dns",
      "value": "example.org"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35413462",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35414055"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12231866/72469605"
}
```

When we try the first authorization URL https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35413462 to get the challenge objects, we got only one object returned:

```json
{
  "identifier": {
    "type": "dns",
    "value": "example.org"
  },
  "status": "valid",
  "expires": "2020-02-26T15:44:25Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/35413462/DRfQJg",
      "token": "LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0",
      "validationRecord": [
        {
          "url": "http://example.org/.well-known/acme-challenge/LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0",
          "hostname": "example.org",
          "port": "80",
          "addressesResolved": [
            "104.24.116.182",
            "104.24.117.182",
            "2606:4700:3033::6818:74b6",
            "2606:4700:3037::6818:75b6"
          ],
          "addressUsed": "2606:4700:3033::6818:74b6"
        }
      ]
    }
  ]
}
```

It's of http-01 type with valid status. But we want to validate it with the dns-01 method.

Thanks in advance.
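
The challenge-selection difference described in this comment, as an added example that is not acme.sh's own code nor the fix commit: a small Python model of the pre-fix selection (match the requested challenge type, ignore the authorization's status) beside the RFC 8555 behaviour (an authorization that is already "valid" needs no challenge), run over constructed authz objects shaped like the responses quoted above. The `ca.example` URLs and `tok*` tokens are placeholders, not values from the thread.

```python
import json

# Constructed sample authz-v3 responses, modelled on the ones quoted in this
# thread (staging CA, example.org). Tokens and URLs are placeholders, not page values.
AUTHZ_FRESH = json.loads("""{
  "identifier": {"type": "dns", "value": "example.org"},
  "status": "pending",
  "challenges": [
    {"type": "http-01", "status": "pending", "url": "https://ca.example/chall/1/http", "token": "tok1"},
    {"type": "dns-01", "status": "pending", "url": "https://ca.example/chall/1/dns", "token": "tok1"},
    {"type": "tls-alpn-01", "status": "pending", "url": "https://ca.example/chall/1/alpn", "token": "tok1"}
  ]
}""")

# The case from the thread: example.org was validated by http-01 earlier, so the
# CA now returns a "valid" authz listing only the challenge that was used.
AUTHZ_ALREADY_VALID = json.loads("""{
  "identifier": {"type": "dns", "value": "example.org"},
  "status": "valid",
  "challenges": [
    {"type": "http-01", "status": "valid", "url": "https://ca.example/chall/1/http", "token": "tok1"}
  ]
}""")

# Wildcard authz: identifier is the base name with "wildcard": true, dns-01 only.
AUTHZ_WILDCARD = json.loads("""{
  "identifier": {"type": "dns", "value": "example.org"},
  "status": "pending",
  "wildcard": true,
  "challenges": [
    {"type": "dns-01", "status": "pending", "url": "https://ca.example/chall/2/dns", "token": "tok2"}
  ]
}""")

class ChallengeNotOffered(Exception):
    pass

def _not_offered(challenges, wanted):
    types = ", ".join(c["type"] for c in challenges)  # same wording acme.sh prints
    return ChallengeNotOffered(f"The supported validation types are: {types} , but you specified: {wanted}")

def authz_name(authz):
    """The name acme.sh keys the authz by: '*.' prefix when the authz is a wildcard one."""
    return ("*." if authz.get("wildcard") else "") + authz["identifier"]["value"]

def legacy_select(authz, wanted):
    """Pre-fix logic: match on challenge type only, ignoring the authz status."""
    for c in authz["challenges"]:
        if c["type"] == wanted:
            return c
    raise _not_offered(authz["challenges"], wanted)

def rfc8555_select(authz, wanted):
    """Fixed logic: a "valid" authz needs no challenge at all (RFC 8555 s7.1.4),
    so return None; only a "pending" authz is searched for the requested type."""
    status = authz["status"]
    if status == "valid":
        return None
    if status != "pending":  # invalid, expired, deactivated, revoked: order cannot proceed
        raise ChallengeNotOffered(f"authorization for {authz_name(authz)} is {status}")
    pending = [c for c in authz["challenges"] if c["status"] == "pending"]
    for c in pending:
        if c["type"] == wanted:
            return c
    raise _not_offered(pending, wanted)

def compare(authz, wanted):
    """Run both selectors and return (legacy outcome, fixed outcome) as strings."""
    out = []
    for select in (legacy_select, rfc8555_select):
        try:
            c = select(authz, wanted)
            out.append("already valid, skip" if c is None else "answer " + c["url"])
        except ChallengeNotOffered as e:
            out.append("error: " + str(e))
    return tuple(out)
```

Running `compare(AUTHZ_ALREADY_VALID, "dns-01")` reproduces the thread's error message on the legacy side while the fixed side skips the already-valid authorization, which is what lets the order move on to the wildcard's dns-01 challenge.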

@chrostek

The fix works for me. Thanks!

@mnordhoff

@Neilpang Yes, that changed recently. See https://community.letsencrypt.org/t/acme-v1-v2-changing-challenges-returned-for-invalid-valid-authorizations/107661. Apparently the old behavior was against RFC 8555.

@Neilpang
Member

@mnordhoff Thank you.

@cpu

cpu commented Jan 29, 2020

@Neilpang I can confirm @mnordhoff's answer (thanks for posting!).

Pebble has been using this RFC 8555 compliant behaviour since ~April 2018. Have you considered adding integration testing against a Pebble CA to your CI?

@Neilpang
Member

@cpu

Thank you so much.
I will add Pebble soon.

Thanks.
