Suddenly "ERROR: Challenge is invalid!" #407

Closed
opened 2025-12-29 01:24:33 +01:00 by adam · 1 comment

Originally created by @jangrewe on GitHub (May 20, 2019).

Hi, I've been using `dehydrated` from the very beginning and never had any trouble with it, so huge thanks for that right upfront!
When wildcard certs came around, I switched to `dns-01` and used the PowerDNS API to handle the validation records in my zones, which also worked like a charm.
But since a couple of days/weeks, I'm having big issues getting all certs for all domains renewed.
Sometimes it happens to certs with ~10 SANs, sometimes it happens to just the domain + wildcard. Then I retry some time later, or the next day, and suddenly that domain works, but there's another one failing then.

An example looks like this:

```
Processing jan.fm with alternative names: *.jan.fm
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun 15 22:02:11 2019 GMT Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for jan.fm
 + Handling authorization for jan.fm
 + 2 pending challenge(s)
 + Deploying challenge tokens...
# INFO: Using additional config file /etc/letsencrypt/conf.d/pdns.sh
 + Responding to challenge for jan.fm authorization...
 + Challenge is valid!
 + Responding to challenge for jan.fm authorization...
 + Cleaning challenge tokens...
# INFO: Using additional config file /etc/letsencrypt/conf.d/pdns.sh
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"v=spf1 mx -all\" found at _acme-challenge.jan.fm",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/pKf5xsCABcSTs6XTp76RWIh5McGgy0FI4IpgzhbVaQU/16081324213",
  "token": "6k-SwHqTmePrdlo0TUFw7DDPVkuPlV2g4jRCmstNK54"
})
# INFO: Using additional config file /etc/letsencrypt/conf.d/pdns.sh
```

The only thing all domains have in common is that they always include the wildcard cert.
I also noticed that this happens pretty much always if the script also said:

```
 + X pending challenge(s)
```

Here's another example of a domain that failed a couple of minutes ago, but now worked flawlessly (and also saying that challenges are pending, but still working fine):

```
Processing faked.im with alternative names: *.faked.im
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun 15 22:03:00 2019 GMT Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for faked.im
 + Found valid authorization for faked.im
 + Handling authorization for faked.im
 + 1 pending challenge(s)
 + Deploying challenge tokens...
# INFO: Using additional config file /etc/letsencrypt/conf.d/pdns.sh
 + Responding to challenge for faked.im authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
# INFO: Using additional config file /etc/letsencrypt/conf.d/pdns.sh
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
```

And another example where it seems to fail on exactly the "pending challenge" for which it didn't say "Found valid authorization":

```
Processing jangrewe.com with alternative names: *.jangrewe.com jangrewe.name *.jangrewe.name jangrewe.me *.jangrewe.me jangrewe.name *.jangrewe.name jangrewe.net *.jangrewe.net jangrewe.org *.jangrewe.org
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: *.jangrewe.com jangrewe.com *.jangrewe.me jangrewe.me *.jangrewe.name jan.grewe.name jangrewe.name *.jangrewe.net jangrewe.net *.jangrewe.org jangrewe.org *.ngrewe.com ngrewe.com *.ngrewe.name ngrewe.name
 + Configured names: *.jangrewe.com jangrewe.com *.jangrewe.me jangrewe.me *.jangrewe.name jangrewe.name *.jangrewe.net jangrewe.net *.jangrewe.org jangrewe.org
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Jun 15 22:01:55 2019 GMT Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 10 authorizations URLs from the CA
 + Handling authorization for jangrewe.com
 + Found valid authorization for jangrewe.com
 + Handling authorization for jangrewe.me
 + Found valid authorization for jangrewe.me
 + Handling authorization for jangrewe.name
 + Found valid authorization for jangrewe.name
 + Handling authorization for jangrewe.net
 + Found valid authorization for jangrewe.net
 + Handling authorization for jangrewe.org
 + Found valid authorization for jangrewe.org
 + Handling authorization for jangrewe.me
 + Found valid authorization for jangrewe.me
 + Handling authorization for jangrewe.name
 + Found valid authorization for jangrewe.name
 + Handling authorization for jangrewe.net
 + Found valid authorization for jangrewe.net
 + Handling authorization for jangrewe.org
 + Handling authorization for jangrewe.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
# INFO: Using additional config file /etc/letsencrypt/conf.d/pdns.sh
 + Responding to challenge for jangrewe.org authorization...
 + Cleaning challenge tokens...
# INFO: Using additional config file /etc/letsencrypt/conf.d/pdns.sh
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"v=spf1 mx -all\" found at _acme-challenge.jangrewe.org",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/a33xa0QPlIqpiccMD6lDnCUbxHnZEn31qzc9a2QEk98/16081585754",
  "token": "tB-T1GYNhDO5uhA7hnia1GCYbCi_Ujl91PF3DZpH90Q"
})
# INFO: Using additional config file /etc/letsencrypt/conf.d/pdns.sh
```
adam closed this issue 2025-12-29 01:24:33 +01:00

@lukas2511 commented on GitHub (May 25, 2019):

This is not an issue with dehydrated, but rather with your DNS zone.

The ACME server can't find the challenge's DNS record on the _acme-challenge subdomain, only an SPF record, and it clearly gives you an error message containing the SPF string.

On that subdomain there should not be any SPF record. Maybe it can work with it present, in that case it's probably an issue with the real record not being provisioned when the ACME server does its lookup. You may want to check your hook scripts for provisioning the zone correctly, and maybe erase the SPF record from the subdomain if possible.

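The hook-side check the reply asks for, written in Python as an added example (not dehydrated's code and not the reporter's pdns.sh hook): it groups the pending tokens by the TXT name they must appear at, accounts for a base domain and its wildcard sharing the same `_acme-challenge` name, and compares that with what the zone actually answers, flagging the SPF record from the error above when it turns up instead of a token. `lookup_txt` is an assumed caller-supplied resolver (ideally one that asks the zone's authoritative servers, not a caching resolver); `SAMPLE_ZONE` and the tokens are constructed.

```python
"""Pre-flight check for a dns-01 hook (added example): confirm that every
challenge TXT record is visible before the hook hands control back to dehydrated."""
import time

ACME_LABEL = "_acme-challenge"

def challenge_name(domain):
    """'example.com' and '*.example.com' are both validated at _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"{ACME_LABEL}.{base}"

def expected_records(challenges):
    """Group (domain, token_value) pairs by the TXT owner name they belong at.
    A base name and its wildcard share one name, so that name needs both tokens."""
    expected = {}
    for domain, token_value in challenges:
        expected.setdefault(challenge_name(domain), set()).add(token_value)
    return expected

def check_records(expected, lookup_txt):
    """Compare expected tokens with what lookup_txt(name) currently answers.
    Returns {name: description} for every name that is not ready; {} means all present."""
    problems = {}
    for name, tokens in expected.items():
        seen = set(lookup_txt(name))
        missing = tokens - seen
        if not missing:
            continue
        msg = f"missing {len(missing)} of {len(tokens)} challenge token(s)"
        spf = [r for r in seen if r.lower().startswith("v=spf1")]
        if spf:
            # The situation the CA reported above: an SPF string answered where the
            # token should be, e.g. from a wildcard TXT in the zone or a stale record.
            msg += f"; found SPF record {spf[0]!r} instead"
        problems[name] = msg
    return problems

def wait_for_records(expected, lookup_txt, attempts=10, delay=2.0, sleep=time.sleep):
    """Poll until nothing is missing or attempts run out; returns the last problems."""
    for attempt in range(attempts):
        problems = check_records(expected, lookup_txt)
        if not problems or attempt == attempts - 1:
            return problems
        sleep(delay)

# Constructed sample answer modelled on the failure above: the zone hands back the
# SPF record for _acme-challenge.jan.fm and neither challenge token.
SAMPLE_ZONE = {"_acme-challenge.jan.fm": ["v=spf1 mx -all"]}
```

In a real hook, build `pending` from the `(domain, token_filename, token_value)` triples dehydrated passes to `deploy_challenge`, and only return once `wait_for_records` comes back empty; a non-empty result is the moment to log what the zone answered instead.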

Reference: starred/dehydrated#407