Validating this certificate is not possible using dns-01. Possible validation methods are: http-01 #464

Closed
opened 2025-12-29 01:25:43 +01:00 by adam · 9 comments
Originally created by @it-can on GitHub (Mar 11, 2020).

I have a certificate requested through http-01, but want to convert it to dns-01 (wildcard). Dehydrated/letsencrypt gives me this error:

```
Validating this certificate is not possible using dns-01. Possible validation methods are: http-01
```

Other wildcard domains are working on my system... is there something I am missing?

@txr13 commented on GitHub (Mar 11, 2020):

Are you using the `--force` option on your renewal?

If you have already authorized a domain (and the authorization is still valid), then you are not allowed to change the validation method. (See https://github.com/win-acme/win-acme/issues/1399#issuecomment-587485998)

You could wait until the authorization expires (for Let's Encrypt, this will take 30 days), or you might try forcing the renewal, which I think will force a new authorization, which would allow your choice of validation type.

@it-can commented on GitHub (Mar 11, 2020):

> Are you using the `--force` option on your renewal?
>
> If you have already authorized a domain (and the authorization is still valid), then you are not allowed to change the validation method. (See win-acme/win-acme#1399 (comment): https://github.com/win-acme/win-acme/issues/1399#issuecomment-587485998)
>
> You could wait until the authorization expires (for Let's Encrypt, this will take 30 days), or you might try forcing the renewal, which I think will force a new authorization, which would allow your choice of validation type.

Yeah force is also giving same result. Maybe revoke the cert first?

@txr13 commented on GitHub (Mar 11, 2020):

I don't think revoking it is going to be a good idea--that would revoke the certificate, not the authorization...

@lukas2511 This might require a look?

@jobe1986 commented on GitHub (Mar 11, 2020):

Given that authorisations are attached to accounts, although it may not be an ideal solution, you could try deleting the existing account data, and creating a new account with ./dehydrated --register and then proceeding from there.

@it-can commented on GitHub (Mar 11, 2020):

I added a new unused domain to my dehydrated setup with wildcard. In the certs directory I added a config file with this:

dehydrated/certs/example_nl/rsa/config

```
CHALLENGETYPE="dns-01"
HOOK="${BASEDIR}/hook_dns.sh"
KEY_ALGO=rsa
```

My domains.txt is this

```
example.nl *.example.nl > example_nl
```

But when running dehydrated I get this error:

```
dehydrated -c -g

Processing example.nl with alternative names: *.example.nl
 + Using certificate specific config file!
   + CHALLENGETYPE = dns-01
   + HOOK = /etc/dehydrated/hook_dns.sh
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for example.nl
 + Handling authorization for example.nl
 + 2 pending challenge(s)
 + Deploying challenge tokens...

Error opening Certificate /etc/dehydrated/certs/example_nl/rsa/cert.pem
140029208692624:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/dehydrated/certs/example_nl/rsa/cert.pem','r')
140029208692624:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate
```
@txr13 commented on GitHub (Mar 11, 2020):

@it-can That looks like an error in your hook script, to me. Which should probably be handled as a separate issue.

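For reference, here is a minimal dns-01 hook skeleton in the shape dehydrated invokes (hook name as `$1`, then the per-hook arguments). This is an added example, not code from the thread or from the dehydrated project. Instead of calling a DNS provider API it appends TXT records to a flat file (`ACME_TXT_DB`, a constructed placeholder) so it runs offline; the real API call goes where the comment says. The two points the output above illustrates are built in: `deploy_challenge` runs while the order is still pending, before any `cert.pem` exists, so reading the certificate belongs in `deploy_cert` only, and every hook name the script does not handle must exit 0 so dehydrated keeps going.

```shell
#!/usr/bin/env sh
# Skeleton dns-01 hook for dehydrated (added example, not the project's code).
# dehydrated calls HOOK with the hook name as $1 followed by hook arguments:
#   deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   deploy_cert      DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
#   unchanged_cert   DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
# Other hooks (startup_hook, exit_hook, ...) are called too and must succeed.
#
# Assumption: TXT records are written to a flat file (ACME_TXT_DB, constructed
# for this example) instead of a DNS API, so the script can run offline.

ACME_TXT_DB="${ACME_TXT_DB:-/tmp/acme-txt-records.db}"

# Name of the challenge record. The wildcard label is dropped: the record for
# *.example.nl is published at _acme-challenge.example.nl, the same name as
# the record for example.nl itself (RFC 8555, section 8.4).
txt_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

deploy_challenge() {
    domain="$1"; token_value="$3"
    name="$(txt_record_name "$domain")"
    # Placeholder for: DNS API call that adds TXT "$name" -> "$token_value".
    printf '%s %s\n' "$name" "$token_value" >> "$ACME_TXT_DB"
    # A propagation wait (sleep, or polling the authoritative NS) goes here.
    # Nothing in this phase may read cert.pem: for a new order it does not exist.
}

clean_challenge() {
    domain="$1"; token_value="$3"
    name="$(txt_record_name "$domain")"
    tmp="$ACME_TXT_DB.tmp"
    # Placeholder for: DNS API call that removes exactly this TXT record.
    grep -v -F -- "$name $token_value" "$ACME_TXT_DB" > "$tmp" 2>/dev/null || true
    mv "$tmp" "$ACME_TXT_DB"
}

deploy_cert() {
    domain="$1"; certfile="$3"; fullchainfile="$4"
    # Only now is the issued certificate on disk; fail loudly if it is not.
    [ -s "$certfile" ] || { echo "deploy_cert: missing $certfile for $domain" >&2; return 1; }
    # Placeholder for reloading the service that serves "$fullchainfile".
    return 0
}

# TXT values currently published for a domain (one per line; used for checks).
lookup_txt() {
    name="$(txt_record_name "$1")"
    grep -F -- "$name " "$ACME_TXT_DB" 2>/dev/null | cut -d' ' -f2
}

# Dispatcher: hooks this script does not implement exit 0 on purpose.
hook_main() {
    hook="$1"; shift
    case "$hook" in
        deploy_challenge) deploy_challenge "$@" ;;
        clean_challenge)  clean_challenge  "$@" ;;
        deploy_cert)      deploy_cert      "$@" ;;
        *) : ;;
    esac
}

# Only dispatch when invoked by dehydrated (i.e. with arguments).
if [ "$#" -gt 0 ]; then
    hook_main "$@"
fi
```

With `HOOK` pointing at this file and `CHALLENGETYPE="dns-01"` in the per-certificate config, dehydrated calls `deploy_challenge` once per authorization (twice for `example.nl` plus `*.example.nl`, both landing at the same record name with different values), then `clean_challenge`, and `deploy_cert` only after issuance.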
@it-can commented on GitHub (Mar 11, 2020):

> @it-can That looks like an error in your hook script, to me. Which should probably be handled as a separate issue.

maybe you're right... I'll the my dns script

@it-can commented on GitHub (Mar 11, 2020):

my dns script had a bug... maybe my dns problem is now also fixed

@it-can commented on GitHub (Mar 11, 2020):

my dns problem is also fixed now....

Reference: starred/dehydrated#464