dns auth attempt returns "ERROR: Challenge is invalid! (returned: invalid)" ? #91

Closed
opened 2025-12-29 00:24:37 +01:00 by adam · 1 comment

Originally created by @ghost on GitHub (May 6, 2016).

I'm working on DNS auth with latest letsencrypt.sh git src,

    git log | head
    commit a7c6af689538719fbe23c5a18a1cc974ccd03bb2
    Author: Lukas Schauer <lukas@schauer.so>
    Date:   Wed Apr 27 23:24:45 2016 +0200

        removed donation button

    commit 1ad2f8743dbbbc1ab75eb6b81b487cbf88dc4862
    Merge: adef407 c9c430b
    Author: Lukas Schauer <lukas2511@users.noreply.github.com>
    Date:   Tue Apr 26 22:02:43 2016 +0200

I exec the script

    letsencrypt.sh -c \
    --config ./config.sh \
    --challenge dns-01 \
    --algo prime256v1 \
    --hook ./hook.sh \
    --domain "example.com"

which returns

    ...
    + Responding to challenge for example.com...
    ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"dns-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Correct value not found for DNS challenge"},"uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/EY0...llU/5505446","token":"g2r...avQ","keyAuthorization":"g2r...avQ.Ytm...EUY"})

My hook script adds/updates the appropriate TXT record to my local/hidden primary DNS during the script exec, which in turn notifies the secondary, and then in ~ 1-3 minutes, it propagates out to the main public servers. E.g., after ~ 3 mins

    dig TXT _acme-challenge.example.com @8.8.8.8 | grep ANSWER -A1
    ;; ANSWER SECTION:
    _acme-challenge.example.com. 4   IN      TXT     "b-M...MYY"

The le.sh dns doc says

    ...
    That could be done manually (as most providers don't have a DNS API), by having your hook script echo $1, $2 and $4 and then wait (read -s -r -e < /dev/tty) - give it a little time to get into their DNS system. Usually providers give you boxes to put "_acme-challenge.my" and the token value in, and a dropdown to choose the record type, TXT.
    ...

If the problem here^ is a timing issue, I'm unclear on what's watched,

    " ... then wait (read -s -r -e < /dev/tty) - give it a little time to get into their DNS system ..."

_IS_ the prob here that I need to 'wait'? Or is there a prob in the code itself? I'm guessing PEBKAC; would appreciate any hints.

adam closed this issue 2025-12-29 00:24:37 +01:00

@lukas2511 commented on GitHub (May 6, 2016):

Hey. First: Please don't call my script le.sh, that is the name of a completely different script.

This probably is a timing issue. Shortly after sending the dns update the dns server might not yet deliver the response, there can be a short window with invalid or no response, especially if you use the dns api of some dns provider.

The `read -s -r -e < /dev/tty` command is meant to pause your hook until manual confirmation on terminal is given that the dns record is actually set. It's kinda ugly...

Other ways to do this would just be a `sleep $time` command, or to actually add some logic that queries the dns servers you are using until the record can be seen.

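The third option lukas2511 describes (poll the DNS servers until the record can be seen), worked out for the hidden-primary setup in the issue as an added example; this is not dehydrated's own hook code. It assumes `dig` is installed, that the hook receives the domain in `$2` and the record value in `$4` as the quoted doc implies (verify against the hook docs of the version you run), that `ACME_DNS_NS` names an authoritative server to poll, and that `publish_txt` is a placeholder you replace with your own DNS update.

```shell
#!/bin/sh
# publish_txt NAME VALUE: placeholder for your own DNS update step
# (nsupdate to the hidden primary, a provider API, ...).
publish_txt() {
    printf 'Publish TXT %s with value %s\n' "$1" "$2"
}

# query_txt NAME RESOLVER: print each TXT string for NAME, one per line.
# Override via TXT_QUERY to test the polling logic without network access.
query_txt() {
    dig +short TXT "$1" "@$2" | tr -d '"'
}

# txt_visible NAME VALUE RESOLVER: 0 if VALUE is among the TXT answers.
txt_visible() {
    "${TXT_QUERY:-query_txt}" "$1" "$3" | grep -qxF -- "$2"
}

# wait_for_txt NAME VALUE RESOLVER [MAX_TRIES] [SLEEP_SECS]
# Returns 0 once the record is seen, 1 when the retry budget is exhausted.
# Poll your authoritative servers, not a public recursive resolver: asking
# 8.8.8.8 before the record exists can cache a negative answer and delay it.
wait_for_txt() {
    name=$1 value=$2 resolver=$3
    max_tries=${4:-30} delay=${5:-10} try=0
    while :; do
        if txt_visible "$name" "$value" "$resolver"; then
            return 0
        fi
        try=$((try + 1))
        [ "$try" -lt "$max_tries" ] || return 1
        sleep "$delay"
    done
}

# deploy_challenge DOMAIN TOKEN_FILENAME TXT_VALUE (positions follow the
# quoted doc's "$2 and $4" after the action name is shifted off; check them
# against the hook docs of the dehydrated version you run).
deploy_challenge() {
    domain=$1 txt_value=$3
    publish_txt "_acme-challenge.$domain" "$txt_value" || return 1
    # Fail (non-zero) on timeout so the CA is never asked to validate early.
    wait_for_txt "_acme-challenge.$domain" "$txt_value" \
        "${ACME_DNS_NS:?set to an authoritative nameserver IP}" 30 10
}

# dehydrated runs the hook as: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TXT_VALUE
case "${1:-}" in
    deploy_challenge) deploy_challenge "$2" "$3" "$4" ;;
esac
```

With 30 tries and a 10 s delay the hook waits up to about 5 minutes, which covers the 1-3 minute propagation described in the issue; raise the budget if your secondaries are slower.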

Reference: starred/dehydrated#91