From: "Lewis G Rosenthal"
Received: from [192.168.100.201] (account lgrosenthal@2rosenthals.com HELO [192.168.100.26]) by 2rosenthals.com (CommuniGate Pro SMTP 5.4.10) with ESMTPSA id 10610549 for ecs-isp@2rosenthals.com; Fri, 16 Aug 2024 14:57:25 -0400
Subject: uacme and DNS challenge/response (was: Re: [eCS-ISP] Apache HTTPS)
To: eCS ISP Mailing List
References:
Organization: Rosenthal & Rosenthal, LLC
Message-ID: <66BFA113.7030600@2rosenthals.com>
Date: Fri, 16 Aug 2024 14:57:23 -0400
User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

PMFJI (again)...

On 08/16/24 01:59 pm, Dan Napier, MS, CIH, CAC wrote:
> Steven
>
> Here is as far as I get, it is asking for a TXT line in the dns server?
> uacme.exe: challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/389433336946/-1Wx1w failed with status invalid
> uacme.exe: the server reported the following error:
> {
>   "type": "urn:ietf:params:acme:error:dns",
>   "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ns1.dnacih.com - check that a DNS record exists for this domain",
>   "status": 400
> }
> uacme.exe: failed to authorize order at https://acme-v02.api.letsencrypt.org/acme/order/1887586636/295703974986
>

Dan, do you indeed have a TXT record defined as "_acme-challenge" under the domain you are querying (ns1.dnacih.com looks suspiciously like a host.domain name)?

According to RFC8555, the TXT record should contain the digest value (SHA-256) of the key authorization. Apparently, this lookup is not always required (a quick scan of the net indicates that for LE certs, the challenge is only used for wildcard certs).

Thus, uacme is not looking for a "TXT line" but a "TXT record" identified as "_acme-challenge" which does not seem to exist for the domain (according to dig).

A good reference: https://www.rfc-editor.org/rfc/rfc8555.html#section-8.4

HTH

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC
www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
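To make the record Lewis describes concrete, here is an added Python example (not part of the original message, and not uacme's own code) that derives the dns-01 TXT value from a challenge token and an account key the way RFC 8555 sections 8.1 and 8.4 specify, then checks a zone snapshot for it before the CA is asked to validate. The account key, token and zone contents are constructed sample values, not real ACME data.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the key's required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT holds base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(identifier: str) -> str:
    """Owner name the CA queries for a dns-01 challenge on this identifier."""
    return f"_acme-challenge.{identifier.rstrip('.')}."


def txt_record_present(zone: dict, identifier: str, expected: str) -> bool:
    """Pre-flight check against a zone snapshot (owner name -> list of TXT strings).

    A missing owner name is the NXDOMAIN case in the uacme output above; a present
    name carrying a stale value is the other common failure. Both return False.
    """
    return expected in zone.get(challenge_name(identifier), [])


# Constructed sample account key and token (not real ACME values) for a dry run.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "constructed-challenge-token"

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{challenge_name("example.com")} IN TXT "{value}"')
    zone = {challenge_name("example.com"): [value]}  # record published for example.com only
    print("example.com:", txt_record_present(zone, "example.com", value))
    print("ns1.example.com:", txt_record_present(zone, "ns1.example.com", value))
```

Publish the printed TXT record under the identifier being certified (not under the name server's hostname), and the check against a fresh dig snapshot should return True before uacme is told to proceed.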