skoerfgen / ACMECert

PHP client library for Let's Encrypt and other ACME v2 - RFC 8555 compatible Certificate Authorities

Home Page: https://github.com/skoerfgen/ACMECert

Google Trust Services dns-01 issue

mhmtyylc opened this issue

Google Trust Services dns-01 verification method constantly says invalid as an answer and cannot verify. I would be glad if you could check it.

It seems to work fine (just tested it):

Getting account info
Initializing ACME v2 environment: https://dv.acme-v02.test-api.pki.goog/directory
Using cURL
  https://dv.acme-v02.test-api.pki.goog/directory [200] (0.64s)
Initialized
  https://dv.acme-v02.test-api.pki.goog/new-account [200] (0.3s)
AccountID: https://dv.acme-v02.test-api.pki.goog/account/xxxxxxxx
Account info retrieved
Creating Order
  https://dv.acme-v02.test-api.pki.goog/new-order [201] (0.67s)
Order created: https://dv.acme-v02.test-api.pki.goog/order/xxxxxxxx
Fetching authorization 1 of 1
  https://dv.acme-v02.test-api.pki.goog/authz/xxxxxxxx [200] (0.28s)
Triggering challenge callback for *.example.com using dns-01
DNS_SET: _acme-challenge.example.com
Notifying server for validation of *.example.com
Delaying 4s (rate limit)
  https://dv.acme-v02.test-api.pki.goog/challenge/xxxxxxxx [200] (0.38s)
Waiting for server challenge validation
  https://dv.acme-v02.test-api.pki.goog/authz/xxxxxxxx [200] (0.28s)
Validation successful: *.example.com
Triggering remove callback for *.example.com
DNS_REM: _acme-challenge.example.com
Generating CSR
Finalizing Order
  https://dv.acme-v02.test-api.pki.goog/order/xxxxxxxx/finalize [200] (0.81s)
  https://dv.acme-v02.test-api.pki.goog/order/xxxxxxxx [200] (0.34s)
Retrying in 1s
Delaying 4s (rate limit)
  https://dv.acme-v02.test-api.pki.goog/order/xxxxxxxx [200] (0.32s)
Requesting default certificate-chain
  https://dv.acme-v02.test-api.pki.goog/cert/xxxxxxxx [200] (0.27s)
Default certificate-chain retrieved: [Test GTS Root] -> [Test GTS Root] -> [Test Pre GTS CA 1P5]
Received 1 chain(s): Test GTS Root

Maybe it takes some time for the DNS-Record to become active on the authoritative name server(s).

Does it help if you use a delay like this?:

$handler=function($opts) use ($ac){
  switch($opts['config']['challenge']){
    case 'dns-01':

      // set dns record here

      sleep(120); // wait some time to allow the dns server(s) to update

      return function($opts){
        // remove dns record here
      };
    break;
  }
};

Does it say something like "Challenge validation failed: The TXT record retrieved from xxxxx at the time the challenge was validated did not contain..." (urn:ietf:params:acme:error:incorrectResponse) or is it another message/error?

It says "Challenge validation failed: The TXT record retrieved from xxxxx at the time the challenge was validated did not contain..."

And using a delay does not help?

Delay fixed the problem. Thank you very much.
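The fixed `sleep(120)` from the thread can be replaced by a bounded poll that waits until every authoritative name server actually serves the challenge value. This is an added example, not ACMECert code or code from the thread; `wait_for_txt`, `dig_txt`, the `ns1/ns2.example.net` names and the sample value are hypothetical, and the `dig` utility is assumed to be installed for real lookups.

```php
<?php
// Added example (not ACMECert code): poll the zone's authoritative name
// servers until all of them serve the challenge TXT value, instead of
// sleeping for a fixed 120 seconds.

// Real lookup: ask one name server directly. Assumes `dig` is installed.
function dig_txt(string $ns, string $name): array {
    $cmd = 'dig +short TXT ' . escapeshellarg($name) . ' ' . escapeshellarg('@' . $ns);
    exec($cmd, $lines);
    // dig prints each TXT string wrapped in double quotes
    return array_map(fn($l) => trim($l, "\" \t"), $lines);
}

// Returns true once every server in $nameservers returns $expected for $name,
// false if that has not happened after roughly $timeout seconds.
// Containment is checked (not equality): an order for example.com plus
// *.example.com puts two TXT values on the same _acme-challenge name.
function wait_for_txt(string $name, string $expected, array $nameservers,
                      ?callable $lookup = null, int $timeout = 300,
                      int $interval = 10, ?callable $pause = null): bool {
    $lookup = $lookup ?? 'dig_txt';
    $pause  = $pause ?? 'sleep';
    for ($waited = 0; ; $waited += $interval) {
        $missing = array_filter($nameservers,
            fn($ns) => !in_array($expected, $lookup($ns, $name), true));
        if (!$missing) return true;             // visible on every server
        if ($waited >= $timeout) return false;  // give up, caller decides
        $pause($interval);
    }
}

// Constructed demo, no network and no real sleeping: ns2 lags two polls behind ns1.
$round = 0;
$fakeLookup = function (string $ns, string $name) use (&$round): array {
    return ($ns === 'ns1.example.net' || $round >= 2) ? ['constructed-value'] : [];
};
$fakePause = function (int $seconds) use (&$round): void { $round++; };

$ok = wait_for_txt('_acme-challenge.example.com', 'constructed-value',
    ['ns1.example.net', 'ns2.example.net'], $fakeLookup, 300, 10, $fakePause);
var_dump($ok, $round);

// Inside the handler from the thread this call would take the place of sleep(120).
// Assumption: $opts['key'] is the record name and $opts['value'] the TXT value.
//   if (!wait_for_txt($opts['key'], $opts['value'], ['ns1.example.net', 'ns2.example.net']))
//       throw new Exception('TXT record not visible on all name servers');
```

Querying each authoritative server directly avoids a false positive from a recursive resolver that has cached one server's answer while another still serves the old zone.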