
I've tried getting a certificate using certbot, caddy, and lego. They've all returned similar errors with this domain.

I used the DNS-01 challenge. Here's output from the lego client:

ananth@wopr ~> lego -a -m "my@email.com" -d subhamho.me -d "*.subhamho.me" --dns gandiv5 --path ./lego run
2021/05/14 00:20:13 [INFO] [subhamho.me, *.subhamho.me] acme: Obtaining bundled SAN certificate
2021/05/14 00:20:15 [INFO] [*.subhamho.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317014
2021/05/14 00:20:15 [INFO] [subhamho.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317037
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: use dns-01 solver
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Could not find solver for: tls-alpn-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Could not find solver for: http-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: use dns-01 solver
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: Preparing to solve DNS-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Preparing to solve DNS-01
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: Cleaning DNS-01 challenge
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Cleaning DNS-01 challenge
2021/05/14 00:20:15 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317014
2021/05/14 00:20:16 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317037
2021/05/14 00:20:16 Could not obtain certificates:
        error: one or more domains had a problem:
[*.subhamho.me] [*.subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
[subhamho.me] [subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.

The other two clients, certbot and caddy, also had FORMERR in their error messages.

Ananth

2 Answers


I tried specifying a different resolver to lego using the --dns.resolvers option. It appears that systemd-resolved is having trouble resolving this TXT record correctly. It seems to think that its format is invalid. The domain resolved correctly using a dnsmasq server that I run.

Ananth
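An added diagnostic, not from the question, either answer, or lego itself, that reproduces the lookup behind the reported FORMERR: it sends the same SOA zone-discovery walk and the TXT lookup to two resolvers and names the RCODE each one returns, so a resolver that answers FORMERR stands out from a record that is simply absent (NOERROR/NXDOMAIN). The resolver addresses are assumptions: 127.0.0.53 for systemd-resolved's stub and 1.1.1.1 as a public resolver; the wire format is built with the standard library only.

```python
import socket
import struct
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}  # low 4 bits of the header flags (RFC 1035)
SOA, TXT = 6, 16
TXID = 0x1234  # fixed transaction id so an offline test can build a matching reply

def build_query(fqdn: str, qtype: int, txid: int = TXID) -> bytes:
    """Minimal IN-class query (RD=1, no EDNS), as a stub resolver would forward it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = fqdn.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_rcode(response: bytes, txid: int = TXID) -> str:
    """Name the RCODE in a reply header; anything but NOERROR/NXDOMAIN is what
    lego surfaces as 'unexpected response code' during findZoneByFqdn."""
    if len(response) < 12:
        raise ValueError("shorter than a DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit clear
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")

def zone_candidates(fqdn: str) -> list[str]:
    """Names an SOA zone-discovery walk asks for, from the challenge label upward."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def query_rcode(fqdn: str, qtype: int, resolver: str, timeout: float = 3.0) -> str:
    """Send one UDP query to `resolver` and return the RCODE name it replies with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(fqdn, qtype), (resolver, 53))
        return parse_rcode(sock.recv(512))

def compare_resolvers(fqdn: str, resolvers: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Per resolver: RCODE for each SOA step, then for the TXT record itself. FORMERR from
    one resolver but a clean answer from another blames that resolver, not the zone."""
    result = {}
    for r in resolvers:
        steps = [(n, query_rcode(n, SOA, r)) for n in zone_candidates(fqdn)]
        steps.append((fqdn + " TXT", query_rcode(fqdn, TXT, r)))
        result[r] = steps
    return result

if __name__ == "__main__":  # assumed resolvers: systemd-resolved's stub and a public one
    print(compare_resolvers("_acme-challenge.subhamho.me", ["127.0.0.53", "1.1.1.1"]))
```

Run it on the host where the ACME client failed; a FORMERR column under 127.0.0.53 alone confirms the local stub resolver is the one rejecting the lookup.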

When requesting a wildcard certificate from Let's Encrypt you have to set a TXT record in your DNS zone file (or in the backend of your provider gandi.net) under the name _acme-challenge.subhamho.me containing the token that you get when issuing the command

certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.subhamho.me' -d subhamho.me

The output of the above command would be

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for subhamho.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.subhamho.me with the following value:

<acme-challenge-value>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

where the token is the value of <acme-challenge-value>. After setting the TXT record press Enter and you should get the wildcard certificate.

At the moment there is no such token. You can check this with

dig TXT +short _acme-challenge.subhamho.me

Thus you are getting the error

[*.subhamho.me] [*.subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
[subhamho.me] [subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.

Keep in mind that you have to renew the TXT record on any renewal of the certificate, which is after 90 days.

digijay

Yes I am aware that the ACME server expects a DNS TXT record containing the challenge response token. The ACME client I'm using, lego, can talk to the gandi.net API to set the DNS record by itself. It seems that it's unable to create the record because of some DNS server issue. It's my first time using the .me TLD, so I'm thinking that may be causing some issues. I strongly suspect the issue is with gandi's nameservers or API. I'm looking for someone familiar with lego/ACME/gandi API to tell me what the FORMERR means. Is it an actual problem, or is it a red herring? – Ananth May 14 '21 at 11:38