Answer these questions to help the Community help you with Security questions.
What is the domain name?
Have you searched for an answer?
Please share your search results url:
LetsEncrypt ACME Challenge Issue###
We use LetsEncrypt on our server and as you’re probably aware the way in which it validates that you have access to the domain is via a challenge either via DNS-01, HTTP-01 or TLS-ALPN-01.
We use the standard HTTP-01 which works by the servers ACME client uploading an access token to /.well-known/acme-challenge/<TOKEN>
The ACME client then notifies LetsEncrypt that the file is ready, LetsEncrypt tries to retrieves it (multiple times if need be) by accessing…
When you tested your domain, what were the results?
Server has existing cert √
Describe the issue you are having:
Unable to renew cert using acme client
Another Server with different subdomain is working fine
What error message or number are you receiving?
2023/11/13 15:53:46 [INFO] [media.connor.asia] acme: Trying renewal with 296 hours remaining
2023/11/13 15:53:46 [INFO] [media.connor.asia] acme: Obtaining bundled SAN certificate
2023/11/13 15:53:47 [INFO] [media.connor.asia] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/283303261396
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: Could not find solver for: tls-alpn-01
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: Could not find solver for: http-01
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: use dns-01 solver
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: Preparing to solve DNS-01
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: Cleaning DNS-01 challenge
2023/11/13 15:53:47 [WARN] [media.connor.asia] acme: cleaning up failed: cloudflare: unexpected response code ‘REFUSED’ for _acme-challenge.media.connor.asia.
2023/11/13 15:53:47 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/283303261396
2023/11/13 15:53:47 error: one or more domains had a problem:
[media.connor.asia] [media.connor.asia] acme: error presenting token: cloudflare: unexpected response code ‘REFUSED’ for _acme-challenge.media.connor.asia.
What steps have you taken to resolve the issue?
renewed token, verified token
deleted API setup including token and set up from scratch
Was the site working with SSL prior to adding it to Cloudflare?
What are the steps to reproduce the error:
run /usr/local/bin/synology-letsencrypt.sh = error
lego --email --dns cloudflare --domains media.connor.asia run = error tried a bunch of other stuff as well
Have you tried from another browser and/or incognito mode?
Please attach a screenshot of the error:
ok this isn’t getting much traction, so maybe I can make it simpler-
What does this error message mean, or can I get more verbosity to explain it?
It’s a DNS Status Code, generally used when the nameserver cannot/refuses to perform the specific operation. Like if that nameserver can’t answer that query because it doesn’t know about the domain, for example you get refused if you ask Cloudflare Authoritive Nameservers about
There’s a few other cases:
If you are using a DNS Resolver that supports Extended DNS Errors (EDE) and the DNS Client you are using can read and display those, maybe:
Dig through SERVFAILs with EDE
This seems more related to Traefik/Lego then Cloudflare though. This has already been talked about before on the forum as well:
I’m trying to install Traefik with a wildcard certificate against my Cloudflare domain - but it keeps failing with this error:
time=“2021-12-26T23:29:17Z” level=error msg=“Unable to obtain ACME certificate for domains ".deprez.biz" : unable to generate a certificate for the domains [.deprez.biz]: error: one or more domains had a problem:\n[*.deprez.biz] time limit exceeded: last error: NS
angela.ns.cloudflare.com. returned REFUSED for _acme-challenge.deprez.biz.\n” providerName=Cloudfl…
It looks like there’s an option to disable that check entirely:
or disable it and force a delay like this user did:
I’m guessing something is going wrong with the check (default dns block, etc). Cloudflare propogates DNS changes so quickly anyway (like ~1-2s globally excluding local/resolver dns cache, which Let’s Encrypt bypasses) that just waiting a static amount of time works.
That error specifically is thrown by here:
Part of the pre-checks for DNS Propogation, which can be disabled as described above
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.