Multiple _acme-challenge

What is the name of the domain?

americanbar.org

What is the issue you’re encountering

multiple e-mails with different _acme-challenge

What steps have you taken to resolve the issue?

Put the first one in DNS for americanbar.org. For several other domains I have had to eventually turn Universal SSL off and then on again.
This is not an option here; I need to get the correct _acme-challenge and prevent the multiple versions in the future.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

What are the steps to reproduce the issue?

Using the dashboard I noticed this behavior on several other domains (I have 100+).
For americanbar.org:
e-mail at 6:43:
Create a DNS record _acme-challenge.americanbar.org TXT IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw
Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0
e-mail at 7:48:
Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0
Create a DNS record _acme-challenge.americanbar.org TXT kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0
e-mail at 05:08:
Create a DNS record _acme-challenge.americanbar.org TXT IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw
Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0

Your _acme-challenge TXT records should be ephemeral. This means that there will never be one permanent “correct” value. The ACME client that creates the record should remove it after it completes the challenge. Do you know if they are your DNS-01 challenges that are lingering longer than desired?


Yes, the challenges are lingering longer than desired on dns01, our internal DNS box. I would expect this (now that you pointed it out).

Still not sure why I am getting multiple _acme-challenge values. Could more than one Universal cert (e.g. dev.americanbar.org and americanbar.org) cause multiple _acme-challenge requests for _acme-challenge.americanbar.org?

Let’s Encrypt has a good explanation of the DNS-01 challenge.

Still receiving the e-mail; I added the _acme-challenge.americanbar.org records hours ago and verified them.

[root@dns01 ~]# nslookup -q=txt _acme-challenge.americanbar.org 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
_acme-challenge.americanbar.org text = "hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0"
_acme-challenge.americanbar.org text = "IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw"
_acme-challenge.americanbar.org text = "kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0"

Authoritative answers can be found from:

[root@dns01 ~]#
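The check the thread is circling around is simple to automate: Cloudflare sends one DCV e-mail per pending certificate, so the union of every token those e-mails ask for must be present in the _acme-challenge TXT RRset at the same time, not just the latest one. The script below is an added example, not code from the thread or from Cloudflare. It parses the "Create a DNS record ... TXT ..." lines from the e-mails quoted above, parses the nslookup output posted above (both embedded here as constructed sample input), reports any tokens that are required but not published, and emits BIND zone lines for the full set. The "Create a DNS record" line shape is taken from the quoted e-mail; the 60-second TTL is an assumption chosen because the records are meant to be temporary.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the record lines from the three DCV reminder
# e-mails quoted in this thread, keyed by the time each arrived.
DCV_EMAILS: Dict[str, str] = {
    "06:43": (
        "Create a DNS record _acme-challenge.americanbar.org TXT IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw\n"
        "Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0\n"
    ),
    "07:48": (
        "Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0\n"
        "Create a DNS record _acme-challenge.americanbar.org TXT kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0\n"
    ),
    "05:08": (
        "Create a DNS record _acme-challenge.americanbar.org TXT IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw\n"
        "Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0\n"
    ),
}

# Constructed sample input: the nslookup output posted in the thread.
NSLOOKUP_OUTPUT = """Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
_acme-challenge.americanbar.org text = "hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0"
_acme-challenge.americanbar.org text = "IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw"
_acme-challenge.americanbar.org text = "kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0"

Authoritative answers can be found from:
"""

# Line shape copied from the quoted Cloudflare e-mail.
CREATE_RE = re.compile(r"Create a DNS record\s+(\S+)\s+TXT\s+(\S+)")
# Line shape of nslookup's TXT answers: <name> text = "<value>"
TXT_RE = re.compile(r'^(\S+)\s+text\s*=\s*"([^"]*)"', re.MULTILINE)


def _norm(name: str) -> str:
    """Lower-case and strip a trailing dot so e-mail and DNS names compare equal."""
    return name.lower().rstrip(".")


def required_tokens(emails: Dict[str, str]) -> Dict[str, Set[str]]:
    """Union of every token any e-mail asked for, per record name.

    One e-mail per pending certificate means the same name can legitimately
    need several TXT values published at once; a token must not be dropped
    just because a later e-mail did not repeat it.
    """
    required: Dict[str, Set[str]] = {}
    for body in emails.values():
        for name, token in CREATE_RE.findall(body):
            required.setdefault(_norm(name), set()).add(token)
    return required


def published_tokens(nslookup_output: str) -> Dict[str, Set[str]]:
    """TXT values actually visible to a resolver, per record name."""
    published: Dict[str, Set[str]] = {}
    for name, value in TXT_RE.findall(nslookup_output):
        published.setdefault(_norm(name), set()).add(value)
    return published


def missing_tokens(required: Dict[str, Set[str]],
                   published: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Tokens the validator will not find; reminders continue until this is empty."""
    missing: Dict[str, Set[str]] = {}
    for name, tokens in required.items():
        gap = tokens - published.get(name, set())
        if gap:
            missing[name] = gap
    return missing


def bind_zone_lines(required: Dict[str, Set[str]], ttl: int = 60) -> List[str]:
    """One TXT RR per token, in BIND zone-file syntax.

    The short TTL is an assumption: the records are temporary, so a low TTL
    lets them be removed quickly once validation has completed.
    """
    lines: List[str] = []
    for name in sorted(required):
        for token in sorted(required[name]):
            lines.append(f'{name}.\t{ttl}\tIN\tTXT\t"{token}"')
    return lines


if __name__ == "__main__":
    need = required_tokens(DCV_EMAILS)
    have = published_tokens(NSLOOKUP_OUTPUT)
    print("missing:", missing_tokens(need, have) or "none")
    print("\n".join(bind_zone_lines(need)))
```

Against the sample data every required token is published, so the script reports nothing missing; feed it the earlier state (only the first token published) and it lists the other two, which is exactly the condition that kept the reminder e-mails coming. Once the certificates show as active, the same token list is what should be removed from the zone.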

Can you explain the email? Who is it from? What is it communicating?

Are you manually creating TXT records for DNS-01 challenges?

Yes entering the _acme-challenge TXT records in my bind server.


From
[email protected]

Hello,

Domain Control Validation (DCV) has failed for the certificate with the ID cb64aed5-3b93-442c-ae0c-c19e090ec1b9 belonging to Zone ID c8687a3cxxxxxxxxxxx0e55. The DCV method is currently set to txt.

Since the DCV method is set to TXT, please be sure to update your zone’s nameservers at the registrar to the nameservers assigned to your zone in the Cloudflare Dashboard, or manually add a DNS TXT record to your authoritative DNS provider. For more help with changing nameservers, refer to https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/.

Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0

Create a DNS record _acme-challenge.americanbar.org TXT kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0

You should also ensure that traffic to this hostname resolves to Cloudflare’s edge and that no Cloudflare firewall rules or page rules modify requests to the HTTP .txt file’s URL. For more help, visit https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/.

If you want to change the current DCV method, follow the steps listed here: https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/

For any additional questions, visit our Support portal.

Thanks,
The Cloudflare Team

After another round of notifications the _acme-challenge was read, and the [Advanced] certificate is active.

Is there a way to clean out the old, now unneeded, certs?


According to this documentation, they can be deleted via the dashboard or API. I’ve not needed to do that, so I don’t have a firsthand experience to add any additional detail.

Further investigation is needed on the delete (not apparent from the dashboard), but for the thread topic:
I published all 3 _acme-challenges, then waited for a few hours and one more set of reminders.

