EJBCA / ECA-9369

ACME enrollment with certbot and DNS validation fails

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: EJBCA 7.4.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      Testing ACME enrollment with the certbot client, DNS validation fails. Bind DNS 9.14.8_xx is used.

      Steps to reproduce are:

      1. Configure the ACME alias and configure the DNS server. Disable the DNSSEC checkbox.
      2. Use certbot to enroll:
        certbot-auto certonly --server https://enroll.solitude.skyrim/ejbca/acme/directory --manual --preferred-challenges=dns -d test3-1.solitude.skyrim --agree-tos --email sven.rajala@primekey.com --no-eff-email
      3. Accept yes to log IP address
      4. Take the validation string and add it to DNS.
      5. From the RA or CA check the DNS record:
        dig txt _acme-challenge.test3-1.solitude.skyrim
      6. Enrollment fails with 'validation failed to verify'.

      The DNS server logs show EJBCA never queries the DNS record at all. It just throws

        2020-08-26 12:18:56,580 DEBUG [org.ejbca.ui.web.protocol.acme.logic.AcmeExternalValidationSessionBean] (default task-2) TXT records from DNS query is empty or null!

      and

        2020-08-26 12:18:56,580 INFO [org.ejbca.ui.web.protocol.acme.web.AcmeProblemExceptionMapper] (default task-2) Responding to request with problem report of type urn:ietf:params:acme:error:incorrectResponse and detail 'Response received didn't match the challenge's requirements'.


      Result is the same when testing directly with CA or using RA peer.
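      For anyone reproducing this, the following is an added example (not part of the issue and not EJBCA's own code) that mirrors the DNS-01 check an ACME server performs per RFC 8555 section 8.4: the expected TXT value is base64url(SHA-256(token "." account-key-thumbprint)), published at _acme-challenge.<identifier>. Running it against the values certbot shows and the records `dig txt` returns lets you tell apart the three outcomes relevant here: no TXT records seen at all (the "empty or null" debug line above), a record that does not match (the incorrectResponse problem), and a valid record. The token, JWK coordinates and resolver output below are constructed sample values; only the hostname comes from the issue.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not from the issue). In practice the token comes from
# the ACME challenge object and the JWK is the client's account public key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
IDENTIFIER = "test3-1.solitude.skyrim"  # hostname from the issue


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (required members only,
    lexicographically sorted, no whitespace) of the public key."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_record_name(identifier: str) -> str:
    """Owner name the server queries for the DNS-01 challenge."""
    return f"_acme-challenge.{identifier}"


def expected_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token || '.' || thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def validate_dns01(token: str, jwk: dict, txt_records) -> str:
    """Server-side decision for one DNS-01 challenge.

    txt_records is whatever the resolver returned for _acme-challenge.<identifier>
    (dig prints TXT values in double quotes, so quotes are stripped before comparing).
    Returns "no-records", "mismatch" or "valid".
    """
    if not txt_records:
        # Corresponds to the "TXT records from DNS query is empty or null!" debug line.
        return "no-records"
    expected = expected_txt_value(token, jwk).encode("ascii")
    for record in txt_records:
        value = record.strip().strip('"').encode("utf-8")
        if hmac.compare_digest(value, expected):
            return "valid"
    # Records exist but none matches: urn:ietf:params:acme:error:incorrectResponse.
    return "mismatch"


if __name__ == "__main__":
    value = expected_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"publish TXT {challenge_record_name(IDENTIFIER)} \"{value}\"")
    # Constructed resolver outputs for the three outcomes.
    print("empty answer   ->", validate_dns01(SAMPLE_TOKEN, SAMPLE_JWK, []))
    print("wrong record   ->", validate_dns01(SAMPLE_TOKEN, SAMPLE_JWK, ['"stale-value"']))
    print("correct record ->", validate_dns01(SAMPLE_TOKEN, SAMPLE_JWK, [f'"{value}"']))
```

      If this script reports "valid" for the record that `dig` returns from the CA or RA host while EJBCA still logs the "empty or null" line, the record itself is fine and the problem is on the query side, which matches the observation above that the DNS server never sees a query from EJBCA.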

      Assignee: Unassigned
      Reporter: svenr Sven Rajala