rmbolger / Posh-ACME

PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
https://poshac.me/docs/latest/
MIT License

Namecheap issue with verifying DNS challenge #500

Closed huzhasan closed 9 months ago

huzhasan commented 1 year ago

Let's Encrypt somehow cannot verify the creation of the challenge TXT record, even though it is plainly available using nslookup.exe -type=TXT _acme-challenge.domain.com

The server returns DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain.com - check that a DNS record exists for this domain

All goes well and the Namecheap plugin even creates the needed TXT records (plural because it creates 2 challenges; is it because I am requesting a SAN on *.domain.com with domain.com?) and they get propagated just fine, but somehow the lookup fails.

Since the failure is server-side, I don't know how to start fixing this error. I forgot to mention that the certificate gets generated just fine using other tools like wacs.exe and lego.exe.

rmbolger commented 1 year ago

Hi @huzhasan, thanks for reaching out. This might just be a matter of not waiting long enough for the change to be live on all of the authoritative Namecheap nameservers. I believe Namecheap uses geographically dispersed anycast servers for DNS. So even if you can resolve the record from your location, it might not yet be available from another location that's hitting a different backend nameserver. It's hard to say without an actual domain name to check against though.

Assuming you see the records the plugin is creating in the Namecheap DNS control panel, I'd try doubling the default DNS sleep time from 2 min to 4 min and see if that helps. You should be able to do this by adding -DnsSleep 240 to your New-PACertificate or New-PAOrder command.
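The check described above (whether every authoritative nameserver for the zone already serves the challenge record, not just the one your local resolver happened to hit) can be scripted. The following is an added example, not part of the original issue or of Posh-ACME. It assumes a Windows host with the DnsClient module (Resolve-DnsName); the function name, the domain and the expected token value are placeholders. It walks up the labels to find the zone's NS records, then queries each nameserver directly with the local cache and hosts file bypassed, so a NODATA or NXDOMAIN answer from one server shows exactly the inconsistency the CA can run into.

```powershell
# Added example (not Posh-ACME code): verify that all authoritative nameservers
# for a zone serve the _acme-challenge TXT record before the CA is asked to
# validate. Assumes Windows PowerShell / PowerShell 7 on Windows with the
# DnsClient module (Resolve-DnsName). Function and parameter names are assumed.
function Test-AcmeChallengePropagation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,   # name being validated, e.g. example.com
        [string] $ExpectedValue,                    # optional: the token value the plugin wrote
        [string] $Zone                              # optional: override zone detection
    )

    $name = "_acme-challenge.$Domain"

    # Walk up the labels until an NS record set is found; that is the zone whose
    # authoritative servers the CA's resolver will ultimately ask.
    if (-not $Zone) {
        $labels = $Domain.Split('.')
        for ($i = 0; $i -lt $labels.Count - 1; $i++) {
            $candidate = ($labels[$i..($labels.Count - 1)]) -join '.'
            $ns = Resolve-DnsName -Name $candidate -Type NS -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'NS' }
            if ($ns) { $Zone = $candidate; break }
        }
        if (-not $Zone) { throw "No NS records found for $Domain or any parent label" }
    }

    $nameservers = Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'NS' } |
                   Select-Object -ExpandProperty NameHost

    foreach ($ns in $nameservers) {
        $result = [pscustomobject]@{ Zone = $Zone; NameServer = $ns; Status = ''; Values = @() }
        try {
            # -DnsOnly and -NoHostsFile bypass the local cache and hosts file so the
            # answer comes from this authoritative server and nothing else.
            $txt = Resolve-DnsName -Name $name -Type TXT -Server $ns -DnsOnly -NoHostsFile -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'TXT' }
            $result.Values = @($txt | ForEach-Object { $_.Strings -join '' })
            if (-not $result.Values) {
                $result.Status = 'NODATA'        # name exists but no TXT yet on this server
            } elseif ($ExpectedValue -and ($result.Values -notcontains $ExpectedValue)) {
                $result.Status = 'STALE'         # an old token is still being served here
            } else {
                $result.Status = 'OK'
            }
        } catch {
            # NXDOMAIN (the error quoted in this issue) or a timeout on this server
            $result.Status = "ERROR: $($_.Exception.Message)"
        }
        $result
    }
}

# Usage (placeholders): run this after the plugin has written the record and
# before the challenge is submitted; every row should read OK.
# Test-AcmeChallengePropagation -Domain 'example.com' -ExpectedValue '<token-from-plugin>' |
#     Format-Table NameServer, Status, Values
```

If some servers report OK while others report NODATA or NXDOMAIN, the record has simply not reached every backend yet, which is the situation a longer -DnsSleep is meant to cover; if a server reports STALE, a previous challenge value is still being served and the plugin's cleanup or the zone's TTL is worth a look. Zone detection here stops at the first label with NS records, so for names under a multi-label public suffix pass -Zone explicitly.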

huzhasan commented 1 year ago

Hello @rmbolger, thanks for your reply and sorry for the delay on my side, was caught up a bit.

I increased DnsSleep=300 just to be on the safe side. After waiting for ages for the script, I got (stack trace reformatted for brevity and clarity):

D:\Server\Repos\Powershell\SSL\Posh-ACME\Private\New-Csr.ps1:78
$subject = New-Object Org.BouncyCastle.Asn1.X509.X509Name($Order.Sub …
Exception calling ".ctor" with "1" argument(s): "badly formated directory string"

D:\Server\Repos\Powershell\SSL\Posh-ACME\Private\New-Csr.ps1:133
$req = New-Object Org.BouncyCastle.Pkcs.Pkcs10CertificationReques …
Exception calling ".ctor" with "5" argument(s): "Value cannot be null. (Parameter 'subject')"

D:\Server\Repos\Powershell\SSL\Posh-ACME\Private\New-Csr.ps1:136
Export-Pem $req $reqFile
Cannot bind argument to parameter 'InputObject' because it is null.

D:\Server\Repos\Powershell\SSL\Posh-ACME\Private\New-Csr.ps1:139
return (ConvertTo-Base64Url $req.GetEncoded())
You cannot call a method on a null-valued expression.

D:\Server\Repos\Powershell\SSL\Posh-ACME\Private\Invoke-ACME.ps1:174
throw [AcmeException]::new($acmeError.detail,$acmeError)
Error parsing certificate request: asn1: syntax error: sequence truncated

I tried the above on various domains and settings, but can't get any other output. I get it quicker when using LE_STAGE rather than LE_PROD (since it goes through all the actual hoops of making the certificate).

Using .NET 7.0.5, PowerShell (x64) 7.3.4 and v2.2.5.1538 (x64, ReleaseTrimmed) of Posh-ACME on a Windows 11 machine.

rmbolger commented 1 year ago

Out of curiosity, how are you installing and importing the module? The path listed for the errors isn't a standard PowerShell module path.

In any case, the first error creating the $subject variable cascaded into the rest of the errors. That subject error implies that the provided Subject param was invalid. Did you actually specify an explicit -Subject blah parameter in your call? It shouldn't be necessary under normal circumstances.

To dig in further, I'll need the details of the commands you were using. Even better if you run with the -Verbose switch and provide a (sanitized if necessary) copy of the output.