Expressway - ACME - Let's Encrypt - Operation Failed

Hi all,

I'm trying to use the ACME Certificate Service with Let's Encrypt. When trying to sign the CSR, I'm getting the following error:

"There was a problem with a DNS query during identifier validation, Domain A-Record lookup failed"

What am I missing here? Should the NAT IP Public address be added to the customer DNS?

Help would be really appreciated!

Thanks!

1 Accepted Solution

The issue was on the SAN I was using, so the validation was going not to the Expressway but to the domain itself. I've changed the alternative name to make it exactly the same as the DNS public name for the expe and everything is ok now.

7 Replies 7

Francesco Molino
VIP Alumni
Hi

To enroll a certificate with Let's Encrypt, there are 3 options:
- web server accessible on port 80 for automatic enrollment
- using FTP with file to upload
- add a TXT record to your public DNS

Here is a website showing these 3 possibilities and explaining all of them:
https://www.sslforfree.com/

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry Francesco but I couldn't find any of the 3 options in the mentioned site. I want to know more about the automatic enrollment. Thank you!

I don't know Expressway itself, but I use an Ubuntu machine to generate and renew my public certificate (including a wildcard).
You can achieve this using the link: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

The link I forwarded is for manual enrolment. Once you have typed in your domain name or FQDN (for a specific FQDN), the page below appears and lets you choose one of the 3 options I talked about.

image.png

Anyway, with an Ubuntu machine it works fine, and then you need to export it and upload it into your Expressway, unless your Expressway allows you to install these packages.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I'm facing the following issue when using the ACME. Any idea?

Sign Alarm: The client lacks sufficient authorization, There was an invalid response from <domain>

 

Thanks

Usually this is a bad config of your webroot, as far as I remember. I got it once. You can post a message on the Let's Encrypt forum.
I can try to do some research.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The issue was on the SAN I was using, so the validation was going not to the Expressway but to the domain itself. I've changed the alternative name to make it exactly the same as the DNS public name for the expe and everything is ok now.
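
The check behind the accepted solution, as an added example that is not part of the original thread: before asking ACME to sign, look up every name in the CSR (CN and each SAN) and confirm it resolves only to the Expressway's public address. The hostnames, addresses, status labels and function names below are constructed assumptions.

```python
import socket


def resolve_a(name):
    """Return the IPv4 addresses DNS gives for name (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def preflight(names, expressway_ips, resolver=resolve_a):
    """Classify every name in the CSR (CN and each SAN) before requesting signing."""
    expected = set(expressway_ips)
    report = {}
    for name in names:
        addrs = set(resolver(name))
        if not addrs:
            report[name] = "NO_A_RECORD"   # the CA's A-record lookup would fail
        elif addrs - expected:
            report[name] = "OTHER_HOST"    # validation would reach a different server
        else:
            report[name] = "OK"
    return report


# Constructed sample data (documentation address ranges), not from the thread.
SAMPLE_ZONE = {
    "expe.example.com": {"203.0.113.10"},   # assumed public name of the Expressway
    "example.com": {"198.51.100.5"},        # the bare domain, served elsewhere
}
SAMPLE_EXPRESSWAY_IPS = {"203.0.113.10"}    # assumed public (NAT) address


def sample_resolver(name):
    """Offline stand-in for DNS that answers from SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, set())


def demo():
    names = ["expe.example.com", "example.com", "collab.example.com"]
    return preflight(names, SAMPLE_EXPRESSWAY_IPS, resolver=sample_resolver)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:22} {status}")
```

Run it from a machine that uses public DNS, calling `preflight` without the `resolver` argument, so the answers match what the CA sees rather than an internal split-horizon view.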