Requesting SSL certificate, updated DNS records not found for ACME challenge

brainchild

Autorenewal of SSL certificates, through Let's Encrypt, stopped working for a web site operating under aaPanel.

According to one source, a recent software change in aaPanel leads to a problem, that requires old certificates to be removed, and new ones requested.

I removed SSL from the web site, and then requested a new certificate, through the ACME client, from Let's Encrypt.

I am using DNS verification, with manual record entry, and automatic combination of "pan-domain names".

I updated records on the name server three days ago. Now, every host, including the local host running aaPanel, is now receiving the new value, in answers to queries, for the subdomain _acme-challenge.

Yet, attempting to request a new certificate in aaPanel, invoking the ACME client, the following messages is displayed:

"A wrong TXT record was found on ['_acme-challenge.<mydomain>']: ['<old_challenge>'], please check whether the TXT resolution is correct, if it is applied by DNSAPI, please try again in 10 minutes! "

The message is embedded into a larger JSON-encoded data structure. The structure has fields both for the new and old values, of the challenge string, and it shows the old value as still being retrieved, from the queries to the name server, even though actual queries are now answered always with the new value.

Again, the updates in the records on the name server were completed three days ago, and all hosts, even the one running aaPanel, is retrieving the new value, for example, when tested with dig.

How can aaPanel be forced to recognize the new, updated value, already definitely propagated across the name servers?

aaPanel_Kern

Hello,
Is there any TXT record added for verification? Currently, if the Let's Encrypt order is not completed, the old order will be automatically used

brainchild

aaPanel_Kern

When I initiate the process for requesting a certificate, the interface shows me the records I must set.

I have set both the required and optional records. The required record is type TXT, for domain _acme-challenge.<mydomain>. I confirm that the value returned in answers to actual queries is the new value, currently being shown in the interface.

However, the error message claims that the value returned is an old value, which has not been propagated in over three days, and is not being shown in any answers to actual queries performed as tests.

aaPanel_Kern

Hi, can you give us your aapanel information? The server makes a snapshot backup first, if possible, please send it to kern@aapanel.com.
It is recommended to fill in the following
Post link:
SSH IP address, account password and port:
aapanel login link address and account password:
Detailed problem description:

No post link will not be able to know which user's information is, and the problem will not be processed

brainchild

aaPanel_Kern

Would you please clarify your request?

I cannot give anyone access to the host.

aaPanel_Kern

Hello,
Where are the TXT records added? Will they take effect?

https://dnschecker.org/all-dns-records-of-domain.php

brainchild

aaPanel_Kern

I have verified that records have been propagated.

aaPanel_Kern

Hello,
Try to add a subdomain of the same domain on this site such as: aa.xxx.com and select "pan-domain names". Is it normal to apply for SSL in the end?

brainchild

aaPanel_Kern

The domain purchased from the registrar is set to resolve to a different host. The host resolved for this main domain is not depending on an ACME client to be issued a certificate.

The host running aaPanel is resolved for several different subdomains of the same main domain purchased from the registrar.

Since the pan-domain feature is enabled, all the subdomains are sharing the same certificate. However, the certificate has expired, because it was not properly renewed automatically.

I have removed the certificate from one of the subdomains, within aaPanel, and am trying to install a new certificate, which should be issued successfully, now that the new challenge key has bee propagated in the name server.

brainchild

aaPanel_Kern

Do you have any other recommendation?

It would seem awkward to create a further subdomain to the domain that is already a subdomain.

Should I remove the certificate for the other subdomains served by the same instance of aaPanel? Is it possible that the old certificate is interfering with requesting a new certificate (even though the error message is not appropriate for the actual scenario)?

aaPanel_Kern

Hello,
Is it okay to add a new subdomain, a subdomain under the same domain, and then apply? Is the new TXT record displayed?

brainchild

aaPanel_Kern

Would the "new subdomain" be at the same level as the current subdomain (for which the certificate request is failing), or one level down?

aaPanel_Kern

brainchild
It is recommended that you provide screenshots, and there is no key information that cannot be judged.
If you are *.xxx.com, use dd.xxx.com

brainchild

aaPanel_Kern

If the domain with the problems is www.mydomain.com, should the new domain for testing be test.mydomain.com, or test.www.mydomain.com?

Presently, the website is provisioned for domain www.mydomain.com. The same configuration previously was attached both to domains www.mydomain.com and mydomain.com, but the latter, the main domain, was removed from the configuration and moved to a different host. Could this modification be the cause of problems?

aaPanel_Kern

test.mydomain.com
New orders will take effect as long as the domain name is different

brainchild