AcmeClient domain validation failed (dns01)

Started by bulmaro, January 16, 2025, 04:08:16 PM

Good day,
Dear friends, does anyone have a reference to the error when renewing the certificate that can guide me where the problem is? My domain is in Azure and it sends me the following error.


config AcmeClient: validation for certificate failed: app.divitsa.org
config AcmeClient: domain validation failed (dns01)
config AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_azure' --dnssleep '900' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/67853b84971958.81603023' --certpath '/var/etc/acme-client/certs/67853b84971958.81603023/cert.pem' --keypath '/var/etc/acme-client/keys/67853b84971958.81603023/private.key' --capath '/var/etc/acme-client/certs/67853b84971958.81603023/chain.pem' --fullchainpath '/var/etc/acme-client/certs/67853b84971958.81603023/fullchain.pem' --domain 'app.divitsa.org' --days '1' --keylength '4096' --accountconf '/var/etc/acme-client/accounts/6331cb79e2fe77.05571626_prod/account.conf''
2025-01-16T00:00:05-06:00 config AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_azure' --dnssleep '900' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/67853b84971958.81603023' --certpath '/var/etc/acme-client/certs/67853b84971958.81603023/cert.pem' --keypath '/var/etc/acme-client/keys/67853b84971958.81603023/private.key' --capath '/var/etc/acme-client/certs/67853b84971958.81603023/chain.pem' --fullchainpath '/var/etc/acme-client/certs/67853b84971958.81603023/fullchain.pem' --domain 'app.divitsa.org' --days '1' --keylength '4096' --accountconf '/var/etc/acme-client/accounts/6331cb79e2fe77.05571626_prod/account.conf'
config AcmeClient: using challenge type: app.divitsa.org
config AcmeClient: account is registered: app.divitsa.org
config AcmeClient: using CA: letsencrypt
config AcmeClient: issue certificate: app.divitsa.org
config AcmeClient: certificate must be issued/renewed: app.divitsa.org


I appreciate your attention and your valuable comments.

Enhance the log level to get more details. The first debug level should be sufficient.

With pleasure, I attach the log.

Process Line
acme.sh [Thu Jan 16 09:58:16 CST 2025] Skipping dns.
acme.sh [Thu Jan 16 09:58:16 CST 2025] dns_entries
acme.sh [Thu Jan 16 09:58:16 CST 2025] _clearupdns
acme.sh [Thu Jan 16 09:58:16 CST 2025] No need to restore nginx config, skipping.
acme.sh [Thu Jan 16 09:58:16 CST 2025] pid
#define WITH_DEFAULT_IPV 4
#define WITH_MSGLEVEL 0 /*debug*/
#undef WITH_DEVTESTS
#define WITH_RETRY 1
#define WITH_FILAN 1
#define WITH_SYCLS 1
#define WITH_LIBWRAP 1
#undef WITH_FIPS
#define WITH_OPENSSL 1
#define WITH_PTY 1
#undef WITH_TUN
#undef WITH_READLINE
#define WITH_EXEC 1
#define WITH_SHELL 1
#define WITH_SYSTEM 1
#define WITH_PROXY 1
#undef WITH_NAMESPACES
#undef WITH_VSOCK
#define WITH_SOCKS5 1
#define WITH_SOCKS4A 1
#define WITH_SOCKS4 1
#undef WITH_POSIXMQ
#define WITH_LISTEN 1
#define WITH_UDPLITE 1
#define WITH_DCCP 1
#define WITH_SCTP 1
#define WITH_UDP 1
#define WITH_TCP 1
#undef WITH_INTERFACE
#define WITH_GENERICSOCKET 1
#define WITH_RAWIP 1
#define WITH_IP6 1
#define WITH_IP4 1
#undef WITH_ABSTRACT_UNIXSOCKET
#define WITH_UNIX 1
#define WITH_SOCKETPAIR 1
#define WITH_PIPE 1
#define WITH_TERMIOS 1
#define WITH_GOPEN 1
#define WITH_CREAT 1
#define WITH_FILE 1
#define WITH_FDNUM 1
#define WITH_STDIO 1
#define WITH_STATS 1
#define WITH_HELP 1
features:
running on FreeBSD version FreeBSD 14.1-RELEASE-p6 stable/24.7-n267992-a8a728bd015 SMP, release 14.1-RELEASE-p6, machine amd64
socat version 1.8.0.2 on Jan 14 2025 04:21:34
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat:
nginx doesn't exist.
nginx:
Apache doesn't exist.
Apache:
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
openssl:openssl
acme.sh [Thu Jan 16 09:58:16 CST 2025] Diagnosis versions:
acme.sh [Thu Jan 16 09:58:16 CST 2025] code='200'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _ret='0'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.O1MuR91naF -g '
acme.sh [Thu Jan 16 09:58:16 CST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall/749077297/461580502235/HxpFMQ'
acme.sh [Thu Jan 16 09:58:16 CST 2025] POST
acme.sh [Thu Jan 16 09:58:16 CST 2025] payload='{}'
acme.sh [Thu Jan 16 09:58:16 CST 2025] url='https://acme-v02.api.letsencrypt.org/acme/chall/749077297/461580502235/HxpFMQ'
acme.sh [Thu Jan 16 09:58:16 CST 2025] =======Sending Signed Request=======
acme.sh [Thu Jan 16 09:58:16 CST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
acme.sh [Thu Jan 16 09:58:16 CST 2025] Please add '--debug' or '--log' to see more information.
acme.sh [Thu Jan 16 09:58:16 CST 2025] _on_issue_err
acme.sh [Thu Jan 16 09:58:16 CST 2025] Error adding TXT record to domain: _acme-challenge.app.divitsa.org
acme.sh [Thu Jan 16 09:58:16 CST 2025] invalid domain
acme.sh [Thu Jan 16 09:58:16 CST 2025] Invalid domain
acme.sh [Thu Jan 16 09:58:16 CST 2025] Access denied. Invalid access token. Make sure your Azure settings are correct. See: https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS
acme.sh [Thu Jan 16 09:58:16 CST 2025] http response code 401
acme.sh [Thu Jan 16 09:58:16 CST 2025] ret='0'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.O1MuR91naF -g '
acme.sh [Thu Jan 16 09:58:16 CST 2025] timeout=
acme.sh [Thu Jan 16 09:58:16 CST 2025] url='https://management.azure.com/subscriptions/7de7dace-98f9-40fe-82f1-3973906af976/providers/Microsoft.Network/dnszones?$top=500&api-version=2017-09-01'
acme.sh [Thu Jan 16 09:58:16 CST 2025] GET
acme.sh [Thu Jan 16 09:58:16 CST 2025] https://management.azure.com/subscriptions/7de7dace-98f9-40fe-82f1-3973906af976/providers/Microsoft.Network/dnszones?$top=500&api-version=2017-09-01
acme.sh [Thu Jan 16 09:58:16 CST 2025] Using provided bearer token
acme.sh [Thu Jan 16 09:58:16 CST 2025] You didn't ask to use Azure managed identity, checking service principal credentials or provided bearer token
acme.sh [Thu Jan 16 09:58:16 CST 2025] Adding TXT value: oTGm7zYcg0nkrUmEBDQcKItKYRFPEiGNC840ZueR0oM for domain: _acme-challenge.app.divitsa.org
acme.sh [Thu Jan 16 09:58:16 CST 2025] Found domain API file: /usr/local/share/examples/acme.sh/dnsapi/dns_azure.sh
acme.sh [Thu Jan 16 09:58:16 CST 2025] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_azure.sh'
acme.sh [Thu Jan 16 09:58:16 CST 2025] txt='oTGm7zYcg0nkrUmEBDQcKItKYRFPEiGNC840ZueR0oM'
acme.sh [Thu Jan 16 09:58:16 CST 2025] txtdomain='_acme-challenge.app.divitsa.org'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _d_alias
acme.sh [Thu Jan 16 09:58:16 CST 2025] d='app.divitsa.org'
acme.sh [Thu Jan 16 09:58:16 CST 2025] vlist='app.divitsa.org#ILsVJJkTe4HmNiCpE3U5fOsZ7nNALUvcVfz8baaRx3A.jvp-YTkTNLAG5bwD7XAediXLYq-f13aP8pmZUWKp0u0#https://acme-v02.api.letsencrypt.org/acme/chall/749077297/461580502235/HxpFMQ#dns-01#dns_azure#https://acme-v02.api.letsencrypt.org/acme/authz/749077297/461580502235,'
acme.sh [Thu Jan 16 09:58:16 CST 2025] d
acme.sh [Thu Jan 16 09:58:16 CST 2025] dvlist='app.divitsa.org#ILsVJJkTe4HmNiCpE3U5fOsZ7nNALUvcVfz8baaRx3A.jvp-YTkTNLAG5bwD7XAediXLYq-f13aP8pmZUWKp0u0#https://acme-v02.api.letsencrypt.org/acme/chall/749077297/461580502235/HxpFMQ#dns-01#dns_azure#https://acme-v02.api.letsencrypt.org/acme/authz/749077297/461580502235'
acme.sh [Thu Jan 16 09:58:16 CST 2025] keyauthorization='ILsVJJkTe4HmNiCpE3U5fOsZ7nNALUvcVfz8baaRx3A.jvp-YTkTNLAG5bwD7XAediXLYq-f13aP8pmZUWKp0u0'
acme.sh [Thu Jan 16 09:58:16 CST 2025] uri='https://acme-v02.api.letsencrypt.org/acme/chall/749077297/461580502235/HxpFMQ'
acme.sh [Thu Jan 16 09:58:16 CST 2025] token='ILsVJJkTe4HmNiCpE3U5fOsZ7nNALUvcVfz8baaRx3A'
acme.sh [Thu Jan 16 09:58:16 CST 2025] entry='"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/749077297/461580502235/HxpFMQ","status":"pending","token":"ILsVJJkTe4HmNiCpE3U5fOsZ7nNALUvcVfz8baaRx3A"'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/749077297/461580502235'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _currentRoot='dns_azure'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _w='dns_azure'
acme.sh [Thu Jan 16 09:58:16 CST 2025] Getting webroot for domain='app.divitsa.org'
acme.sh [Thu Jan 16 09:58:16 CST 2025] d='app.divitsa.org'
acme.sh [Thu Jan 16 09:58:16 CST 2025] code='200'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _ret='0'
acme.sh [Thu Jan 16 09:58:16 CST 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.O1MuR91naF -g '
acme.sh [Thu Jan 16 09:58:16 CST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/749077297/461580502235'
acme.sh [Thu Jan 16 09:58:16 CST 2025] POST
acme.sh [Thu Jan 16 09:58:16 CST 2025] payload
acme.sh [Thu Jan 16 09:58:16 CST 2025] url='https://acme-v02.api.letsencrypt.org/acme/authz/749077297/461580502235'
acme.sh [Thu Jan 16 09:58:16 CST 2025] =======Sending Signed Request=======
acme.sh [Thu Jan 16 09:58:16 CST 2025] STEP 2, Get the authorizations of each domain
acme.sh [Thu Jan 16 09:58:15 CST 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/749077297/344993387015'
acme.sh [Thu Jan 16 09:58:15 CST 2025] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/749077297/344993387015'
acme.sh [Thu Jan 16 09:58:15 CST 2025] code='201'
acme.sh [Thu Jan 16 09:58:15 CST 2025] _ret='0'
acme.sh [Thu Jan 16 09:58:15 CST 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.O1MuR91naF -g '
acme.sh [Thu Jan 16 09:58:15 CST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
acme.sh [Thu Jan 16 09:58:15 CST 2025] POST
acme.sh [Thu Jan 16 09:58:15 CST 2025] _ret='0'
acme.sh [Thu Jan 16 09:58:15 CST 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.O1MuR91naF -g -I '
acme.sh [Thu Jan 16 09:58:15 CST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
acme.sh [Thu Jan 16 09:58:15 CST 2025] HEAD
acme.sh [Thu Jan 16 09:58:15 CST 2025] RSA key
acme.sh [Thu Jan 16 09:58:15 CST 2025] payload='{"identifiers": [{"type":"dns","value":"app.divitsa.org"}]}'
acme.sh [Thu Jan 16 09:58:15 CST 2025] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
acme.sh [Thu Jan 16 09:58:15 CST 2025] =======Sending Signed Request=======
acme.sh [Thu Jan 16 09:58:15 CST 2025] STEP 1, Ordering a Certificate
acme.sh [Thu Jan 16 09:58:15 CST 2025] d
acme.sh [Thu Jan 16 09:58:15 CST 2025] Getting domain auth token for each domain
acme.sh [Thu Jan 16 09:58:14 CST 2025] Single domain='app.divitsa.org'
acme.sh [Thu Jan 16 09:58:14 CST 2025] _createcsr
acme.sh [Thu Jan 16 09:58:14 CST 2025] Read key length: 4096
acme.sh [Thu Jan 16 09:58:14 CST 2025] _saved_account_key_hash was not changed, skipping account registration.
acme.sh [Thu Jan 16 09:58:14 CST 2025] d
acme.sh [Thu Jan 16 09:58:14 CST 2025] _currentRoot='dns_azure'
acme.sh [Thu Jan 16 09:58:14 CST 2025] Checking for domain='app.divitsa.org'
acme.sh [Thu Jan 16 09:58:14 CST 2025] d='app.divitsa.org'
acme.sh [Thu Jan 16 09:58:14 CST 2025] Le_LocalAddress
acme.sh [Thu Jan 16 09:58:14 CST 2025] _chk_alt_domains
acme.sh [Thu Jan 16 09:58:14 CST 2025] _chk_main_domain='app.divitsa.org'
acme.sh [Thu Jan 16 09:58:14 CST 2025] _on_before_issue
acme.sh [Thu Jan 16 09:58:14 CST 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
acme.sh [Thu Jan 16 09:58:14 CST 2025] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
acme.sh [Thu Jan 16 09:58:14 CST 2025] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf'
acme.sh [Thu Jan 16 09:58:14 CST 2025] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
acme.sh [Thu Jan 16 09:58:14 CST 2025] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
acme.sh [Thu Jan 16 09:58:14 CST 2025] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
acme.sh [Thu Jan 16 09:58:14 CST 2025] ACME_NEW_AUTHZ
acme.sh [Thu Jan 16 09:58:14 CST 2025] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
acme.sh [Thu Jan 16 09:58:14 CST 2025] ret='0'
acme.sh [Thu Jan 16 09:58:14 CST 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.EDqdI6w5Hq -g '
acme.sh [Thu Jan 16 09:58:14 CST 2025] timeout=
acme.sh [Thu Jan 16 09:58:14 CST 2025] url='https://acme-v02.api.letsencrypt.org/directory'
acme.sh [Thu Jan 16 09:58:14 CST 2025] GET
acme.sh [Thu Jan 16 09:58:14 CST 2025] _init API for server: https://acme-v02.api.letsencrypt.org/directory
acme.sh [Thu Jan 16 09:58:14 CST 2025] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
acme.sh [Thu Jan 16 09:58:14 CST 2025] Le_NextRenewTime
acme.sh [Thu Jan 16 09:58:14 CST 2025] DOMAIN_PATH='/var/etc/acme-client/cert-home/67853b84971958.81603023/app.divitsa.org'
acme.sh [Thu Jan 16 09:58:14 CST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
acme.sh [Thu Jan 16 09:58:14 CST 2025] Using config home: /var/etc/acme-client/home
acme.sh [Thu Jan 16 09:58:14 CST 2025] _alt_domains='no'
acme.sh [Thu Jan 16 09:58:14 CST 2025] _main_domain='app.divitsa.org'
acme.sh [Thu Jan 16 09:58:14 CST 2025] Running cmd: issue
acme.sh [Thu Jan 16 09:58:14 CST 2025] Using server: https://acme-v02.api.letsencrypt.org/directory

Some authentication problem it seems:
Quote:
acme.sh    [Thu Jan 16 09:58:16 CST 2025] Error adding TXT record to domain: _acme-challenge.app.divitsa.org
acme.sh    [Thu Jan 16 09:58:16 CST 2025] invalid domain
acme.sh    [Thu Jan 16 09:58:16 CST 2025] Invalid domain
acme.sh    [Thu Jan 16 09:58:16 CST 2025] Access denied. Invalid access token. Make sure your Azure settings are correct. See: https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS
acme.sh    [Thu Jan 16 09:58:16 CST 2025] http response code 401

Thanks for the comment. I tried a different way, deleting the access account and recreating a new one in the Azure portal, but I was unsuccessful. Any further guidance you can give me on this problem would be welcome.

The ACME client complains that the API token is invalid.

So go to the Azure portal and verify the API key. Possibly it's limited to a certain source IP? Or it's expired.

Or just generate a new API key and update the ACME challenge with it.
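An added offline check that is not part of acme.sh or the OPNsense ACME plugin: the log shows acme.sh using a provided bearer token against management.azure.com and getting 401, which is what an expired token or a token minted for another audience produces, so decoding the token's claims before re-running the issue job tells you which of the two it is. It assumes POSIX sh with sed and a base64 that accepts -d; the three tokens are constructed, unsigned samples.

```shell
#!/bin/sh
# Added diagnostic, not part of acme.sh or the OPNsense ACME plugin.
# Decodes the payload of an Azure bearer token (a JWT) and reports why
# management.azure.com may answer 401: wrong audience or expired token.
# Assumes POSIX sh with sed and a base64 that understands -d (GNU/BSD).

# base64url -> padded base64 -> decoded bytes
_b64url_decode() {
  _s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_s} % 4 )) in
    1) return 1 ;;          # impossible length for base64url
    2) _s="${_s}==" ;;
    3) _s="${_s}=" ;;
  esac
  printf '%s' "$_s" | base64 -d 2>/dev/null
}

# Pull one string or number claim out of the flat JWT payload JSON
_claim() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# check_azure_token TOKEN [NOW_EPOCH]
# exit 0 = usable for Azure Resource Manager, 1 = wrong audience,
# 2 = expired, 3 = not a decodable JWT. NOW_EPOCH lets callers pin "now".
check_azure_token() {
  _tok=$(printf '%s' "$1" | sed 's/^Bearer //')
  _json=$(_b64url_decode "$(printf '%s' "$_tok" | cut -d. -f2)") || return 3
  [ -n "$_json" ] || return 3
  _aud=$(_claim "$_json" aud); _exp=$(_claim "$_json" exp)
  _now=${2:-$(date +%s)}
  case "$_aud" in
    https://management.azure.com/|https://management.azure.com|https://management.core.windows.net/) ;;
    *) echo "audience '${_aud:-<none>}' is not Azure Resource Manager"; return 1 ;;
  esac
  if [ -z "$_exp" ] || [ "$_exp" -le "$_now" ]; then
    echo "token expired at ${_exp:-<none>} (now $_now)"; return 2
  fi
  echo "token ok: appid=$(_claim "$_json" appid) expires $_exp"
}

# Constructed sample tokens (unsigned, "alg":"none") for demonstration only
_b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
_hdr=$(_b64url '{"alg":"none","typ":"JWT"}')
GOOD_TOKEN="$_hdr.$(_b64url '{"aud":"https://management.azure.com/","appid":"00000000-0000-0000-0000-000000000001","exp":1737104400}').x"
EXPIRED_TOKEN="$_hdr.$(_b64url '{"aud":"https://management.azure.com/","appid":"00000000-0000-0000-0000-000000000001","exp":1736899200}').x"
WRONG_AUD_TOKEN="Bearer $_hdr.$(_b64url '{"aud":"https://graph.microsoft.com","exp":1737104400}').x"

for _t in "$GOOD_TOKEN" "$EXPIRED_TOKEN" "$WRONG_AUD_TOKEN"; do
  check_azure_token "$_t" 1737043200 || true   # 1737043200 = 2025-01-16T16:00:00Z
done
```

Feed it the token the plugin hands to acme.sh (exit code 1 or 2 points at the Azure app registration or its secret/token lifetime, not at the DNS zone itself).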