Troubleshooting

Troubleshooting

This is a very preliminary document, but hopefully will help address some common problems that have been seen in tickets for ACMESharp and the related simple client.

1. Domain validation fails using the HTTP (or DVSNI in the future) methods. Make sure your you have your local firewall ports opened up, port 80 for HTTP and 443 for SSL (DVSNI) to the outside world. Also make sure that perimeter security is opened up as well, such as Security Groups in AWS or Azure. Finally, the MIME type that is returned as part of the response challenge is very important for the challenge to be satisfied, and must either be completely absent or be equal to the type text/json. Related tickets: #64

   • Submitting Challenge Reponse returns "Unexepcted Error" or some other error.** Please see above.

2. Domain validation fails using the DNS method. The mechanics of the DNS challenge method have evolved in the ACME specification and because of that, the earlier (legacy) support for DNS was taken out of the Let's Encrypt STAGING and BETA/PROD services until it could be updated to match the latest ACME specification changes. Related tickets: #67

3. Getting an error such as "Retrieving the COM class factory for component with CLSID..." This is can happen when using the OpenSSL library PKI provider to manage certs and using the wrong library version for your system architecture (32-bit vs 64-bit). Make sure to use the latest version of the library/client and this should not happen any more.

4. Unable to resubmit challenge that has failed. This is by design with the ACME protocol that governs how clients talk to servers (e.g. the Let's Encrypt CA). Once a Challenge Response is submitted, the Challenge status is permanently transitioned to either valid or invalid and cannot be repeated. Instead create a new Identifier Authorization request for the same DNS name and complete the process anew.

---

A useful tool to help troubleshoot DNS challenges: https://unboundtest.com/