buypass dns01: incorrectResponse : Response received didn't match the challenge's requirements #4936

Closed
lukastribus opened this issue Dec 29, 2023 · 6 comments

Comments

@lukastribus

lukastribus commented Dec 29, 2023

Buypass delegated DNS01 challenge is failing for us (it worked fine before), so here is a reproducer:

Regular DNS01 challenge works fine.

Steps to reproduce

On a fresh Ubuntu 22.04 install:

apt install socat

curl https://get.acme.sh | sh -s [email protected]

cd .acme.sh/

./acme.sh --upgrade

./acme.sh --server https://api.buypass.com/acme/directory \
        --register-account  --accountemail [email protected]

export HE_Username='heusername'
export HE_Password='helongsecretpw'

./acme.sh --server buypass --issue --days 150 \
-d haveaniceday.example.org \
--challenge-alias ext-acme.example.net --dns dns_he --debug 2

Debug log

Too big to paste, GitHub limitation, posting on pastebin:

https://pastebin.com/raw/e0iLMa3h

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

@lukastribus
Author

Already done.

@kousyougi

same problem here

@lukastribus
Author

It appears it's working once again.

This was most likely a regression at Buypass introduced by the change from public to private resolver for the DNS01 challenge:

https://bugzilla.mozilla.org/show_bug.cgi?id=1872371
https://community.buypass.com/t/h7y3k4h/important-information-that-requires-immediate-action
https://community.buypass.com/t/q6y3f5v/due-to-maintenance-the-go-ssl-acme-solution-is-down

I will wait a few days before closing this issue.

For everyone that did not get the email notification from Buypass: Buypass certificates issued before December 22 12:00, 2023 will be revoked shortly (see above links).

@kousyougi

kousyougi commented Jan 3, 2024

same problem here

Tested, looks like fixed.

@lukastribus
Author

https://web.archive.org/web/20240103233755/https://community.buypass.com/t/35y31dp/faq-related-to-renewal-of-buypass-acme-go-ssl-certificates

Q: Why do we need to renew the certificates?

The reason for the need for renewal is that we recently were made aware that our systems used for domain validation and DNS lookups did not comply with certificate issuance requirements. Unfortunately, these requirements are not very specific and allow for interpretations. We have fixed the issue, but are required to revoke certificates affected by this.

[...]

Q: I'm using dns-01 domain validation with a delegated domain (CNAME). Why does the validation fail?

We are aware of an issue with this and are working to resolve it. We will come back with an update later.

Q: I’ve tried to renew my certificate, but get response ‘Too many pending authorizations’

Due to this issue, we decided, as a temporary measure to not allow for reuse of domain validations for certificate orders made after December 23. This measure made it necessary to create new domain authorizations for each certificate order and could end up with multiple (pending) authorizations that potentially blocked further orders. We will from January 2nd 2024 remove this temporary measure and allow to reuse domain validations completed after December 23rd.
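
Added example, not part of the thread and not acme.sh or Buypass code: an offline sketch of the comparison a dns-01 validator makes for the delegated (CNAME) setup in the reproducer, following `_acme-challenge.haveaniceday.example.org` to the alias zone and checking the TXT value defined in RFC 8555 section 8.4. The token, thumbprint and zone contents are constructed, the function names are hypothetical, and the CNAME target assumes acme.sh's `--challenge-alias` layout (`_acme-challenge.` prefixed to the alias).

```python
import base64
import hashlib

# Constructed ACME values for illustration; real ones come from the CA and account key.
SAMPLE_TOKEN = "constructed-token"
SAMPLE_THUMBPRINT = "constructed-thumbprint"

def dns01_txt_value(token, thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token "." thumbprint)), no padding."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def sample_zone(token, thumbprint):
    """Constructed records mirroring the reproducer's names (not real DNS data)."""
    return {
        "_acme-challenge.haveaniceday.example.org.":
            [("CNAME", "_acme-challenge.ext-acme.example.net.")],
        "_acme-challenge.ext-acme.example.net.":
            [("TXT", dns01_txt_value(token, thumbprint))],
    }

def resolve_challenge(zone, domain, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<domain>; return (chain, TXT values)."""
    name = f"_acme-challenge.{domain.rstrip('.').lower()}."
    chain = [name]
    for _ in range(max_hops):
        records = zone.get(name, [])
        targets = [value.lower() for rtype, value in records if rtype == "CNAME"]
        if not targets:
            return chain, [value for rtype, value in records if rtype == "TXT"]
        name = targets[0]
        if name in chain:
            raise ValueError("CNAME loop at " + name)
        chain.append(name)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)

def check_delegation(zone, domain, token, thumbprint):
    """Classify the record set the way a validator's comparison would see it."""
    chain, txts = resolve_challenge(zone, domain)
    if dns01_txt_value(token, thumbprint) in txts:
        return "ok", chain
    return ("TXT mismatch" if txts else "no TXT at end of chain"), chain

if __name__ == "__main__":
    zone = sample_zone(SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print(check_delegation(zone, "haveaniceday.example.org",
                           SAMPLE_TOKEN, SAMPLE_THUMBPRINT))
```

Run against answers collected from the authoritative name servers, the three outcomes separate a missing CNAME or stale TXT record on the operator's side from a failure that only the CA's resolver sees.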
