The WaitAuthorization function in golang.org/x/crypto/acme/acme.go hides a lot of useful error messages when it decodes into a wireAuthz structure.

For example, the full response on a failed request for a DNS authorisation is:

{
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Correct value not found for DNS challenge",
    "status": 403
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/challengeuid",
  "token": "challengetoken",
  "keyAuthorization": "challengekey"
}

whereas the actual function returns the error message acme: authorization error for :.

For now, I think we'll need to fork and vendor the library ourselves. I'd like to look into upstreaming a fix for this however.