Dns-01 verification with acme-dns

I am trying to renew a certificate in CertifyTheWeb, verified using dns-01 verification.

It’s my understanding of acme-dns that there needs to be a single CNAME DNS record pointing to the unique URL in acme?

When I run Test in CTW, it works, but no matter what I do, the Request Certificate fails with the following message:

Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.[domain here] - check that a DNS record exists for this domain

I cannot see anywhere that suggests I would need a TXT record as well. I have checked everything multiple times. I have tested the domain in https://letsdebug.net and I have manually checked and found the CNAME record using Network Tools: DNS,IP,Email

The DNS is in 123-reg, so doesn’t have an API, but I have not had this kind of issue before. As I said, this was meant to be a renewal, not a new certificate creation.

Below is latest run log with domain removed.

2021-06-18 15:56:12.776 +01:00 [INF] ---- Beginning Request [Site] ----
2021-06-18 15:56:12.776 +01:00 [INF] Certify/5.4.3.0 (Windows; Microsoft Windows NT 10.0.19041.0) 
2021-06-18 15:56:12.779 +01:00 [INF] Beginning Certificate Request Process: SJC using ACME Provider:Certes
2021-06-18 15:56:12.779 +01:00 [INF] Requested identifiers to include on certificate: [DOMAIN-NAME]
2021-06-18 15:56:12.779 +01:00 [INF] Beginning certificate order for requested domains
2021-06-18 15:56:12.779 +01:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2 
2021-06-18 15:56:13.961 +01:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/91144177/10480861481
2021-06-18 15:56:14.274 +01:00 [INF] Fetching Authorizations.
2021-06-18 15:56:15.490 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/14085810019/UxmPhQ
2021-06-18 15:56:16.122 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/14085810019/zBnivA
2021-06-18 15:56:16.122 +01:00 [INF] Attempting Domain Validation: [DOMAIN-NAME]
2021-06-18 15:56:16.123 +01:00 [INF] Registering and Validating [DOMAIN-NAME] 
2021-06-18 15:56:16.123 +01:00 [INF] Performing automated challenge responses ([DOMAIN-NAME])
2021-06-18 15:56:16.123 +01:00 [INF] DNS: Creating TXT Record '_acme-challenge.[DOMAIN-NAME]' with value '5X5eGHvnBj3Zj_IjirQOM5JWcs2LsUf0nTolEtBt9vs', in Zone Id '' using API provider 'acme-dns DNS API'
2021-06-18 15:56:16.521 +01:00 [INF] DNS: acme-dns DNS API :: Updated: _acme-challenge.[DOMAIN-NAME] :: f9958d79-7d5a-4afd-a4d2-0fc1fabf531e.auth.acme-dns.io
2021-06-18 15:56:16.521 +01:00 [INF] Requesting Validation: [DOMAIN-NAME]
2021-06-18 15:56:21.581 +01:00 [INF] Attempting Challenge Response Validation for Domain: [DOMAIN-NAME]
2021-06-18 15:56:21.581 +01:00 [INF] Registering and Validating [DOMAIN-NAME] 
2021-06-18 15:56:21.581 +01:00 [INF] Checking automated challenge response for Domain: [DOMAIN-NAME]
2021-06-18 15:56:22.112 +01:00 [WRN] Challenge response validation still pending. Re-checking [10]..
2021-06-18 15:56:23.933 +01:00 [INF] DNS problem: NXDOMAIN looking up TXT for _acme-challenge.[DOMAIN-NAME] - check that a DNS record exists for this domain
2021-06-18 15:56:25.197 +01:00 [INF] DNS: Deleting TXT Record '_acme-challenge.[DOMAIN-NAME]', in Zone Id '' using API provider 'acme-dns DNS API'
2021-06-18 15:56:25.811 +01:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.[DOMAIN-NAME] - check that a DNS record exists for this domain
2021-06-18 15:56:25.811 +01:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.[DOMAIN-NAME] - check that a DNS record exists for this domain
2021-06-18 15:56:25.811 +01:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.[DOMAIN-NAME] - check that a DNS record exists for this domain

Am I missing something really stupid?

You don’t need to create a TXT record because acme-dns is managing that for you. Let’s Encrypt ultimately needs to read a TXT record for DNS validation to work but acme-dns abstracts that via a CNAME so you don’t need to constantly update your own DNS.

I can’t tell if you have the right settings without knowing your domain but I think you generally have the right idea, so I’d suggest that something changed in your DNS and it’s not pointing to what you think it is.

For acme-dns (or using the new Certify DNS managed acme-dns service: https://docs.certifytheweb.com/docs/dns/providers/certifydns) the following happens:

  • each domain or subdomain has a one-time registration with the service. This tells you the CNAME to create, which will be in the form _acme-challenge.subdomain.domain.com pointing to a TXT record hosted by the acme-dns type service.

  • From then on, all requests/renewals for those domains in that managed certificate will update the acme-dns service, so it knows what the response would be whenever it is asked for that TXT record. Let’s Encrypt follows your CNAME record to the acme-dns service which then responds with the latest value as a TXT record.

Common issues:

  • Creating the CNAME in the wrong DNS zone (e.g. the domain's DNS is hosted elsewhere)
  • Creating something that’s not a CNAME (i.e. creating a TXT record instead)

I note that acme-dns is responding with the correct value:
dig -t TXT f9958d79-7d5a-4afd-a4d2-0fc1fabf531e.auth.acme-dns.io

outputs:

f9958d79-7d5a-4afd-a4d2-0fc1fabf531e.auth.acme-dns.io. 0 IN TXT "5X5eGHvnBj3Zj_IjirQOM5JWcs2LsUf0nTolEtBt9vs"
f9958d79-7d5a-4afd-a4d2-0fc1fabf531e.auth.acme-dns.io. 0 IN TXT "84zgblmINRx8yl3eWGbnEwAP_68ElKJlOv9YjtOVYzs"

Which is fine (acme-dns remembers the last 2 values so that wildcard DNS validation works).

So to get that to work you’d need a CNAME called _acme-challenge.subdomain.yourdomain.com in your domain DNS pointing to f9958d79-7d5a-4afd-a4d2-0fc1fabf531e.auth.acme-dns.io

I recommend checking TXT records with https://unboundtest.com/ as this closely mirrors the way Let’s Encrypt does validation.
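To make the mechanism in the reply above concrete, here is a small added model of how a CA resolves a delegated dns-01 challenge. It is not code from Certify The Web, acme-dns or the poster; the zone data is constructed, `example.com` is an assumed placeholder for the poster's domain, and only the acme-dns hostname and TXT values quoted earlier in the thread are taken from the page. It follows the CNAME to the acme-dns name, reads the TXT set there, and reproduces the two common failure modes listed above (CNAME in the wrong zone, which yields NXDOMAIN exactly as in the log, and a TXT record created instead of a CNAME).

```python
"""Model of CNAME-delegated dns-01 resolution (added example, not project code)."""
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]  # owner name -> [(rrtype, rdata), ...]

# acme-dns hostname and TXT values as quoted in the thread above.
ACME_DNS_HOST = "f9958d79-7d5a-4afd-a4d2-0fc1fabf531e.auth.acme-dns.io"
CURRENT_TOKEN = "5X5eGHvnBj3Zj_IjirQOM5JWcs2LsUf0nTolEtBt9vs"
PREVIOUS_TOKEN = "84zgblmINRx8yl3eWGbnEwAP_68ElKJlOv9YjtOVYzs"

# Constructed data: acme-dns keeps the last two values so wildcard + base
# name validation (two challenges on one name) both succeed.
ACME_DNS_RECORDS = [("TXT", CURRENT_TOKEN), ("TXT", PREVIOUS_TOKEN)]

# Correct setup: a single CNAME at _acme-challenge.<domain> pointing to acme-dns.
GOOD_ZONE: Zone = {
    "_acme-challenge.example.com": [("CNAME", ACME_DNS_HOST)],
    ACME_DNS_HOST: ACME_DNS_RECORDS,
}

# Common issue 1: the CNAME was created in a different zone, so the zone
# that is actually authoritative for example.com has no record at the name.
WRONG_ZONE: Zone = {
    "_acme-challenge.example.net": [("CNAME", ACME_DNS_HOST)],
    ACME_DNS_HOST: ACME_DNS_RECORDS,
}

# Common issue 2: a hand-typed TXT record instead of a CNAME. The name
# exists, but the value never reaches acme-dns, so it is stale on renewal.
TXT_NOT_CNAME: Zone = {
    "_acme-challenge.example.com": [("TXT", "value-typed-by-hand-last-time")],
    ACME_DNS_HOST: ACME_DNS_RECORDS,
}


def lookup_txt(zone: Zone, name: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Resolve TXT for `name`, chasing CNAMEs the way a validating resolver does.

    Returns (status, values) where status is NOERROR, NXDOMAIN (name does not
    exist at all, the case in the poster's log) or NODATA (name exists but
    holds no TXT).
    """
    for _ in range(max_hops):
        rrs = zone.get(name.lower())
        if rrs is None:
            return "NXDOMAIN", []
        cnames = [rdata for rrtype, rdata in rrs if rrtype == "CNAME"]
        if cnames:
            name = cnames[0]  # a CNAME excludes other types at the same name
            continue
        txts = [rdata for rrtype, rdata in rrs if rrtype == "TXT"]
        return ("NOERROR", txts) if txts else ("NODATA", [])
    raise RuntimeError("CNAME chain too long or loops")


def challenge_satisfied(zone: Zone, domain: str, token: str) -> bool:
    """True when the CA would find `token` among the TXT values it resolves."""
    status, values = lookup_txt(zone, f"_acme-challenge.{domain}")
    return status == "NOERROR" and token in values


def diagnose(zone: Zone, domain: str, token: str) -> str:
    """Map a failing setup onto the common issues listed in the reply."""
    name = f"_acme-challenge.{domain}"
    rrs = zone.get(name.lower())
    if rrs is None:
        return "NXDOMAIN: nothing at %s; CNAME missing or created in the wrong zone" % name
    if not any(rrtype == "CNAME" for rrtype, _ in rrs):
        return "no CNAME at %s; a TXT or other record was created instead" % name
    status, values = lookup_txt(zone, name)
    if status != "NOERROR":
        return "%s at CNAME target %s" % (status, rrs[0][1])
    if token not in values:
        return "CNAME target answers but does not hold the current token"
    return "OK"


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("wrong zone", WRONG_ZONE),
                        ("txt instead of cname", TXT_NOT_CNAME)):
        print(f"{label:22s} -> {diagnose(zone, 'example.com', CURRENT_TOKEN)}")
```

The NXDOMAIN versus NODATA distinction is the useful diagnostic: NXDOMAIN, as in the log above, means the authoritative zone has no record of any type at `_acme-challenge.<domain>`, so the CNAME the poster sees in a third-party lookup tool is not in the zone the CA is actually querying.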

Let’s Encrypt have confirmed a general problem using acme-dns (not Certify DNS) and are working on a fix with a downstream network provider (cloudflare).

Note that you can now enable Certify DNS (like acme-dns) for free during the beta phase via https://certifytheweb.com/ - to register for an account click Sign In, Create New Account, then when signed in click Enable Certify DNS on the License Keys tab.