Incorrect TXT record "" found at _acme-challenge.mydomain.com

Hi,

I’ve set up an ACME-DNS server and I’m trying to use it to validate a wildcard certificate through Certify The Web but it keeps failing. Test runs fine though. What am I doing wrong?

Here’s the DNS records for my domain:

A record auth -> 162.XXX.XXX.XXX
NS record auth -> auth.mydomain.com
CNAME record _acme-challenge -> auth.mydomain.com

And here’s the logs - https://pastebin.com/eQ1d4Bvg (it wouldn’t let me paste here because I’m a new user)

Hi, so it’s worth checking what your current DNS response for _acme-challenge.yourdomain.com is, using dig (on Linux, WSL or macOS). acme-dns is running as a simple DNS server, so your CNAME direction should just be redirecting to your acme-dns record and acme-dns should in turn be responding. An empty record is pretty weird; normally if it wasn’t found you’d get NXDOMAIN. Check you don’t also have a TXT record in your primary DNS zone (i.e. the one that’s hosting the CNAME) that might be confusing things.

If you need more help I’d need details of your domain so I can check the dig response etc.

Appreciate your response webprofusion! The only TXT record I have for the root domain is just simple SPF stuff. That shouldn’t cause issues right?

Here’s a Certify The Web log from latest attempt: https://pastebin.com/VdqEMe6p

Acme-dns log from the same cert request: https://pastebin.com/AKF1kbZC

Dig results using acme-dns to resolve, as well as Google dns: https://pastebin.com/ECb4yBVk

And because why not, here’s my acme-dns config.cfg file: https://pastebin.com/FzEiGygN (domain = “mydomain.com” used to be auth.mydomain.com but I noticed NXDOMAIN in acme-dns logs so I switched to just mydomain.com and now it’s all clear from the looks of it)

Thank you for your time!!

The dig answer section seems to say that _acme-challenge is a CNAME to auth.mydomain.com, it should be a CNAME to 3e6cd9c8-094f-4256-b838-9a082ee5d7a7.auth.mydomain.com (according to your previous log)

Your log:
acme-challenge.mydomain.com. 1798 IN CNAME auth.mydomain.com.

Here is a working example:

dig -t TXT _acme-challenge.webprofusion.com

_acme-challenge.webprofusion.com. 0 IN  CNAME   acd20f56-a473-4e13-ab42-1dceac04a4b0.auth.acme-dns.io.
acd20f56-a473-4e13-ab42-1dceac04a4b0.auth.acme-dns.io. 0 IN TXT "HdHx_pkl0SBsw_r0Z9jjqo2DQQklh1Obc4ThanUqPFI"

That worked, thank you! Although won’t the part before auth.mydomain.com change at next renewal?

The reason I used a CNAME to auth.mydomain.com was because I read on various sites and blogs that it would just forward the _acme-challenge request to ACME-DNS server which would provide the correct record. Is that wrong?

So your acme-dns server internally has a database of registered domains that are using it. This happens for each domain the first time you use it: each domain (or subdomain) will get a different something.auth.yourserver.com CNAME entry that you will have to set up the first time. Subsequent renewals use the same acme-dns registration details (stored under C:\ProgramData\Certify\acmedns) per domain.

It’s a pain to have to create each CNAME initially, but you don’t have to change them later (unless your acme-dns server was changed).

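As an added example (not code from the thread, Certify The Web or acme-dns), here is a small Python checker that follows the CNAME chain from _acme-challenge.<domain> in a dig answer section and confirms it ends at a TXT record, which is the difference between the broken and working setups discussed above. The answer text is constructed to mirror both cases, and the IP address and the per-registration fulldomain are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed dig answer section mirroring the broken setup from the thread:
# _acme-challenge is a CNAME straight to the acme-dns host, which has no TXT
# for that name, so the chain dead-ends instead of producing a challenge value.
BROKEN_ANSWER = """
_acme-challenge.mydomain.com. 1798 IN CNAME auth.mydomain.com.
auth.mydomain.com. 300 IN A 192.0.2.1
"""

# Constructed answer mirroring the working example: the CNAME targets the
# per-registration subdomain that acme-dns actually serves a TXT record for.
WORKING_ANSWER = """
_acme-challenge.mydomain.com. 0 IN CNAME 3e6cd9c8-094f-4256-b838-9a082ee5d7a7.auth.mydomain.com.
3e6cd9c8-094f-4256-b838-9a082ee5d7a7.auth.mydomain.com. 0 IN TXT "HdHx_pkl0SBsw_r0Z9jjqo2DQQklh1Obc4ThanUqPFI"
"""

# owner  ttl  IN  type  rdata   (only the record types relevant to the chain)
RR_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(CNAME|TXT|A)\s+(.+)$')


def parse_answer(text: str) -> Dict[Tuple[str, str], List[str]]:
    """Index answer lines as (owner, rtype) -> [rdata]; names lowercased, trailing dots and TXT quotes dropped."""
    table: Dict[Tuple[str, str], List[str]] = {}
    for line in text.strip().splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        value = rdata.strip().strip('"') if rtype == 'TXT' else rdata.strip().rstrip('.').lower()
        table.setdefault((owner.rstrip('.').lower(), rtype), []).append(value)
    return table


def check_challenge(answer: str, domain: str, max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """Follow CNAMEs from _acme-challenge.<domain>; return (TXT value or None, names visited)."""
    table = parse_answer(answer)
    name = f"_acme-challenge.{domain}".lower()
    path = [name]
    for _ in range(max_hops):          # bounded so a CNAME loop cannot spin forever
        txt = table.get((name, 'TXT'))
        if txt:
            return txt[0], path
        cname = table.get((name, 'CNAME'))
        if not cname:
            return None, path          # chain ended without a TXT: the "empty record" symptom
        name = cname[0]
        path.append(name)
    return None, path


def delegation_ok(answer: str, domain: str, fulldomain: str) -> bool:
    """True when the first CNAME hop is exactly the acme-dns registration's fulldomain."""
    first = parse_answer(answer).get((f"_acme-challenge.{domain}".lower(), 'CNAME'))
    return bool(first) and first[0] == fulldomain.rstrip('.').lower()
```

Paste the answer section of `dig -t TXT _acme-challenge.yourdomain.com` in place of the constructed text; a `None` result with a one-hop path is the misconfiguration described in the thread.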