Incorrect TXT record found

Hello everyone, I’m new here and have an issue with acme-dns DNS API. I’m trying to get a cert for rdsgw3.usfbreastresearch.org. I run the test and it passes. However, when I try to get the cert, I get a message that there is an incorrect TXT found at _acme-challenge.rdsgw3.usfbreastresearch.org. I have tried entering the TXT value as: 1b3cf9b7-5acd-4d7e-8721-6023c3dd0ddd.auth.acme-dns.io and as: 1b3cf9b7-5acd-4d7e-8721-6023c3dd0ddd. Neither seems to work for me. My domain and DNS admin app are at Register.com. Note, I don’t have a web server, instead I want to use this cert on an RDS/Terminal Services server. Can anyone help by suggesting where I’m going wrong?

Thank you,

Jeff King

Hi,

So when you are using acme-dns, on the first use (for each domain) it will register with the acme-dns server and the request will stop; in the log file you will see a message asking you to create a CNAME pointing to the acme-dns server (in your case pointing to 1b3cf9b7-5acd-4d7e-8721-6023c3dd0ddd.auth.acme-dns.io).

This creates a redirection (CNAME) which Let’s Encrypt will follow, then your actual DNS challenge response is handled by the acme-dns server.

You have accidentally added the record as a TXT record instead of adding it as a CNAME. Delete the TXT record in your DNS records, then add the CNAME.

Then hit ‘Request Certificate’ in Certify again (Test currently only checks it can talk to the acme-dns server, not that your domain is configured).

Thanks for the response. As you recommended, this is what I used for the CNAME:

Alias:
_acme-challenge.rdsgw3.usfbreastresearch.org

Host Name:
1b3cf9b7-5acd-4d7e-8721-6023c3dd0ddd.auth.acme-dns.io

If I understand, I now must wait for the system to add the TXT entry automatically. Is this correct? Or do I also have to add that TXT manually?

Thank you,

Jeff King

Hi Jeff,

Great, that looks good, and checking with the Linux dig command (dig -t TXT _acme-challenge.rdsgw3.usfbreastresearch.org) shows that the CNAME is redirecting to the acme-dns server and it is in turn serving the TXT response. So that’s all working.

Now when you hit ‘Request Certificate’ in Certify the app will get the latest challenge value from Let’s Encrypt then update the acme-dns server automatically. Let’s Encrypt will then check the TXT record has been set correctly and if so domain validation is complete and the certificate will be issued.

You can either click ‘Request Certificate’ manually or wait until the system tries to renew the cert automatically, but as you have had various failures the automatic renewal will have backed off to only retry every 48 hours, so you’re better off just clicking the button this time. Once you have your cert renewing OK there is nothing more to do.

Incidentally, I got your feedback regarding registration emails not coming through: your @usf email is rejecting emails from our system because they are sent using SendGrid and somebody somewhere has added them to the SpamCop blacklist; that’s not something we can control, unfortunately.
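The two replies above describe what Let’s Encrypt actually looks up: it queries TXT for _acme-challenge.<domain>, follows the CNAME to the acme-dns name, and accepts the record set if any value equals base64url(SHA-256(key authorization)). The following is an added example for this thread, not Certify The Web or acme-dns code: an offline model of that lookup over constructed DNS records, using the names from the thread, which classifies the three states seen here (a TXT typed in by hand where the CNAME should be, a working delegation, and a CNAME that points at a different acme-dns registration than the one doing the updating). The "other-registration" name and the key authorizations are made up.

```python
"""
Offline model of the lookup Let's Encrypt performs for a dns-01 challenge
when _acme-challenge is delegated to acme-dns with a CNAME.

Added example for this thread; it is not Certify The Web or acme-dns code.
All DNS records below are constructed for illustration; nothing here
touches the network.
"""
import base64
import hashlib

CHALLENGE_NAME = "_acme-challenge.rdsgw3.usfbreastresearch.org"
ACME_DNS_NAME = "1b3cf9b7-5acd-4d7e-8721-6023c3dd0ddd.auth.acme-dns.io"
OTHER_ACME_DNS_NAME = "other-registration.auth.acme-dns.io"  # hypothetical


def dns01_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(keyAuthorization))
    with the '=' padding removed, which is always 43 characters."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def resolve_txt(zones: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs from `name` the way a validating resolver does and
    return (chain_of_names, txt_values_at_the_final_name)."""
    chain = [name]
    for _ in range(max_hops):
        rrsets = zones.get(name, {})
        if "CNAME" in rrsets:
            # A name that owns a CNAME carries no other data: the lookup
            # restarts at the target, so only the target's TXT is ever seen.
            name = rrsets["CNAME"][0]
            chain.append(name)
            continue
        return chain, list(rrsets.get("TXT", []))
    raise RuntimeError("CNAME chain longer than %d hops" % max_hops)


def diagnose(zones: dict, name: str, expected: str) -> str:
    """Classify what the validator would find at `name` for `expected`."""
    chain, txts = resolve_txt(zones, name)
    if expected in txts:
        return "ok"
    if len(chain) == 1:
        # Nothing was delegated: either a TXT was typed in by hand (holding
        # the acme-dns hostname, not a challenge value) or there is no record.
        return "txt-instead-of-cname" if txts else "no-record"
    # Delegation works, but acme-dns serves values written by a different
    # registration than the client that is asking for this certificate.
    return "wrong-registration"


# Constructed key authorizations ("token.thumbprint"); values are made up.
TOKEN_NOW = dns01_value("token-abc.thumbprint-xyz")
TOKEN_PREVIOUS = dns01_value("token-old.thumbprint-xyz")


def scenario_txt_typed_by_hand() -> str:
    """The first attempt in the thread: a TXT record at the challenge name
    whose value is the acme-dns hostname."""
    zones = {CHALLENGE_NAME: {"TXT": [ACME_DNS_NAME]}}
    return diagnose(zones, CHALLENGE_NAME, TOKEN_NOW)


def scenario_cname_delegated() -> str:
    """CNAME in place; acme-dns serves the two most recent values and the
    validator accepts the set because one of them matches."""
    zones = {
        CHALLENGE_NAME: {"CNAME": [ACME_DNS_NAME]},
        ACME_DNS_NAME: {"TXT": [TOKEN_NOW, TOKEN_PREVIOUS]},
    }
    return diagnose(zones, CHALLENGE_NAME, TOKEN_NOW)


def scenario_second_machine() -> str:
    """A second client with its own acme-dns registration updates a
    different subdomain, but the CNAME still points at the first one, so
    its value is never visible to the validator."""
    token_b = dns01_value("token-b.thumbprint-xyz")
    zones = {
        CHALLENGE_NAME: {"CNAME": [ACME_DNS_NAME]},
        ACME_DNS_NAME: {"TXT": [TOKEN_NOW, TOKEN_PREVIOUS]},
        OTHER_ACME_DNS_NAME: {"TXT": [token_b]},
    }
    return diagnose(zones, CHALLENGE_NAME, token_b)


if __name__ == "__main__":
    for scenario in (scenario_txt_typed_by_hand, scenario_cname_delegated,
                     scenario_second_machine):
        print(scenario.__name__, "->", scenario())
```

To run the same check against live DNS, replace the `zones` dict with real queries (for example `dig +short CNAME _acme-challenge.<domain>` followed by `dig +short TXT <target>`); the classification logic is unchanged.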

Thanks for all your help so far. When I click on Request Certificate, I get an error:

Incorrect TXT record “02_cdzfhQjeNdDMFx7mkrWAXwf5DyUrE07_khIC-Dvk” (and 1 more) found at _acme-challenge.rdsgw3.usfbreastresearch.org
2020-05-06 12:28:54.342 -04:00 [INF] DNS: Deleting TXT Record ‘_acme-challenge.rdsgw3.usfbreastresearch.org’, in Zone Id ‘’ using API provider ‘acme-dns DNS API’
2020-05-06 12:28:54.812 -04:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record “02_cdzfhQjeNdDMFx7mkrWAXwf5DyUrE07_khIC-Dvk” (and 1 more) found at _acme-challenge.rdsgw3.usfbreastresearch.org
2020-05-06 12:28:54.812 -04:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record “02_cdzfhQjeNdDMFx7mkrWAXwf5DyUrE07_khIC-Dvk” (and 1 more)

I’m not finding any TXT record created when I check my domain at Register.com. Is it possible they do not support the API and thus a TXT record is not automatically created?

In addition, I started by clicking New Certificate, so there is no old certificate on my workstation for it to renew. I assume I can run Certify on a workstation and it is not required to be run on my server. Is this correct as long as I use DNS verification?

Thanks again,

Jeff

Webprofusion,

I have Certify running on two VMs. The above messages are for one of those machines. I went to the other machine just now and it works! Since Certify runs in the background as a service, I assume it can’t be run on two machines at the same time… is this correct? Anyway, I have it working on one so I’ll continue to experiment with that one. Thanks again!

Jeff

Hi Jeff,

Ah, so the problem will be that the two machines are using different acme-dns accounts (your acme-dns account registration is done dynamically). Your CNAME can only point to one acme-dns redirection, and these are unique to the combination of domain and acme-dns registration.

I haven’t tried it but you should be able to copy the acme-dns configuration from the working machine to the other machine so they both use the same acme-dns registration (and therefore the CNAME redirection only points to one acme-dns redirection). Copy C:\ProgramData\Certify\acme-dns\

Regarding your other questions:

  • If using acme-dns, the TXT records are updated on the acme-dns server, which in turn is handling all the TXT record stuff for you; that’s why you have the CNAME redirecting to the acme-dns server, so you don’t have to constantly change your own DNS records and instead you’re delegating to the acme-dns server just for the acme-challenge record…

  • When using dns validation you can run the app on desktop or servers, it usually just depends where you then want to deploy the certificate you get - typically this is for a public IIS website running on a server but you can also deploy the certificate to all sorts of other services (via scripting or using the new Deployment Tasks in the upcoming v5).
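The reply above explains that each acme-dns registration is a separate account with its own subdomain, that the CNAME can point at only one of them, and that copying the stored registration to the second machine makes both update the same record. As an added example for this thread (not Certify The Web or acme-dns code), the block below plays that flow against an in-memory stand-in for the acme-dns server so it runs offline. The stand-in mirrors the shape of the real API as documented for acme-dns (POST /register returning username, password, subdomain and fulldomain; POST /update authenticated with X-Api-User and X-Api-Key headers; a 43-character txt value; the two most recent values kept per subdomain). The client class, the "machine A / machine B" objects and the registration dict layout are constructed for illustration and are not Certify’s on-disk format.

```python
"""
acme-dns registration and update flow against an in-memory stand-in server.

Added example for this thread; not Certify The Web or acme-dns code. The
stand-in mirrors the shape of the acme-dns HTTP API; everything else is
constructed for illustration.
"""
import secrets
import uuid
from typing import Optional


class FakeAcmeDns:
    """In-memory stand-in for an acme-dns server (constructed)."""

    def __init__(self, domain: str = "auth.acme-dns.io"):
        self.domain = domain
        self.accounts = {}  # username -> {"password": ..., "subdomain": ...}
        self.records = {}   # fulldomain -> [newest txt, previous txt]

    def register(self) -> dict:
        """POST /register: every call mints a new, unrelated account."""
        username, subdomain = str(uuid.uuid4()), str(uuid.uuid4())
        password = secrets.token_urlsafe(30)
        self.accounts[username] = {"password": password, "subdomain": subdomain}
        return {"username": username, "password": password, "subdomain": subdomain,
                "fulldomain": f"{subdomain}.{self.domain}", "allowfrom": []}

    def update(self, headers: dict, body: dict) -> tuple:
        """POST /update -> (status, json). Checks credentials, that the
        subdomain belongs to the account, and that txt is 43 characters."""
        acct = self.accounts.get(headers.get("X-Api-User", ""))
        if acct is None or not secrets.compare_digest(
                acct["password"], headers.get("X-Api-Key", "")):
            return 401, {"error": "forbidden"}
        if body.get("subdomain") != acct["subdomain"]:
            return 401, {"error": "forbidden"}
        txt = body.get("txt", "")
        if len(txt) != 43:
            return 400, {"error": "bad_txt"}
        fulldomain = f"{acct['subdomain']}.{self.domain}"
        # Keep the two most recent values, newest first.
        self.records[fulldomain] = [txt] + self.records.get(fulldomain, [])[:1]
        return 200, {"txt": txt}

    def lookup_txt(self, fulldomain: str) -> list:
        """What a validator sees when it queries TXT at the CNAME target."""
        return list(self.records.get(fulldomain, []))


class AcmeDnsClient:
    """Minimal client in the role Certify plays. `registration` is the
    persisted state the thread copies between machines (constructed shape)."""

    def __init__(self, server: FakeAcmeDns, registration: Optional[dict] = None):
        self.server = server
        self.registration = registration

    def ensure_registered(self) -> str:
        """First use: register and return the name the CNAME must point at."""
        if self.registration is None:
            self.registration = self.server.register()
        return self.registration["fulldomain"]

    def set_challenge(self, txt: str) -> bool:
        reg = self.registration
        status, _ = self.server.update(
            {"X-Api-User": reg["username"], "X-Api-Key": reg["password"]},
            {"subdomain": reg["subdomain"], "txt": txt})
        return status == 200


def two_machines(share_registration: bool) -> dict:
    """Machine A registers first and the admin points the CNAME at A's
    fulldomain. Machine B then either registers on its own or reuses a copy
    of A's registration. Returns what a validator would see for B's value."""
    server = FakeAcmeDns()
    machine_a = AcmeDnsClient(server)
    cname_target = machine_a.ensure_registered()
    machine_a.set_challenge("A" * 43)  # constructed 43-char value
    copied = dict(machine_a.registration) if share_registration else None
    machine_b = AcmeDnsClient(server, copied)
    b_target = machine_b.ensure_registered()
    machine_b.set_challenge("B" * 43)
    served = server.lookup_txt(cname_target)
    return {"same_fulldomain": b_target == cname_target,
            "b_value_visible": "B" * 43 in served, "served": served}


def auth_checks() -> tuple:
    """Statuses for a wrong key, a malformed txt value, and a good update."""
    server = FakeAcmeDns()
    reg = server.register()
    good = {"X-Api-User": reg["username"], "X-Api-Key": reg["password"]}
    bad = {"X-Api-User": reg["username"], "X-Api-Key": "wrong"}
    body = {"subdomain": reg["subdomain"]}
    return (server.update(bad, {**body, "txt": "x" * 43})[0],
            server.update(good, {**body, "txt": "too-short"})[0],
            server.update(good, {**body, "txt": "x" * 43})[0])


if __name__ == "__main__":
    print("separate registrations:", two_machines(False))
    print("shared registration:   ", two_machines(True))
```

With separate registrations the second machine's update succeeds (HTTP 200) yet is invisible at the CNAME target, which is exactly the "Incorrect TXT record" outcome; with the copied registration both machines write to the same fulldomain and the validator sees the newest value first. Because the registration holds the API password, copy it the way you would any credential, and note that acme-dns can restrict updates by source address via `allowfrom` at registration time.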

Hello,

I actually tried copying the configuration files last night and it worked great! I can use my desktop version to monitor and experiment, without needing to log onto the server. The server version will deploy to the certificate store (I think) when needed. I'll continue to learn the system and let you know if I run into any more issues.

Thank you,

Jeff

Great! Note that you can see what deployment plans to do in the Preview tab. Auto deployment (the default) stores the certificate in the certificate store and, if you have any matching IIS sites, deploys it to those (if not, it’s just stored).