Renewal failure

Hi,

I see the following message:

Even if I have created the DNS record!

When testing, it says all OK!

Hi, Test will just check it can contact the DNS service (in this case acme-dns) to update the records OK, it will not check your CNAME redirection.

When Let’s Encrypt tries to validate your domain using DNS validation it looks to your DNS records for a record called `_acme-challenge.your.domain.com`. If it’s a TXT record it reads that value and checks it’s the expected challenge response. If it’s a CNAME record it follows that to whatever record that points to.

In the case of acme-dns (or Certify DNS, which is a cloud managed acme-dns implementation) when you first add each domain to your certificate and click ‘Request Certificate’ you will be prompted to create a CNAME record in your DNS zone pointing to a new record (generally this means using your DNS control panel with whoever hosts your domain’s DNS). In your case this should be pointing to a-unique-identifier.auth.acme-dns.io

You can test your DNS is setup ok using the unbound test tool: https://unboundtest.com/ and selecting TXT then entering your _acme-challenge.something.com record name to check.

In this scenario there are a few moving parts:

  • Your own DNS, which hosts the CNAME record pointing to an acme-dns hosted TXT record
  • The acme-dns service
  • Let’s Encrypt’s DNS validation process

To work out where the problem is you first need to check your own DNS is properly configured and that you can follow the CNAME through to the acme-dns TXT record.
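To check the chain the way the reply above describes, here is an added example (mine, not code from Certify The Web, acme-dns or this thread) that follows the CNAME from `_acme-challenge.<domain>` to the TXT record and says which of the three moving parts to inspect first. The lookup function, zone data and challenge token are constructed for the example; a real resolver (for instance dnspython) can be plugged in as the lookup to run it against live DNS.

```python
from typing import Callable, Dict, List, Tuple

# A lookup answers (name, rrtype) with the record values, or [] when the name
# has no such record. Swap in a real resolver (e.g. dnspython) to test live DNS.
Lookup = Callable[[str, str], List[str]]

# Which of the thread's "moving parts" each outcome points at.
HINTS = {
    "ok": "chain resolves to a TXT record; remaining suspects are the value itself and the CA side",
    "no-cname-no-txt": "your own DNS: the _acme-challenge CNAME is missing or at the wrong name",
    "no-txt-at-target": "the acme-dns side: the CNAME target has no TXT record (wrong target or not updated)",
    "cname-loop": "your own DNS: the CNAME chain loops or is too long",
}

def follow_acme_challenge(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[str, List[str], str]:
    """Follow CNAMEs from the _acme-challenge name to a TXT record, as a validating
    resolver does. Returns (final_name, txt_values, status) with status a HINTS key."""
    start = name.rstrip(".").lower()
    current, seen = start, set()
    for _ in range(max_hops):
        if current in seen:
            return current, [], "cname-loop"
        seen.add(current)
        targets = lookup(current, "CNAME")
        if targets:                       # a CNAME takes precedence over any TXT here
            current = targets[0].rstrip(".").lower()
            continue
        txt = lookup(current, "TXT")
        if txt:
            return current, txt, "ok"
        return current, [], ("no-cname-no-txt" if current == start else "no-txt-at-target")
    return current, [], "cname-loop"

# Constructed sample answers standing in for live DNS (names and token are made up).
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.mydomain.com", "CNAME"): ["unique-identifier.auth.acme-dns.io."],
    ("unique-identifier.auth.acme-dns.io", "TXT"): ["constructed-challenge-token"],
    ("_acme-challenge.broken.example", "CNAME"): ["missing.auth.acme-dns.io."],
}

def sample_lookup(name: str, rrtype: str) -> List[str]:
    return SAMPLE_ZONE.get((name, rrtype), [])

def diagnose(name: str, lookup: Lookup = sample_lookup) -> str:
    """One-line verdict saying which part of the chain to check first."""
    final, txt, status = follow_acme_challenge(name, lookup)
    return f"{status}: {final} TXT={txt} -> {HINTS[status]}"

if __name__ == "__main__":
    for n in ("_acme-challenge.mydomain.com", "_acme-challenge.broken.example", "_acme-challenge.other.example"):
        print(diagnose(n))
```

The same walk by hand is `dig +short _acme-challenge.mydomain.com CNAME` followed by `dig +short <target> TXT`; an empty answer at either step tells you which side to look at.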

Thanks for your well-explained response.

I can confirm that the CNAME entry _acme-challenge.mydomain.com pointing to unique-identifier.auth.acme-dns.io is present in my DNS control panel; it has not been changed since it was created.

When using unboundtest.com it seems ok, results below.

Hi, thanks I’ve tested this on my side and I can confirm there is a problem using acme-dns with Let’s Encrypt currently. I will raise this issue with Let’s Encrypt. The two services (acme-dns and Let’s Encrypt) are not operated by us, so if a new problem has developed between them we can only raise it as an issue.

If you have a Certify The Web account on https://certifytheweb.com we can enable a CertifyDNS license as an alternative to using acme-dns (it’s just the same idea, hosted/implemented differently) for you to try. You can email support at certifytheweb.com for more information.

Note that you can now enable Certify DNS for free during the beta phase via https://certifytheweb.com/ - to register for an account click Sign In, Create New Account, then when signed in click Enable Certify DNS on the License Keys tab.