TXT Lookup Error for _acme-challenge

Dear Certify Community

I appear to have a DNS Problem with Certify The Web.
I wanted to deploy a new Certificate but even after creating all needed DNS entries and setting the TTL to 15 minutes it still doesn’t work and I have even managed to exceed the failed authorizations limit.
This is my DNS config:
[image: DNS configuration]

I tested the DNS-01 Connection using Let’s Debug and it gave me this:

This is my Certify Log:

2023-02-13 13:51:30.154 +01:00 [INF] ---- Beginning Request [Default Web Site] ----
2023-02-13 13:51:30.154 +01:00 [INF] Certify/5.6.8.0 (Windows; Microsoft Windows NT 10.0.20348.0) 
2023-02-13 13:51:30.157 +01:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2023-02-13 13:51:30.157 +01:00 [INF] Requested identifiers to include on certificate: rdg.test.pcetera.ch
2023-02-13 13:51:30.157 +01:00 [INF] Beginning certificate order for requested domains
2023-02-13 13:51:30.157 +01:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2 
2023-02-13 13:51:31.376 +01:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/962622326/164554586276
2023-02-13 13:51:31.675 +01:00 [INF] Fetching Authorizations.
2023-02-13 13:51:32.552 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/203143401296/xcH5qg
2023-02-13 13:51:32.845 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/203143401296/g58-Pw
2023-02-13 13:51:32.845 +01:00 [INF] Attempting Domain Validation: rdg.test.pcetera.ch
2023-02-13 13:51:32.846 +01:00 [INF] Registering and Validating rdg.test.pcetera.ch 
2023-02-13 13:51:32.846 +01:00 [INF] Preparing automated challenge responses (rdg.test.pcetera.ch)
2023-02-13 13:51:32.846 +01:00 [INF] DNS: Creating TXT Record '_acme-challenge.rdg.test.pcetera.ch' with value '_DBM_9-jIznDK0wFm2ULQvbsoFTlXFjTCDHXnL4AG_s', in Zone Id '' using API provider 'acme-dns DNS API'
2023-02-13 13:51:33.195 +01:00 [INF] DNS: acme-dns DNS API :: Updated: _acme-challenge.rdg.test.pcetera.ch :: ddaefb54-4f31-4b30-8360-e9b178adbe44.auth.acme-dns.io
2023-02-13 13:51:33.195 +01:00 [INF] Requesting Validation: rdg.test.pcetera.ch
2023-02-13 13:51:38.234 +01:00 [INF] Attempting Challenge Response Validation for Domain: rdg.test.pcetera.ch
2023-02-13 13:51:38.234 +01:00 [INF] Registering and Validating rdg.test.pcetera.ch 
2023-02-13 13:51:38.235 +01:00 [INF] Checking automated challenge response for Domain: rdg.test.pcetera.ch
2023-02-13 13:51:39.120 +01:00 [INF] Domain validation failed: rdg.test.pcetera.ch 
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rdg.test.pcetera.ch - check that a DNS record exists for this domain BadRequest urn:ietf:params:acme:error:dns
2023-02-13 13:51:41.178 +01:00 [INF] DNS: Deleting TXT Record '_acme-challenge.rdg.test.pcetera.ch', in Zone Id '' using API provider 'acme-dns DNS API'
2023-02-13 13:51:43.677 +01:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: rdg.test.pcetera.ch 
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rdg.test.pcetera.ch - check that a DNS record exists for this domain BadRequest urn:ietf:params:acme:error:dns
2023-02-13 13:51:43.677 +01:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: rdg.test.pcetera.ch 
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rdg.test.pcetera.ch - check that a DNS record exists for this domain BadRequest urn:ietf:params:acme:error:dns
2023-02-13 13:51:43.677 +01:00 [INF] Performing Post-Request (Deployment) Tasks..
2023-02-13 13:51:43.678 +01:00 [INF] Task [Export Certificate] :: Task is enabled but will not run because primary request unsuccessful.
2023-02-13 13:51:43.678 +01:00 [INF] Export Certificate :: Task is enabled but will not run because primary request unsuccessful.
2023-02-13 13:51:43.678 +01:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: rdg.test.pcetera.ch 
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rdg.test.pcetera.ch - check that a DNS record exists for this domain BadRequest urn:ietf:params:acme:error:dns

Is there anything I can do to fix this?

Greetings

Martin

Addition since I can’t put more than one picture in:

The tests run smoothly:
[image: test results]

The public Internet has no idea about your DNS entries. They are not being propagated correctly.

>nslookup rdg.test.pcetera.ch 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

*** dns.google can't find rdg.test.pcetera.ch: Non-existent domain
>nslookup -q=cname _acme-challenge.rdg.test.pcetera.ch 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

*** dns.google can't find _acme-challenge.rdg.test.pcetera.ch: Non-existent domain
2 Likes

A good way to test this is to use the CNAME option in https://toolbox.googleapps.com/apps/dig/ - once you have your DNS returning the correct public record it should all work OK.

DNS validation uses your public DNS and the failure is happening when the CA (Let’s Encrypt), not Certify The Web, tries to check your DNS. The NXDOMAIN part means your DNS server did not know the record it asked for.

1 Like
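
Added example, not part of the thread or of Certify The Web: a small Python helper that reads a Certify log like the one in the question, pairs each failed `_acme-challenge` lookup with the acme-dns name from the `Updated:` line, and lists the public-resolver checks from the replies above. It assumes the second field of the `Updated:` line is the acme-dns name that the public CNAME must point to; `diagnose` and `SAMPLE_LOG` are hypothetical names.

```python
import re

# Constructed sample: three lines copied from the Certify log in the question.
SAMPLE_LOG = """\
2023-02-13 13:51:33.195 +01:00 [INF] DNS: acme-dns DNS API :: Updated: _acme-challenge.rdg.test.pcetera.ch :: ddaefb54-4f31-4b30-8360-e9b178adbe44.auth.acme-dns.io
2023-02-13 13:51:39.120 +01:00 [INF] Domain validation failed: rdg.test.pcetera.ch
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.rdg.test.pcetera.ch - check that a DNS record exists for this domain BadRequest urn:ietf:params:acme:error:dns
"""

# "Updated: <challenge name> :: <acme-dns name>" (second field: assumed CNAME target)
UPDATED = re.compile(r"acme-dns DNS API :: Updated: (\S+) :: (\S+)")
# Error text returned by the CA: "<rcode> looking up TXT for <challenge name>"
PROBLEM = re.compile(r"DNS problem: (\w+) looking up TXT for (\S+)")


def diagnose(log_text, resolver="8.8.8.8"):
    """Return one finding per challenge name the CA failed to look up."""
    targets = dict(UPDATED.findall(log_text))  # challenge name -> acme-dns name
    findings, seen = [], set()
    for rcode, name in PROBLEM.findall(log_text):
        if name in seen:  # the log repeats the same error several times
            continue
        seen.add(name)
        host = name.partition("_acme-challenge.")[2] or name
        target = targets.get(name)
        checks = [
            f"nslookup {host} {resolver}",           # does the host exist publicly?
            f"nslookup -q=cname {name} {resolver}",  # is the delegation CNAME published?
        ]
        if target:
            # TXT value written by the acme-dns API should be visible here
            checks.append(f"nslookup -q=txt {target} {resolver}")
        findings.append({"name": name, "rcode": rcode,
                         "expected_cname": target, "checks": checks})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['rcode']} for {f['name']}")
        print(f"  public CNAME should point to: {f['expected_cname']}")
        for cmd in f["checks"]:
            print(f"  run: {cmd}")
```

Run the listed commands against a public resolver rather than the internal DNS server; as long as they return "Non-existent domain", the CA will see the same result.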

Hello @webprofusion and @jljtgr
It appears that the DNS Entries failed to synchronise with the servers.
I am already looking into it with the DNS Hoster.
Thank you both for your help!

I think we can close this problem now.