Acme-dns https api

I have run up an instance of acme-dns in a Docker container but initially had problems starting the container relating to it not being able to generate its own certificate. I changed over to HTTP for the setup process and can successfully request certificates using the Certify The Web client. I now want to set up the API using HTTPS but get the following error:

DNS problem: NXDOMAIN looking up TXT for _acme-challenge.acme-dns.brigidine.qld.edu.au - check that a DNS record exists for this domain

I am assuming I need to enter a TXT record on my public DNS for _acme-challenge.acme-dns.brigidine.qld.edu.au; however, it does not tell me what the content needs to be?

2 Likes

You are correct.

There's a base64 token string (will look like garbage) that your ACME client will give you to use as the value. I'm not really familiar with your client, but it should supply this token either visually or in a file somewhere.

1 Like

Hi freessltools.com,

The problem is, I believe, that the acme-dns container itself is attempting to generate its own certificate using its own built-in client.

1 Like

It’s not super clear from the docs, but I believe you need to delegate the acme-dns.brigidine.qld.edu.au zone to itself (with a glue record).

e.g. Add on the uqschoolsnet.com.au nameservers:

acme-dns.brigidine.qld.edu.au.      IN A    <the ip address>
acme-dns.brigidine.qld.edu.au.      IN NS   acme-dns.brigidine.qld.edu.au.

Then, when a public query is made for _acme-challenge.acme-dns.brigidine.qld.edu.au, it will end up being queried from your acme-dns server, and that will allow it to issue a certificate for its own REST API.

The nameserver domain would need to match whatever you configure for the nsname and records keys in your config.

3 Likes
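The consistency rule from the answer above (delegation NS, glue record, and the `nsname` and `records` config keys all agreeing) can be checked mechanically. This is an added example, not part of the original thread or of acme-dns itself; it assumes the `[general]` section of the acme-dns config is supplied as a Python dict, and the address 192.0.2.10 and all sample records are constructed.

```python
def norm(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.strip().lower().rstrip(".")

def parse_rr(line):
    """Parse 'owner [IN] TYPE value' into (owner, type, value)."""
    parts = [p for p in line.split() if p.upper() != "IN"]
    owner, rtype, value = parts[0], parts[1].upper(), parts[2]
    if rtype in ("NS", "CNAME"):
        value = norm(value)
    return norm(owner), rtype, value

def check_delegation(parent_records, general):
    """Return a list of problems; an empty list means the setup is consistent."""
    zone, nsname = norm(general["domain"]), norm(general["nsname"])
    parent = [parse_rr(r) for r in parent_records]
    own = [parse_rr(r) for r in general["records"]]
    problems = []
    ns_targets = {v for o, t, v in parent if o == zone and t == "NS"}
    if not ns_targets:
        problems.append(f"parent zone has no NS record delegating {zone}")
    elif nsname not in ns_targets:
        problems.append(f"nsname {nsname} is not an NS target in the parent zone")
    # A nameserver named inside the zone it serves needs a glue A record.
    for target in sorted(ns_targets):
        in_zone = target == zone or target.endswith("." + zone)
        if in_zone and not any(o == target and t == "A" for o, t, _ in parent):
            problems.append(f"no glue A record for {target} in the parent zone")
    if (zone, "NS", nsname) not in own:
        problems.append(f"config records lack '{zone}. NS {nsname}.'")
    if not any(o == nsname and t == "A" for o, t, _ in own):
        problems.append(f"config records lack an A record for {nsname}")
    return problems

# Constructed sample data mirroring the records suggested in the thread.
Z = "acme-dns.brigidine.qld.edu.au"
PARENT_OK = [f"{Z}. IN A 192.0.2.10", f"{Z}. IN NS {Z}."]
GENERAL = {  # hypothetical [general] values from the acme-dns config
    "domain": Z,
    "nsname": Z,
    "records": [f"{Z}. A 192.0.2.10", f"{Z}. NS {Z}."],
}

if __name__ == "__main__":
    for problem in check_delegation(PARENT_OK, GENERAL) or ["consistent"]:
        print(problem)
```
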

Hi _az,

It appears you are correct. Originally I had my NS record as a.acme-dns.brigidine.ql.edu.au IN NS acme.brigidine.qld.edu.au but have since changed it to acme.brigidine.qld.edu.au. The reason being I was following this guide https://jaletzki.de/posts/acme-dns-on-centos-7/ that said potentially not all DNS hosts support an NS record pointing to itself. I also duplicated this in my acme-dns config file. While using HTTP it could successfully request certificates. Do you know why setting it up in this way would not allow it to request its own certificate? (My CNAME records would also point to a.acme.brigidine.qld.edu.au.) I must confess I am not very well versed in DNS configuration.

1 Like

I’m not sure, sorry. It’s hard to say without seeing the configuration in action. When I checked initially, there didn’t seem to be any delegation set up at all.

Hi _az,

No problems. I initially used a.acme.brigidine.qld.edu.au as I was initially having other problems but have now simplified to acme.brigidine.qld.edu.au. Thanks for your help, your answer has been marked as the solution.
