DNS Alias with POSH-ACME

Hi, I've successfully used Posh-ACME to create an order and issue a certificate via the Windows DNS plugin using PowerShell remoting; however, as per the following:

I'd like to use a DNS alias to point to another DNS server to complete the challenge. The main reason is security, as I don't want to expose my main DNS server to the challenge.

I've set up a new DNS server which I'd like to use and set up a CNAME for the domain example to point to the new DNS server.

So in this example, the challenge CNAME on the original DNS server (originaldns.example.com) looks like this:

_acme-challenge.a123.domain.example.com
points to
newdns.example.com

When I attempt a new certificate using the following commands:

$pArgs = @{
    WinServer = 'newdns.example.com'
    WinCred   = Get-Credential
    WinUseSSL = $true
}

New-PACertificate "a123.domain.example.com" -AcceptTOS -Contact "email@email.com" -Plugin Windows -DnsAlias "newdns.example.com" -PluginArgs $pArgs -Verbose -Directory LE_STAGE

However, I then receive the following:

VERBOSE: Connected to newdns.example.com
Submit-ChallengeValidation : Failed to enumerate zones from the server newdns.example.com.

I haven't seen anything regarding this error message. The new DNS server is bare-bones, and I've tried creating the zone structure for this example (a123.domain.example.com), but the error is the same.

Is there something I've missed here?

Hi @skwieste, and welcome to the LE community forum :slight_smile:

Have you reviewed:
Troubleshooting DNS Validation - Posh-ACME (poshac.me)

Also:


I have, yes; however, it doesn't answer my query. I'm sure I'm missing something simple here, but I'm not sure what! The query via the full-domain ACME challenge lookup does point to the CNAME entry of the new DNS server, but I still see the failure.

Without actual domain names, there isn't much else I can do for you.
Perhaps someone else will respond with more knowledge.


Just as a sanity check, does running Get-DnsServerZone directly from the new DNS server actually return any results? And if so, do those results contain your newdns.example.com zone?

My first guess would normally be that something about the remoting config is screwed up. But the error you're getting suggests that part is working and the server just isn't returning any zones when asked. Is the DNS service running? Was it restarted after adding the zone?

Ultimately, this is effectively all the plugin is doing before you get the error. If you want to reproduce it, make sure you have a fresh PowerShell session or explicitly close any existing CimSession objects.

# Same CIM session shape the plugin builds from the WinServer/WinCred/WinUseSSL plugin args
$cimParams = @{
    ComputerName  = $pArgs.WinServer
    Credential    = $pArgs.WinCred
    SessionOption = (New-CimSessionOption -UseSsl)
}
$session = New-CimSession @cimParams

# Enumerate zones over that session, dropping the auto-created and TrustAnchors zones
$zoneParams = @{
    ComputerName = $pArgs.WinServer
    CimSession   = $session
}
Get-DnsServerZone @zoneParams | Where-Object { !$_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
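A pre-flight check for the alias setup discussed in this thread, added here as an example (it is not from the thread or from Posh-ACME): it verifies the public CNAME, then reuses the same CIM session shape as the plugin to confirm the secondary hosts a primary zone containing the alias and accepts a TXT write there, so the main DNS server never needs write credentials. The alias name a123.acme.example.net and the parameter names are assumptions.

```powershell
# Added example, not Posh-ACME code. Assumed names: certificate FQDN, the alias it CNAMEs to,
# and the secondary DNS server that hosts the alias zone and receives the challenge TXT record.
param(
    [string]$CertName  = 'a123.domain.example.com',
    [string]$Alias     = 'a123.acme.example.net',   # assumption: lives in a zone on the secondary
    [string]$DnsServer = 'newdns.example.com',
    [pscredential]$Cred = (Get-Credential)
)

# 1. Public view: the challenge name must CNAME to the alias, or the CA never consults the secondary.
$cname = Resolve-DnsName -Name "_acme-challenge.$CertName" -Type CNAME -ErrorAction Stop |
    Where-Object QueryType -eq 'CNAME'
if (-not $cname -or $cname.NameHost -ne $Alias) {
    throw "_acme-challenge.$CertName does not CNAME to $Alias (got '$($cname.NameHost)')"
}

# 2. Remote view: CIM over WSMan with SSL, the same session shape the Windows plugin uses.
$session = New-CimSession -ComputerName $DnsServer -Credential $Cred -SessionOption (New-CimSessionOption -UseSsl)
try {
    $zones = Get-DnsServerZone -CimSession $session |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' -and -not $_.IsReverseLookupZone }
    if (-not $zones) { throw "$DnsServer returned no zones; check the DNS Server role/service, not remoting" }

    # Longest zone suffix containing the alias: the plugin needs such a zone to place the TXT record.
    $zone = $zones | Where-Object { $Alias -eq $_.ZoneName -or $Alias.EndsWith(".$($_.ZoneName)") } |
        Sort-Object { $_.ZoneName.Length } -Descending | Select-Object -First 1
    if (-not $zone) { throw "No zone on $DnsServer contains $Alias; hosted zones: $($zones.ZoneName -join ', ')" }
    if ($zone.ZoneType -ne 'Primary') { throw "Zone $($zone.ZoneName) is $($zone.ZoneType); TXT writes need a primary zone" }

    # 3. Write path: add a throwaway TXT record where the plugin would, read it back, then remove it.
    $rel = if ($Alias -eq $zone.ZoneName) { '@' } else { $Alias.Substring(0, $Alias.Length - $zone.ZoneName.Length - 1) }
    $marker = "preflight-$([guid]::NewGuid().ToString('N'))"
    Add-DnsServerResourceRecord -CimSession $session -ZoneName $zone.ZoneName -Name $rel -Txt `
        -DescriptiveText $marker -TimeToLive (New-TimeSpan -Minutes 1)
    $rec = Get-DnsServerResourceRecord -CimSession $session -ZoneName $zone.ZoneName -Name $rel -RRType Txt |
        Where-Object { $_.RecordData.DescriptiveText -eq $marker }
    if (-not $rec) { throw "TXT record was not readable back from $DnsServer" }
    Remove-DnsServerResourceRecord -CimSession $session -ZoneName $zone.ZoneName -InputObject $rec -Force
    "OK: $Alias is writable in zone $($zone.ZoneName) on $DnsServer; the main DNS server needs no write credentials"
} finally {
    Remove-CimSession $session
}
```

If step 2 throws the "returned no zones" error while the session itself connected, the fault is on the DNS Server side rather than in remoting, which matches the failure mode in this thread.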

Hi, thanks, that helped to test it further. The original server worked fine with those commands, so in the end I removed the DNS Server role on the secondary and re-added it, and then the Get-DnsServerZone command responded as expected.


Nice. Glad to hear it's working for you now.
