DNS challenge OK even when I haven't got a TXT record

Hi all,

When testing the DNS challenge with Let's Encrypt using this website

https://letsdebug.net/

It says my domain name is OK even though, with my DDNS provider and Let's Encrypt, I haven't got a TXT record or an API for my ACME client on my OPNsense firewall.

Why is this, please?

Thanks,
Rob

It just checks some conditions and common errors which might impede the dns-01 challenge. It won't actually perform one, as that would be impossible.

3 Likes

Thanks

So I'm guessing I need to change to another DDNS provider, as I don't see noip on this list for it to do the DNS challenge for the ACME client.

1 Like

I don't know if noip lets you do that, but if possible you might be able to use a CNAME to redirect the challenge to a different DNS server, e.g. one you control. Using acme-dns comes to mind :)

2 Likes
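To make concrete what letsdebug cannot do (actually perform the dns-01 check) and what the CNAME redirect suggested above changes, here is an added example, not code from the original thread, from letsdebug, or from acme-dns. It computes the TXT value a CA expects for a dns-01 challenge (RFC 8555: base64url of SHA-256 over token + "." + RFC 7638 thumbprint of the account key) and then looks it up in a small in-memory zone, following CNAMEs the way a validating resolver would. The account key, token, host names and zone contents are constructed stand-ins, not real values; `home.example.net` stands for a DDNS name whose `_acme-challenge` label is delegated to an acme-dns style server, and `dyn.example.org` stands for a DDNS name with no TXT record at all, which is the situation in the original question.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as JSON with keys sorted lexicographically and no whitespace.
    Optional members such as "use" or "kid" do not affect the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The string the CA expects to find in the TXT record:
    base64url(SHA-256(token + "." + thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_txt(name: str, zone: dict, max_hops: int = 8):
    """Return (final_name, [TXT strings]) for `name`, following CNAMEs.
    Raises ValueError on a CNAME loop or an over-long chain."""
    visited = []
    while len(visited) < max_hops:
        if name in visited:
            raise ValueError(f"CNAME loop at {name}")
        visited.append(name)
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return name, list(rrset.get("TXT", []))
    raise ValueError("CNAME chain too long")


def validate_dns01(domain: str, token: str, account_jwk: dict, zone: dict) -> bool:
    """What the CA does for dns-01: look up _acme-challenge.<domain> TXT
    (CNAMEs followed) and check that the expected value is among the strings."""
    expected = dns01_txt_value(token, account_jwk)
    _, txts = resolve_txt(f"_acme-challenge.{domain}.", zone)
    return expected in txts


# --- Constructed sample data: not a real account key, token or zone ---
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "c3RhbmQtaW4teC1jb29yZGluYXRlLW5vdC1hLXJlYWwta2V5",
    "y": "c3RhbmQtaW4teS1jb29yZGluYXRlLW5vdC1hLXJlYWwta2V5",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# The value the ACME client would push through the DNS provider's API.
TXT_VALUE = dns01_txt_value(TOKEN, ACCOUNT_JWK)

ZONE = {
    # DDNS name; its _acme-challenge label is a CNAME to a server the
    # ACME client can update, which is the acme-dns pattern.
    "home.example.net.": {"A": ["203.0.113.10"]},
    "_acme-challenge.home.example.net.": {"CNAME": "a1b2c3d4.auth.acme-dns.example."},
    "a1b2c3d4.auth.acme-dns.example.": {"TXT": [TXT_VALUE]},
    # DDNS-only name with no API and no TXT record: dns-01 must fail here.
    "dyn.example.org.": {"A": ["203.0.113.20"]},
}


if __name__ == "__main__":
    for d in ("home.example.net", "dyn.example.org"):
        print(d, "->", "valid" if validate_dns01(d, TOKEN, ACCOUNT_JWK, ZONE) else "no valid TXT")
```

The point for the thread: a checker like letsdebug can tell you that the CNAME chain and name servers look sane, but only the CA holds the token and account thumbprint, so only the real challenge can confirm the TXT value. With the CNAME delegation, the DDNS provider only ever has to host one static CNAME, and the ACME client updates the delegated zone it has an API for.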

Mmm, so I can't use a free service like this, for example, so that I have my DDNS and ACME client, i.e. DNS challenge, all using the same provider?

If you prefer to switch, that's of course your prerogative. I just gave you a (maybe) possible alternative :)

Switching probably would be easier.

2 Likes

Thanks @Osiris, I just need to check which one to get for OPNsense, i.e. what provider supports both DDNS and the ACME client.

Do you know of any?

1 Like

I'm not a fan of it (poorly documented, not very sensible setup if you ask me and it defaults to ZeroSSL [and is bought by it], a different, commercial [but free using the ACME protocol] CA, although it can be configured to use Let's Encrypt), but the client called "acme.sh" has a lot of DNS implementations.

2 Likes

So acme.sh can do both for me, i.e. DDNS and ACME client? I suppose I install it on my OPNsense firewall?

I don't know what the capabilities of "opnsense" are, but "acme.sh" is an ACME client written entirely in Bash with just a few dependencies (I think OpenSSL, stuff like that) and has a ton of DNS API scripts available. You can check the latter out here: https://github.com/acmesh-official/acme.sh/tree/master/dnsapi You might also find other dynamic DNS providers among the list. Don't ask me which one is better though 🙄

3 Likes

I've got this on my OPNsense FW, it's a package/plugin that you install.

Just trying to figure out, as well as having a DDNS provider (which I do, noip), whether I can have one provider that does both ACME client and DDNS, or whether I can just have the ACME client and that also does the DDNS for me.

Sorry if that doesn't make sense.

1 Like

It actually indeed doesn't make much sense to me. It seems you're thinking a DDNS provider can also do some "ACME" stuff or the other way around and have an ACME client do some "DDNS" stuff. While in reality, it's not one thing doing both but always two things doing two separate things.

It seems the PR you're quoting added acme.sh to opnsense, so it might be that any DDNS provider supported by acme.sh is also supported by opnsense.

2 Likes

OK, I'll look for a provider that does both DDNS and ACME challenge.

I don't understand. What do you mean by "a provider that does [...] ACME challenge"?

1 Like

I don't know the correct terminology then.

DNS challenge
ACME support

1 Like

The only thing a DDNS provider can do is provide a well documented API. The rest all comes down to the ACME client.

2 Likes

Yeah, so I need a DDNS provider that supports an API as well, that can talk to the ACME client?

Yup.

No, the other way around: the ACME client will talk to the DNS provider's API.

2 Likes

Great, perfect, so I just need to find a DDNS provider that provides API support to talk to the ACME client on my OPNsense firewall.

Sorry, the client talks to the DNS API.