Error while issuing certificates for a domain using acme DNS challenge

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: chicagotraffictracker.com

I ran this command: ./acme.sh --issue -d chicagotraffictracker.com --challenge-alias ekicocvalidation.com --dns dns_gd

It produced this output:

Verifying:chicagotraffictracker.com
[Wed May 15 11:05:19 CDT 2019] chicagotraffictracker.com:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.chicagotraffictracker.com
[Wed May 15 11:05:19 CDT 2019] Removing DNS records.
[Wed May 15 11:05:20 CDT 2019] Please add '--debug' or '--log' to check more details.
[Wed May 15 11:05:20 CDT 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.s

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Linux RHEL

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): acme

I did a dig to see if the entries are in place and it seems they are.

dig _acme-challenge.chicagotraffictracker.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> _acme-challenge.chicagotraffictracker.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10805
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.chicagotraffictracker.com. IN A

;; ANSWER SECTION:
_acme-challenge.chicagotraffictracker.com. 5 IN CNAME acme-challenge.ekicocvalidation.com.

;; Query time: 4 msec
;; SERVER: 10.96.254.16#53(10.96.254.16)
;; WHEN: Wed May 15 13:23:56 CDT 2019
;; MSG SIZE rcvd: 116

Please advise. Thank you

#2

From this doc you can see:

your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>

I think that your dig should be
dig _acme-challenge.chicagotraffictracker.com TXT

#3

@gpatel-fr Thank you for the reply

I followed the same procedure for a bunch of domains, but I'm only having an error with this particular domain (chicagotraffictracker.com).

Below are examples from one of the domains that I could issue certificates for (chicagoearlylearning.org).

dig _acme-challenge.chicagotraffictracker.com TXT

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> _acme-challenge.chicagotraffictracker.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60863
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.chicagotraffictracker.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.chicagotraffictracker.com. 5 IN CNAME acme-challenge.ekicocvalidation.com.

dig _acme-challenge.chicagoearlylearning.org

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> _acme-challenge.chicagoearlylearning.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63062
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.chicagoearlylearning.org. IN A

;; ANSWER SECTION:
_acme-challenge.chicagoearlylearning.org. 3600 IN CNAME _acme-challenge.ekicocvalidation.com.

#4
_acme-challenge.chicagotraffictracker.com. 5 IN CNAME http://acme-challenge.ekicocvalidation.com

it’s a http link - not something you want in a DNS entry.

#5

@gpatel-fr I don’t know where you got the http://, it’s not present in DNS. OP is using https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode , which uses a CNAME to a second domain to indirect the challenge.

@Pradeep have you tried with a longer DNS sleep, e.g. 5 minutes? Maybe the default is too short for the GoDaddy nameservers:

--dnssleep 360

If that doesn’t work, can you run acme.sh with --debug and upload the log somewhere?
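The lookup that posts #2 and #5 describe, a TXT record at _acme-challenge.<domain> reached through a CNAME into a second zone in alias mode, as an added Python example that is not part of this thread, of acme.sh or of the DNS alias mode wiki. It walks the CNAME chain the way a validating resolver would and reports NXDOMAIN, NODATA or a found TXT, with a dnssleep-style retry loop for slow authoritative servers. The zone data is constructed from the dig output quoted above (the failing domain's CNAME target lacks the leading _acme-challenge. label that the working domain's target and the alias-mode docs use); the TXT value, the function names check_challenge_chain, wait_for_txt, propagating_lookup and zone_lookup, and the dict-backed lookup are the example's own assumptions, not acme.sh behaviour.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records modelled on the dig output in this thread; not live DNS.
# Each owner name maps to a list of (rtype, rdata). A name missing from the dict
# answers NXDOMAIN; a present name with no record of the asked type answers NODATA.
SAMPLE_ZONE: Dict[str, List[Tuple[str, str]]] = {
    # the failing domain: CNAME target lacks the leading _acme-challenge. label
    "_acme-challenge.chicagotraffictracker.com.": [("CNAME", "acme-challenge.ekicocvalidation.com.")],
    # the working domain: CNAME target is _acme-challenge.<alias zone>
    "_acme-challenge.chicagoearlylearning.org.": [("CNAME", "_acme-challenge.ekicocvalidation.com.")],
    # the alias zone where the client actually writes the TXT (value is constructed)
    "_acme-challenge.ekicocvalidation.com.": [("TXT", "constructed-challenge-token")],
}

# lookup(name, rtype) -> None for NXDOMAIN, [] for NODATA, else the rdata strings
Lookup = Callable[[str, str], Optional[List[str]]]


def zone_lookup(zone: Dict[str, List[Tuple[str, str]]]) -> Lookup:
    """Build a lookup over the dict; a dnspython-backed function with the same
    contract could be swapped in to run the walk against live resolvers."""
    def lookup(name: str, rtype: str) -> Optional[List[str]]:
        rrs = zone.get(name)
        if rrs is None:
            return None                                      # NXDOMAIN
        return [rdata for t, rdata in rrs if t == rtype]     # [] means NODATA
    return lookup


@dataclass
class ChainResult:
    chain: List[str]   # owner names visited, starting at _acme-challenge.<domain>
    txt: List[str]     # TXT values found at the end of the chain
    status: str        # "ok", "nxdomain", "nodata" or "loop"
    hints: List[str]   # human-readable diagnostics


def check_challenge_chain(domain: str, lookup: Lookup, max_hops: int = 8) -> ChainResult:
    """Follow CNAMEs from _acme-challenge.<domain> and report whether a TXT
    record is reachable at the end, as the CA's resolver would see it."""
    name = f"_acme-challenge.{domain.rstrip('.')}."
    chain, hints = [name], []
    for _ in range(max_hops):
        cnames = lookup(name, "CNAME")
        if cnames is None:
            hints.append(f"{name} does not exist (NXDOMAIN)")
            return ChainResult(chain, [], "nxdomain", hints)
        if cnames:
            target = cnames[0]
            if not target.startswith("_acme-challenge."):
                hints.append(f"CNAME target {target} lacks the _acme-challenge. label "
                             "that alias mode expects")
            if target in chain:
                hints.append("CNAME loop detected")
                return ChainResult(chain, [], "loop", hints)
            chain.append(target)
            name = target
            continue
        txt = lookup(name, "TXT")
        if not txt:
            hints.append(f"{name} exists but has no TXT record (NODATA)")
            return ChainResult(chain, [], "nodata", hints)
        return ChainResult(chain, txt, "ok", hints)
    hints.append(f"gave up after {max_hops} CNAME hops")
    return ChainResult(chain, [], "loop", hints)


def wait_for_txt(domain: str, lookup: Lookup, attempts: int = 5, delay: float = 60.0,
                 sleep_fn: Callable[[float], None] = time.sleep) -> ChainResult:
    """Re-check until the TXT is visible or attempts run out; the delay plays the
    role a longer --dnssleep does for authoritative servers that publish slowly."""
    result = check_challenge_chain(domain, lookup)
    for _ in range(attempts - 1):
        if result.status == "ok":
            break
        sleep_fn(delay)
        result = check_challenge_chain(domain, lookup)
    return result


def propagating_lookup(zone: Dict[str, List[Tuple[str, str]]], hidden_name: str,
                       hidden_for_calls: int) -> Lookup:
    """Constructed stand-in for a record that only becomes visible after the
    first few queries, to exercise wait_for_txt offline."""
    base = zone_lookup(zone)
    calls = {"n": 0}

    def lookup(name: str, rtype: str) -> Optional[List[str]]:
        if name == hidden_name:
            calls["n"] += 1
            if calls["n"] <= hidden_for_calls:
                return None                                  # still NXDOMAIN
        return base(name, rtype)
    return lookup


if __name__ == "__main__":
    lookup = zone_lookup(SAMPLE_ZONE)
    for d in ("chicagotraffictracker.com", "chicagoearlylearning.org"):
        r = check_challenge_chain(d, lookup)
        print(f"{d}: {r.status}  {' -> '.join(r.chain)}  {r.hints}")
```

Against the constructed zone the failing domain ends in NXDOMAIN with a hint about the missing label, and the working domain reaches the TXT; on a live setup the same walk, pointed at the authoritative nameservers rather than a caching resolver, separates "record never published" from "record published but not yet propagated", which is the case the longer sleep helps with.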

#6

Ah, it's Discourse again. I'll never get used to this system and its handling of text pasted without backticks.

Anyway, looking back at my test of one hour ago:

dig _acme-challenge.chicagotraffictracker.com TXT
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> _acme-challenge.chicagotraffictracker.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21798
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

and just now:

dig _acme-challenge.chicagotraffictracker.com TXT

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> _acme-challenge.chicagotraffictracker.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5581
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.chicagotraffictracker.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.chicagotraffictracker.com. 1800 IN CNAME _acme-challenge.ekicocvalidation.com.
_acme-challenge.ekicocvalidation.com. 599 IN TXT ""

It's probably safe to say that the problem is solved now.