Error while issuing certificates for a domain using acme DNS challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: chicagotraffictracker.com

I ran this command: ./acme.sh --issue -d chicagotraffictracker.com --challenge-alias ekicocvalidation.com --dns dns_gd

It produced this output:

Verifying:chicagotraffictracker.com
[Wed May 15 11:05:19 CDT 2019] chicagotraffictracker.com:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.chicagotraffictracker.com
[Wed May 15 11:05:19 CDT 2019] Removing DNS records.
[Wed May 15 11:05:20 CDT 2019] Please add '--debug' or '--log' to check more details.
[Wed May 15 11:05:20 CDT 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.s

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Linux RHEL

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): acme

I did a dig to see if the entries are in place and it seems they are.

dig _acme-challenge.chicagotraffictracker.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> _acme-challenge.chicagotraffictracker.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10805
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.chicagotraffictracker.com. IN A

;; ANSWER SECTION:
_acme-challenge.chicagotraffictracker.com. 5 IN CNAME acme-challenge.ekicocvalidation.com.

;; Query time: 4 msec
;; SERVER: 10.96.254.16#53(10.96.254.16)
;; WHEN: Wed May 15 13:23:56 CDT 2019
;; MSG SIZE rcvd: 116

Please advise. Thank you.

from this doc you can see:

your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>

I think that your dig should be
dig _acme-challenge.chicagotraffictracker.com TXT

@gpatel-fr Thank you for the reply

I followed the same procedure for a bunch of domains but I am only having an error with this particular domain (chicagotraffictracker.com).

Below are examples from one of the domains that I could issue certificates for (chicagoearlylearning.org).

dig _acme-challenge.chicagotraffictracker.com TXT

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> _acme-challenge.chicagotraffictracker.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60863
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.chicagotraffictracker.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.chicagotraffictracker.com. 5 IN CNAME acme-challenge.ekicocvalidation.com.

dig _acme-challenge.chicagoearlylearning.org

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> _acme-challenge.chicagoearlylearning.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63062
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.chicagoearlylearning.org. IN A

;; ANSWER SECTION:
_acme-challenge.chicagoearlylearning.org. 3600 IN CNAME _acme-challenge.ekicocvalidation.com.

_acme-challenge.chicagotraffictracker.com. 5 IN CNAME http://acme-challenge.ekicocvalidation.com

it's an http link - not something you want in a DNS entry.

@gpatel-fr I don’t know where you got the http://, it’s not present in DNS. OP is using https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode , which uses a CNAME to a second domain to indirect the challenge.

@Pradeep have you tried with a longer DNS sleep, e.g. 5 minutes? Maybe the default is too short for the GoDaddy nameservers:

--dnssleep 360

If that doesn’t work, can you run acme.sh with --debug and upload the log somewhere?
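For readers following the CNAME indirection that DNS alias mode relies on, here is an added example (not from the thread and not acme.sh code) that parses dig-style answer lines and walks the chain from `_acme-challenge.<domain>` to the alias domain, reporting the failure modes visible in this thread: a CNAME target that lacks the leading underscore, no TXT at the end of the chain (what Let's Encrypt reports as NXDOMAIN), and an empty TXT left behind after cleanup. The three record sets are constructed to mirror the thread's dig output; the challenge token value is a placeholder.

```python
"""Validate an acme.sh DNS-alias-mode CNAME chain from dig answer lines.

Added example; not part of the thread or of acme.sh. The record sets at the
bottom are constructed to mirror the dig answers in the thread, and the TXT
token value is a placeholder, not a real ACME challenge token.
"""
import re
from collections import defaultdict

# Matches one dig ANSWER SECTION line: <owner> <ttl> IN <type> <rdata>
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def _fqdn(name):
    """Normalise an owner or target name to lower case with a trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_answers(text):
    """Parse dig output into {(owner, rrtype): [rdata, ...]}.

    Lines starting with ';' (dig's comments, headers and question section)
    and lines that are not resource records (e.g. the typed command) are skipped.
    """
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR.match(line)
        if m:
            owner, _ttl, rrtype, rdata = m.groups()
            records[(_fqdn(owner), rrtype.upper())].append(rdata.strip())
    return records


def check_alias_chain(records, domain, alias, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<domain> and return (findings, txt_values).

    The expected alias-mode chain is
        _acme-challenge.<domain>  CNAME  _acme-challenge.<alias>
        _acme-challenge.<alias>   TXT    "<challenge token>"
    An empty findings list plus a non-empty TXT value means the chain is usable.
    """
    findings = []
    start = f"_acme-challenge.{domain}."
    expected = f"_acme-challenge.{alias}."
    name, seen = start, set()
    for _ in range(max_hops):
        if name in seen:
            findings.append(f"CNAME loop at {name}")
            return findings, []
        seen.add(name)
        txt = records.get((name, "TXT"), [])
        if txt:
            if name != expected:
                findings.append(f"TXT found at {name}, not at the alias {expected}")
            values = [v.strip('"') for v in txt]
            if not any(values):
                findings.append(f"TXT at {name} is empty (no challenge token published)")
            return findings, values
        cnames = records.get((name, "CNAME"), [])
        if not cnames:
            findings.append(f"no TXT or CNAME at {name}: the CA sees NXDOMAIN")
            return findings, []
        target = _fqdn(cnames[0])
        if name == start and target != expected:
            hint = " (missing leading underscore)" if target == f"acme-challenge.{alias}." else ""
            findings.append(f"CNAME target {target} should be {expected}{hint}")
        name = target
    findings.append(f"CNAME chain longer than {max_hops} hops")
    return findings, []


# Constructed record sets modelled on the thread (token value is a placeholder).
BROKEN = """
_acme-challenge.chicagotraffictracker.com. 5 IN CNAME acme-challenge.ekicocvalidation.com.
"""
PUBLISHED = """
_acme-challenge.chicagotraffictracker.com. 1800 IN CNAME _acme-challenge.ekicocvalidation.com.
_acme-challenge.ekicocvalidation.com. 599 IN TXT "TOKEN-PLACEHOLDER"
"""
CLEANED_UP = """
_acme-challenge.chicagotraffictracker.com. 1800\tIN CNAME _acme-challenge.ekicocvalidation.com.
_acme-challenge.ekicocvalidation.com. 599 IN TXT ""
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("published", PUBLISHED), ("cleaned up", CLEANED_UP)):
        findings, values = check_alias_chain(
            parse_answers(text), "chicagotraffictracker.com", "ekicocvalidation.com")
        print(f"{label}: findings={findings} txt={values}")
```

Run against real output, paste the result of `dig _acme-challenge.<domain> TXT` into `parse_answers`; the first finding on the broken set is exactly the discrepancy between the two CNAME targets quoted in this thread.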

ah, it's discourse again. I'll never get used to this system and its handling of text pasted without backticks.

Anyway, looking back at my test of one hour ago:

dig _acme-challenge.chicagotraffictracker.com TXT
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> _acme-challenge.chicagotraffictracker.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21798
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

and just now:

dig _acme-challenge.chicagotraffictracker.com TXT

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> _acme-challenge.chicagotraffictracker.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5581
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.chicagotraffictracker.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.chicagotraffictracker.com. 1800 IN CNAME _acme-challenge.ekicocvalidation.com.
_acme-challenge.ekicocvalidation.com. 599 IN TXT ""

it's probably safe to say that the problem is solved now.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.