Error while renewing certificates using acme.sh DNS API method


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: int.backtoschoolimmunization.org

I ran this command:
./acme.sh --issue -d int.backtoschoolimmunization.org --challenge-alias ekicocvalidation.com --dns dns_gd

ekicocvalidation.com is an alias domain(used DNS API and alias method to issue certificates)

It produced this output: int.backtoschoolimmunization.org:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.int.backtoschoolimmunization.org

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): RHEL

My hosting provider, if applicable, is: LOCAL DNS

I can login to a root shell on my machine (yes or no, or I don’t know): No

The certificates were issued to
int.backtoschoolimmunization.org
qa.backtoschoolimmunization.org
backtoschoolimmunization.org

These domains were hosted in GoDaddy when the certificates were issued using the Let's Encrypt acme.sh DNS API method with an alias.

Recently these domains were moved to Internal DNS and the entries[1] were added to the DNS.

Domain                         Host/Name            Type   Points to
backtoschoolimmunization.org   _acme-challenge      CNAME  _acme-challenge.ekicocvalidation.com
backtoschoolimmunization.org   _acme-challenge.int  CNAME  _acme-challenge.ekicocvalidation.com
backtoschoolimmunization.org   _acme-challenge.qa   CNAME  _acme-challenge.ekicocvalidation.com

Then I get the error
int.backtoschoolimmunization.org:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.int.backtoschoolimmunization.org
while renewing int.backtoschoolimmunization.org.


#2

Hi,

Do you mind telling us if _acme-challenge.int.backtoschoolimmunization.org matches with _acme-challenge.qd.backtoschoolimmunization.org?

Thank you


#3

I am sorry for the confusion, I made an edit to the question for better understanding.

int.backtoschoolimmunization.org
qa.backtoschoolimmunization.org
backtoschoolimmunization.org

I am having an issue renewing certificates for all three of them. Initially I issued certificates separately to these domains.


#4

Hi,

The int and qa names do not have a valid CNAME record.
Could you please double check that they are correctly set up?

Thank you


#5

Steve,

Is there a way I can check the entries made in the DNS online using a tool? We don't manage the DNS and it takes a long time to get a reply from that department.


#6

Yes.
There’s a tool online called unboundtest.com.

Or you could also try to query your NS server directly and ask it for the latest status.
First, you'll need to check the CNAME status:
dig CNAME _acme-challenge.int.backtoschoolimmunization.org.
dig CNAME _acme-challenge.qa.backtoschoolimmunization.org.
dig CNAME _acme-challenge.backtoschoolimmunization.org.
Then, if all the CNAMEs show up as expected, check the TXT record:
dig TXT _acme-challenge.ekicocvalidation.com @ns31.domaincontrol.com

Thank you


#7

There are no TXT records for:
_acme-challenge.int.backtoschoolimmunization.org
_acme-challenge.qa.backtoschoolimmunization.org

I do see one for:
_acme-challenge.backtoschoolimmunization.org


#8

@stevenzhu @rg305

Just want to make sure that the entries that I posted in the question are correct?


#9

If you are trying to request certificates for int.backtoschoolimmunization.org, qa.backtoschoolimmunization.org, and backtoschoolimmunization.org, the entries should be correct (all with _acme-challenge.)…

However, you haven't added a CNAME for _acme-challenge.int.backtoschoolimmunization.org and _acme-challenge.qa.backtoschoolimmunization.org… (which you said should CNAME to _acme-challenge.ekicocvalidation.com, according to that table)

Thank you


#10

@stevenzhu

Those were the entries initially added when the certificates were issued.

I remember GoDaddy automatically picks up .backtoschoolimmunization.org after _acme-challenge.int. That was the reason I did not make a CNAME entry to _acme-challenge.int.backtoschoolimmunization.org.

Thank you for bringing that up. I have a follow-up question if you don't mind.

Is it the same with all hosting services or just GoDaddy? Because now this domain is moved to a local DNS.


#11

If you are asking about automatically adding the root domain to DNS records, it depends on the DNS service (software).

Thank you


#12

A local DNS system will (should) be easier to manage; but you still have to have one CNAME per:
_acme-challenge.int.backtoschoolimmunization.org > _acme-challenge.ekicocvalidation.com
_acme-challenge.qa.backtoschoolimmunization.org > _acme-challenge.ekicocvalidation.com
_acme-challenge.backtoschoolimmunization.org > _acme-challenge.ekicocvalidation.com
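As an added example (not posted by anyone in this thread), here is an offline model of the check described in #6 and of the three records listed in #12: zone-relative host names are expanded with their origin, the `_acme-challenge` CNAME chain is followed the way a resolver would, and the result shows why the apex renews while int and qa fail until their CNAMEs exist. The zone contents and the TXT token are constructed; nothing here queries real DNS.

```python
# Constructed zone data mirroring the records discussed in the thread.
# Shape: {origin: {zone-relative host: (type, value)}}
RELATIVE_ZONE = {
    "backtoschoolimmunization.org": {
        "_acme-challenge": ("CNAME", "_acme-challenge.ekicocvalidation.com"),
    },
    "ekicocvalidation.com": {
        "_acme-challenge": ("TXT", "constructed-token-value"),
    },
}
TARGET = "_acme-challenge.ekicocvalidation.com"
DOMAINS = ["backtoschoolimmunization.org",
           "int.backtoschoolimmunization.org",
           "qa.backtoschoolimmunization.org"]

def expand(host, origin):
    """Turn a zone-relative host ('_acme-challenge.int') into a FQDN.
    Some providers append the origin for you; a local zone may not, so
    everything below is checked on fully qualified names."""
    return origin if host in ("", "@") else f"{host}.{origin}"

def build_records(zones):
    """Flatten {origin: {host: rr}} into {fqdn: rr}."""
    return {expand(h, o): rr for o, hosts in zones.items() for h, rr in hosts.items()}

def lookup_txt(name, records, max_hops=8):
    """Follow CNAMEs from `name` and return the TXT value at the end of the
    chain, or None for NXDOMAIN, a non-TXT endpoint, or a CNAME loop."""
    for _ in range(max_hops):
        rr = records.get(name)
        if rr is None:            # NXDOMAIN: the name was never created
            return None
        rtype, value = rr
        if rtype == "TXT":
            return value
        if rtype != "CNAME":
            return None
        name = value              # chase the alias
    return None

def check_domains(domains, records):
    """Per certificate name: does _acme-challenge.<name> reach a TXT record?"""
    return {d: lookup_txt(f"_acme-challenge.{d}", records) is not None for d in domains}

def before_fix():
    return check_domains(DOMAINS, build_records(RELATIVE_ZONE))

def after_fix():
    fixed = {o: dict(h) for o, h in RELATIVE_ZONE.items()}
    for sub in ("_acme-challenge.int", "_acme-challenge.qa"):
        fixed["backtoschoolimmunization.org"][sub] = ("CNAME", TARGET)
    return check_domains(DOMAINS, build_records(fixed))
```

Against a live zone the same chain is what `dig CNAME` followed by `dig TXT` in #6 walks by hand.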


#13

@rg305

For backtoschoolimmunization.org, The entry that was added is

_acme-challenge CNAME _acme-challenge.ekicocvalidation.com

I could successfully renew the certificates for that domain. The problem I am having is with
int.backtoschoolimmunization.org and qa.backtoschoolimmunization.org

One more question: when I ping _acme-challenge.ekicocvalidation.com there is no response. Is that normal, or could it be creating an issue?


#14

Hi @Pradeep

This is normal. These are only TXT entries, so no server is required -> no server is able to answer a ping.


#15

nslookup _acme-challenge.backtoschoolimmunization.org returns:
_acme-challenge.backtoschoolimmunization.org

nslookup _acme-challenge.int.backtoschoolimmunization.org returns:
UnKnown can't find _acme-challenge.int.backtoschoolimmunization.org: Non-existent domain

nslookup _acme-challenge.qa.backtoschoolimmunization.org returns:
UnKnown can't find _acme-challenge.qa.backtoschoolimmunization.org: Non-existent domain

Also, when renewing multiple names that require TXT records:
You will need to ensure that all TXT records are added and exist (simultaneously).
That is, if for any reason subsequent TXT record additions overwrite any previous TXT record entries (so that only one TXT record exists at a time), you will need to add all the required TXT records at once (at the same time - with a line break between them).


#16

Rudy,
This is not resolving because they are internal domains. When I do
nslookup _acme-challenge.qa.backtoschoolimmunization.org ---- I get

Non-authoritative answer:
_acme-challenge.qa.backtoschoolimmunization.org canonical name = _acme-challenge.ekicocvalidation.com

I added _acme-challenge.int.backtoschoolimmunization.org and it seems like it still doesn't resolve the issue. I am attaching the log file. Can you please take a look if you don't mind.

Thank you @rg305 @JuergenAuer @stevenzhu

acme.txt (12.8 KB)


#17

Hi,

In this case, could you please try to add those records (only TXT records) to the public DNS the domain is using? Otherwise Let's Encrypt is not able to issue certificates for those domains.

Thank you


#18

Steven, we added
_acme-challenge.int.backtoschoolimmunization.org CNAME _acme-challenge.ekicocvalidation.com

I attached the log file that was generated after I tried to renew. Can you please take a look.

Also, after adding _acme-challenge.int.backtoschoolimmunization.org instead of _acme-challenge.int, and doing an NSLOOKUP, I get

** server can’t find _acme-challenge.int.backtoschoolimmunization.org: NXDOMAIN

acme.txt (12.8 KB)


#19

Validation happens entirely on the external side.
You will have to obtain the cert from a system that has access to the Internet and can also update an Internet DNS zone.
The CNAME entries were to permanently forward the non-public zones to a publicly accessible zone.
They have to be in place for this to work.
The CNAME entries only need to be added to the public DNS zone.


#20

It still doesn’t exist in your public DNS records.

$ dig _acme-challenge.int.backtoschoolimmunization.org txt

; <<>> DiG 9.13.4-1+ubuntu16.04.1+deb.sury.org+1-Ubuntu <<>> _acme-challenge.int.backtoschoolimmunization.org txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32249
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.int.backtoschoolimmunization.org. IN TXT

;; AUTHORITY SECTION:
backtoschoolimmunization.org. 300 IN    SOA     dns.illinois.net. hostmaster.cityofchicago.org. 2018101702 14400 3600 2419200 300

;; Query time: 25 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Dec 04 17:14:43 UTC 2018
;; MSG SIZE  rcvd: 154