Is there a way I can check that online, about the entries made in the DNS, using a tool? We don't manage the DNS and it takes a long time to get a reply from that department.
Or you could also try to query your NS server directly and ask it for the latest status.
First, you'll need to check the CNAME status:
dig CNAME _acme-challenge.int.backtoschoolimmunization.org.
dig CNAME _acme-challenge.qa.backtoschoolimmunization.org.
dig CNAME _acme-challenge.backtoschoolimmunization.org.
Then, if all the CNAMEs showed up as usual, check the TXT record:
dig TXT _acme-challenge.ekicocvalidation.com @ns31.domaincontrol.com
If you are trying to request certificates for int.backtoschoolimmunization.org, qa.backtoschoolimmunization.org, and backtoschoolimmunization.org, the entries should be correct (all with _acme-challenge.)...
However, you haven't added CNAME to _acme-challenge.int.backtoschoolimmunization.org and _acme-challenge.qa.backtoschoolimmunization.org... (which you said should CNAME to _acme-challenge.ekicocvalidation.com, according to that table)
Those were the entries initially added when the certificates were issued.
I remember GoDaddy automatically picks up .backtoschoolimmunization.org after _acme-challenge.int. That was the reason I did not make a CNAME entry to _acme-challenge.int.backtoschoolimmunization.org.
Thank you for bringing that up. I have a follow-up question if you don't mind.
Is it the same with all hosting services or just GoDaddy? Because now this domain is moved to a local DNS.
A local DNS system will (should) be easier to manage; but you still have to have one CNAME per name:
_acme-challenge.int.backtoschoolimmunization.org > _acme-challenge.ekicocvalidation.com
_acme-challenge.qa.backtoschoolimmunization.org > _acme-challenge.ekicocvalidation.com
_acme-challenge.backtoschoolimmunization.org > _acme-challenge.ekicocvalidation.com
Also, when renewing multiple names that require TXT records:
You will need to ensure that all TXT records are added and exist (simultaneously).
That is, if for any reason subsequent TXT record additions overwrite any previous TXT record entries (so that only one TXT record exists at a time), you will need to add all the required TXT records at once (at the same time - with a line break between them).
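As an added example (not code from this thread or from Let's Encrypt), a small Python helper that does what the check above describes by hand: it follows the _acme-challenge CNAME chain for a hostname and then verifies that every required TXT token is present at the end of the chain at the same time. `check_dns01`, `live_lookup`, `sample_lookup`, the sample zone and the token values are all constructed for this example; live queries use dnspython if it is installed, and the optional nameserver must be given as an IP address.

```python
"""Follow the _acme-challenge CNAME delegation for a hostname and check the
TXT records at the end of the chain, the way a DNS-01 validator would.
Hypothetical helper written for this example; not part of the thread."""


def check_dns01(hostname, expected_tokens, lookup, max_hops=8):
    """Return (final_name, missing_tokens); raise ValueError on a CNAME loop.
    `lookup(name, rtype)` must return a list of record strings."""
    name = f"_acme-challenge.{hostname}".rstrip(".") + "."
    seen = []
    for _ in range(max_hops):
        seen.append(name)
        targets = lookup(name, "CNAME")
        if not targets:            # no CNAME here: this is where TXT must live
            break
        name = targets[0].rstrip(".") + "."
        if name in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [name]))
    else:
        raise ValueError(f"CNAME chain longer than {max_hops} hops")
    # All required tokens must exist simultaneously in the final TXT set.
    txt = {t.strip('"') for t in lookup(name, "TXT")}
    return name, sorted(set(expected_tokens) - txt)


def live_lookup(name, rtype, nameserver=None):
    """Real DNS lookup via dnspython (optional dependency); nameserver is an IP."""
    import dns.resolver
    r = dns.resolver.Resolver()
    if nameserver:
        r.nameservers = [nameserver]
    try:
        return [rr.to_text() for rr in r.resolve(name, rtype)]
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []


# Constructed sample zone mirroring the delegation discussed in the thread:
# qa. and the apex are delegated, int. has no CNAME yet. Tokens are placeholders.
SAMPLE_ZONE = {
    ("_acme-challenge.qa.backtoschoolimmunization.org.", "CNAME"): ["_acme-challenge.ekicocvalidation.com."],
    ("_acme-challenge.backtoschoolimmunization.org.", "CNAME"): ["_acme-challenge.ekicocvalidation.com."],
    ("_acme-challenge.ekicocvalidation.com.", "TXT"): ['"token-for-qa"', '"token-for-apex"'],
}


def sample_lookup(name, rtype):
    """Offline stand-in for live_lookup, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    for host in ("qa.backtoschoolimmunization.org", "int.backtoschoolimmunization.org"):
        final, missing = check_dns01(host, ["token-for-qa", "token-for-apex"], sample_lookup)
        print(f"{host}: TXT checked at {final}; missing tokens: {missing or 'none'}")
```

For the un-delegated int. name the helper reports both tokens missing, because without the CNAME the validator looks for TXT records at the internal name itself.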
Rudy,
This is not resolving because they are internal domains. When I do
nslookup _acme-challenge.qa.backtoschoolimmunization.org
I get:
Non-authoritative answer:
_acme-challenge.qa.backtoschoolimmunization.org canonical name = _acme-challenge.ekicocvalidation.com
I added _acme-challenge.int.backtoschoolimmunization.org and it seems like it still doesn't resolve the issue. I am attaching the log file. Can you please take a look if you don't mind?
In this case, could you please try to add those records (only the TXT records) to the public DNS the domain is using? Otherwise Let's Encrypt is not able to issue certificates for those domains.
Validation happens entirely on the external side.
You will have to obtain the cert from a system that has access to the Internet and can also update an Internet DNS zone.
The CNAME entries were to permanently forward the non-public zones to a publicly accessible zone.
They have to be in place for this to work.
The CNAME entries only need to be added to the public DNS zone.