Error while renewing ceritificates using acme.sh DNSapi method

Pradeep · December 4, 2018, 5:38pm

@rg305
This is the same server that was used to generate the certificates the first time for all three domains. Also, I can renew certificates for backtoschoolimmunization.org but not the other two domains from this server. So I think that is not an issue.

Pradeep · December 4, 2018, 5:48pm

@mnordhoff

for int.backtoschoolimmunization.org, the DNS entry is

_acme-challenge.int.backtoschoolimmunization.org CNAME _acme-challenge.ekicocvalidation.com

For qa.backtoschoolimmunization.org, The DNS entry is
_acme-challenge.qa CNAME _acme-challenge.ekicocvalidation.com

For this when I do dig, it is returning with an answer

[SVC-apache@dw21wil50 acme.sh-master]$ dig _acme-challenge.qa.backtoschoolimmunization.org

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> _acme-challenge.qa.backtoschoolimmunization.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47319
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.qa.backtoschoolimmunization.org. IN A

;; ANSWER SECTION:
_acme-challenge.qa.backtoschoolimmunization.org. 3600 IN CNAME _acme-challenge.ekicocvalidation.com.

;; AUTHORITY SECTION:
ekicocvalidation.com. 135 IN SOA ns31.domaincontrol.com. dns.jomax.net. 2018120415 28800 7200 604800 600

;; Query time: 4 msec
;; SERVER: 10.96.254.16#53(10.96.254.16)
;; WHEN: Tue Dec 04 11:42:17 CST 2018
;; MSG SIZE rcvd: 194

mnordhoff · December 4, 2018, 6:01pm

It doesn’t exist in your public DNS zone. The CNAME and TXT records have to exist in public, not just on the private side of your split horizon setup.

Pradeep · December 4, 2018, 6:16pm

@mnordhoff

I am sorry, I didnt understand what you meant. Do you mean the entries should also be added in external DNS. Right now they are only added in internal DNS. Can you please elaborate.

Thank you for the quick response

mnordhoff · December 4, 2018, 6:18pm

Yes, exactly. The CNAME records -- and TXT records -- need to be in the external DNS, if that's what you call it.

Pradeep · December 4, 2018, 8:55pm

Thank you @mnordhoff. After adding the entry in external DNS, I could renew certificates to the domains.

@stevenzhu @rg305 @JuergenAuer @mnordhoff Thank you guys. Great Support

system · January 3, 2019, 8:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error during DNS-based certificate renewal (acme.sh) Help	11	6543	July 14, 2019
DNS problem: NXDOMAIN looking up A for hostname.mydomain.tld Help	9	11626	February 23, 2018
Troubles with certbot duplicate certificate renewal using dns challenge acme-dns-certbot Help	10	1761	October 4, 2020
DNS challenge failing: NXDOMAIN looking up TXT Issuance Tech	25	42621	August 15, 2016
I can't renew: NXDOMAIN looking up TXT Help	35	1407	July 22, 2021

Error while renewing ceritificates using acme.sh DNSapi method

Related topics