Failed txt record validation on renewal even though a LetsEncrypt certificate was obtained successfully using win-acme

My domain I want to renew or get new certificate for I already got a working LetsEncrypt certificate using win-acme.v2.2.5.1541.x64.pluggable 2 months ago

I ran this command:
wacs (I used the interactive one and chose M Create certificate (full options)
It produced this output:
[] Preliminary validation succeeded
[] Preliminary validation succeeded
[] Authorization result: invalid
** [] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for this domain","status":400,"instance":null}**

My web server is (include version):
The operating system my web server runs on is (include version):
Microsoft Server 2019
My hosting provider, if applicable, is:
Networksolution but I put my _acme-challenge txt record in my on-prem dns servers and it let me obtained my Letsncrypt certificate with no issue about 2 months ago.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I tried to use control panel from networkstation but it did not even pass preliminary validation.

Here is my dnsviz result for the record: | DNSViz

Let's Encrypt is looking at your public DNS only and cannot see inside your network to query an internal DNS service.

Your ACME client configuration must update your public DNS for the _acme-challenge record(s).

If it worked before you either used HTTP validation instead of DNS validation, or you manually created the TXT record in your public DNS at the time, or something else copied the TXT record from your internal DNS to your public DNS. Either way, it's only your public DNS for your domain that matters for domain validation.


Hi Chris,

Thanks so much for replying. My manager was under the impression the ACME client at my on-prem windows server does all the validations with acme-challenge dns record in the internal network and generates a Let’s Encrypt certificate via the client and then the public will see the certificate. So he thinks there is something wrong with the ACME client that generates the certificate. Is he right or wrong?





1 Like

The Let's Encrypt Certificate Authority is what needs to validate the domain and that happens from their servers on the public internet.


He is unfortunately wrong, every day is a school day and a manager will know that as much as anyone else. Domain Validation for a public CA happens from a public perspective because they are asserting that they agree you control the domain as much as they can see.

I'll also reply to the related win-acme issue because you are trying to automatically renew using Manual DNS which by definition needs a manual input every time you renew. How to uninstall everything related win-acme after a certificate was obtained successfully · Issue #2476 · win-acme/win-acme · GitHub


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.