Failed TXT record validation on renewal even though a Let's Encrypt certificate was obtained successfully using win-acme

My domain is: jssi.com. I want to renew or get a new certificate for c.jssi.com. I already got a working Let's Encrypt certificate using win-acme.v2.2.5.1541.x64.pluggable 2 months ago.

I ran this command:
wacs (I used the interactive one and chose M: Create certificate (full options))
It produced this output:
[c.jssi.com] Preliminary validation succeeded
[c.jssi.com] Preliminary validation succeeded
[c.jssi.com] Authorization result: invalid
** [c.jssi.com] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.c.jssi.com - check that a DNS record exists for this domain","status":400,"instance":null}**

My web server is (include version):
IIS VER 10
The operating system my web server runs on is (include version):
Microsoft Server 2019
My hosting provider, if applicable, is:
Network Solutions, but I put my _acme-challenge TXT record in my on-prem DNS servers and it let me obtain my Let's Encrypt certificate with no issue about 2 months ago.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I tried to use the control panel from networkstation, but it did not even pass preliminary validation.

Here is my dnsviz result for the record: _acme-challenge.c.jssi.com | DNSViz

Let's Encrypt is looking at your public DNS only and cannot see inside your network to query an internal DNS service.

Your ACME client configuration must update your public DNS for the _acme-challenge record(s).

If it worked before you either used HTTP validation instead of DNS validation, or you manually created the TXT record in your public DNS at the time, or something else copied the TXT record from your internal DNS to your public DNS. Either way, it's only your public DNS for your domain that matters for domain validation.

4 Likes
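As an added illustration of the point above (an example script written for this thread, not part of win-acme or of any post in it): a PowerShell pre-flight check that asks the zone's public authoritative name servers for the _acme-challenge TXT record, exactly as the Let's Encrypt validation servers do, and compares the answer with what the on-prem resolver returns. Assumptions: the public zone apex is jssi.com, the record name is _acme-challenge.c.jssi.com, and 10.0.0.53 is a placeholder for the internal DNS server.

```powershell
# Pre-flight DNS-01 check before running wacs (example, not win-acme code).
# Assumptions: zone apex jssi.com, record _acme-challenge.c.jssi.com,
# $Internal is a PLACEHOLDER for the on-prem DNS server address.
$Record   = '_acme-challenge.c.jssi.com'
$Zone     = 'jssi.com'
$Internal = '10.0.0.53'   # placeholder: your internal DNS server
$Public   = '1.1.1.1'     # any public recursive resolver, used only to find the zone's NS

function Get-TxtValues {
    param([string]$Name, [string]$Server)
    try {
        $rr = Resolve-DnsName -Name $Name -Type TXT -Server $Server -DnsOnly -ErrorAction Stop
        return @($rr | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' })
    } catch {
        return @()   # NXDOMAIN or no answer: this is what the CA would see
    }
}

# Step 1: find the public authoritative name servers for the zone.
$ns = (Resolve-DnsName -Name $Zone -Type NS -Server $Public -DnsOnly -ErrorAction Stop |
       Where-Object { $_.Type -eq 'NS' }).NameHost

# Step 2: what the internal resolver says (what the OP's manager expected to matter).
$internalTxt = Get-TxtValues -Name $Record -Server $Internal
Write-Host "Internal ($Internal):" ($internalTxt -join ', ')

# Step 3: what each public authoritative server says (what Let's Encrypt actually checks).
$ok = $true
foreach ($server in $ns) {
    $publicTxt = Get-TxtValues -Name $Record -Server $server
    Write-Host "Public NS ${server}:" ($publicTxt -join ', ')
    if (-not $publicTxt) {
        $ok = $false
        Write-Warning "$server returns no TXT for $Record (NXDOMAIN); validation will fail"
    } elseif (-not ($publicTxt | Where-Object { $internalTxt -contains $_ })) {
        $ok = $false
        Write-Warning "$server TXT value does not match the internal record"
    }
}
if ($ok) { Write-Host "All public authoritative servers return the token; wacs validation should pass." }
```

If the internal line shows a value and every public line is empty, the record exists only on the on-prem servers, which is the situation the error in the first post describes.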

Hi Chris,

Thanks so much for replying. My manager was under the impression the ACME client at my on-prem windows server does all the validations with acme-challenge dns record in the internal network and generates a Let’s Encrypt certificate via the client and then the public will see the certificate. So he thinks there is something wrong with the ACME client that generates the certificate. Is he right or wrong?

Thanks,


1 Like

The Let's Encrypt Certificate Authority is what needs to validate the domain and that happens from their servers on the public internet.

4 Likes

He is unfortunately wrong; every day is a school day, and a manager will know that as much as anyone else. Domain validation for a public CA happens from a public perspective, because they are asserting that they agree you control the domain as far as they can see.

I'll also reply to the related win-acme issue, because you are trying to automatically renew using Manual DNS, which by definition needs manual input every time you renew. How to uninstall everything related win-acme after a certificate was obtained successfully · Issue #2476 · win-acme/win-acme · GitHub

3 Likes
