In case it matters, my end goal is a cert for autodiscover (and maybe OWA) on Exchange 2010. I have split DNS on the server (but all DNS mentioned forthwith is on the public authoritative NS for my domain, thomas-mail.com, and not in the local zone file on the SBS2011 box). I have a DDNS entry on namecheap for remote.thomas-mail (and can do others for webmail and autodiscover; I just wanted to figure this out first).
My domain is:
thomas-mail.com (I’m doing a test to get a cert for remote.thomas-mail.com)
My NS is namecheap
Commands below are using ACMESharp on PowerShell. (Shouldn't matter, but this is all on SBS2011 (Win 2008 R2 SP1, with WMF 3.0 for PowerShell 3). Everything is fine on the server and PowerShell side.)
(1) I ran this command:
New-ACMERegistration -Contacts mailto:mrbaggins(at, only the symbol)hotmail.com -AcceptTos
(1) It produced this output:
Contacts : {mailto:mrbaggins(at, only the symbol)hotmail.com}
PublicKey : { e = AQAB, kty = RSA, n = A very long alphanumeric string, which I'm guessing you don't need… let me know if that's not the case}
RecoveryKey :
RegistrationUri : https://acme-v01.api.letsencrypt.org/acme/reg/29320383
Links : {https://acme-v01.api.letsencrypt.org/acme/new-authz;rel="next",
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf;rel="terms-of-service"}
TosLinkUri : https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
TosAgreementUri : https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
AuthorizationsUri :
CertificatesUri :
(2) I typed
New-ACMEIdentifier -dns remote.thomas-mail.com -alias remote.t-m
(2) Result:
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : remote.thomas-mail.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4c
Status : pending
Expires : 2/18/2018 10:27:43 PM
Challenges : {, }
Combinations : {0, 1}
(3) My command: Complete-ACMEChallenge remote.t-m -ChallengeType dns-01 -Handler manual
(3) Result:
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : remote.thomas-mail.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4c
Status : pending
Expires : 2/18/2018 10:27:43 PM
Challenges : {, manual}
Combinations : {0, 1}
(4) At this point I took a look at the above captioned webpage to check what DNS change I needed to make (and now understand that that was probably wrong! See below.) I made a change (in namecheap Advanced Management) in DNS (what I assume to be the correct TXT record host): [type] TXT Record [host] _acme-challenge.remote.thomas-mail.com [value] the (I guess challenge) token found in that URL, rather than the different value explicitly stated as the required TXT value found with (Update-ACMEIdentifier remote.t-m -ChallengeType dns-01).challenges, which I got to later.
(4) No response, here, because it was a change on a web interface at namecheap
(5) My command: Submit-ACMEChallenge remote.t-m -ChallengeType dns-01
(5) Response:
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : remote.thomas-mail.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4c
Status : pending
Expires : 2/18/2018 10:27:43 PM
Challenges : {, manual}
Combinations : {0, 1}
(6) My Command : (Update-ACMEIdentifier remote.t-m -ChallengeType dns-01).challenges
(6) Response:
ChallengePart : ACMESharp.Messages.ChallengePart
Challenge :
Type : http-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4c/3424800284
Token : MTM6hyZ-gZkdLoUEgauRPAN_YtYNZT-ohV9wT9272Rc
Status : pending
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName :
HandlerHandleDate :
HandlerHandleMessage :
HandlerCleanUpDate :
HandlerCleanUpMessage :
SubmitDate :
SubmitResponse :
ChallengePart : ACMESharp.Messages.ChallengePart
Challenge : ACMESharp.ACME.DnsChallenge
Type : dns-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/dN4So9am2VSS22iRIDP4oRlRKvrrxCUWwlr1vjFav4c/3424800285
Token : xs6wLtX9t6ovF2YFHzJhpHajy2QnTshCJpNtfG4mXPk
Status : invalid
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName : manual
HandlerHandleDate : 2/11/2018 2:29:07 PM
HandlerHandleMessage : == Manual Challenge Handler - DNS ==
* Handle Time: [2/11/2018 2:29:07 PM]
* Challenge Token: [xs6wLtX9t6ovF2YFHzJhpHajy2QnTshCJpNtfG4mXPk]
To complete this Challenge please create a new Resource
Record (RR) with the following characteristics:
* RR Type: [TXT]
* RR Name: [_acme-challenge.remote.thomas-mail.com]
* RR Value: [NqyMDOTcH6G2blX0vexRpeKcumAlkMq__LNRoLvgjZw]
------------------------------------
HandlerCleanUpDate :
HandlerCleanUpMessage :
SubmitDate : 2/11/2018 2:42:10 PM
SubmitResponse : {StatusCode, Headers, Links, RawContent…}
(7) Realized here that I'd probably put in the TXT record wrong. I changed the DNS config for the value to
NqyMDOTcH6G2blX0vexRpeKcumAlkMq__LNRoLvgjZw
(8) Waited a bit, tried to -force the complete again. Essentially the same output as the previous complete. -force'd the submit, thinking maybe that was necessary. No dice with that. Kept checking (Update-ACMEIdentifier remote.t-m -ChallengeType dns-01).challenges
And a couple of days later, after DNS propagation must have worked through, still invalid. Not 100% sure what my next step is, or even where I'm going wrong, for example in my DNS config, in something I haven't done to refresh/resubmit this that I should be doing, or if I screwed up in a new and exciting way that I didn't foresee.
I don’t want to hit any of the caps on submits or whatever, so I figured I should ask rather than blindly trying stuff.
My web server is (include version):
IIS7 for Exchange 2010 OWA / Autodiscover – although, shouldn’t matter since haven’t gotten there.
The operating system my web server runs on is (include version):
Windows Server 2008 R2 (SP1)
My hosting provider, if applicable, is:
namecheap.com for NS only
I can login to a root shell on my machine (yes or no, or I don’t know):
admin on powershell counts, right?
Thanks so much for wading through this wall of text.
Cordially,
Justin