Office365 emails / website hosting SSL gets verification error

I have a website that has its nameservers set to go to Office365, and from there it uses the IP address of the web server to point to the actual website. So emails are done through Office365, but the website is hosted on a GreenGeeks server. I tried to install Let's Encrypt, but get the verification error below. When I look at the tutorial it tells me that I have to add _acme-challenge Name Server Records to my DNS. To quote them: "It involves delegating the _acme-challenge subdomain to our nameservers. You should have access to set up NS records for a subdomain if you use a third-party DNS provider. At your domain registrar or DNS provider, add the following NS records:
_acme-challenge.acspom.ca NS: chi-ns1.websitehostserver.net". I logged into Office 365 and found the page where to add records, but don't know how I would add them in. Do I have to create a subdomain called _acme-challenge first using cPanel? I'm very new at this, so step-by-step instructions would be great.
Thanks in advance for your help!

My domain is: acspom.ca

I ran this command: Used the SSL Auto-Installer.

It produced this output:
Step 5 of 8 : Test Challenges

Error 54: Waiting on DNS verification. Please try again in 30 minutes. Contact Support if this takes longer than an hour. [5297337]

My web server is (include version): Apache Version 2.4.46

The operating system my web server runs on is (include version): linux

I can login to a root shell on my machine (yes or no, or I don't know): don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel 92.0 (build 9)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): ??

Hello @webstar ,

I suppose you are talking about this guide https://www.greengeeks.com/support/article/lets-encrypt-installation-process/

I don't use Office365, so I've no access to the admin center to provide more info, but I've seen an answer saying that you can't add NS records to your domain in Office365, only A, CNAME, TXT... records but not NS (I can't confirm it, so you should check in the admin center whether you can add NS records or not):

  • In the admin center, go to the Settings > Domains page.
  • On the Domains page, select the domain and then choose DNS Records .
  • Under DNS settings , select Custom Records .
  • Select + New custom record <-- here you should check what are the types of records you can add.

If you can't add NS records then, reading the GreenGeeks guide, you can only get a Let's Encrypt certificate using Option 3: Add TXT Records for Your Domain(s), and that is a manual process that you should repeat every 60-90 days.

I don't know why GreenGeeks doesn't implement an alias mode so you can add _acme-challenge CNAME records in Office365 pointing to a GreenGeeks domain to validate the DNS challenge, and they use only the NS records way... maybe they are more interested in Option 4 so they can sell a "Premium" Certificate.

No, you don't need to add a subdomain called _acme-challenge in your cPanel.

Cheers,
sahsanu


Thanks for your help. No, I can't add actual NS records, just TXT and CNAME, etc. I tried doing it as a CNAME but that didn't work. So I guess you've answered my question... it's just not possible to do it via Office 365. Maybe GreenGeeks will do the alias mode someday!
Thanks again for the quick reply! :slight_smile:


Were you not able to use TXT records?

I just tried that and was able to put in all 3 webservers as TXT records. When I put in _acme-challenge.acspom.ca in the first box it takes off the .acspom.ca after I save it, though. Is that normal?

When I tried to finish the install of SSL afterwards, it still gives me the same DNS verification error. Does the TXT record addition take up to 48 hrs to propagate too?

Thanks so much for your help! :slight_smile:


You've set the webservers as TXT records, but you actually need to set something different in that field: every 60 days, you'll request a token from GreenGeeks to add as a TXT field. That token will be a long random-looking string of letters and numbers.

Note what GreenGeeks says here: https://www.greengeeks.com/support/article/lets-encrypt-installation-process/#option3

Option 3: Add TXT Records for Your Domain(s)
We don’t recommend this method because it requires you to make a manual DNS update every 60 days when the Let’s Encrypt certificate is renewed. However, if none of the other methods work for you, this is a valid option.

Here's what your TXT records look like right now:

$ dig txt _acme-challenge.acspom.ca

; <<>> DiG 9.16.1-Ubuntu <<>> txt _acme-challenge.acspom.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39714
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.acspom.ca.     IN      TXT

;; ANSWER SECTION:
_acme-challenge.acspom.ca. 1800 IN      TXT     "chi-ns2.websitehostserver.net"
_acme-challenge.acspom.ca. 1800 IN      TXT     "ams-ns1.websitehostserver.net"
_acme-challenge.acspom.ca. 1800 IN      TXT     "chi-ns1.websitehostserver.net"

You mention that Office365 hosts your DNS right now. I think your best bet would be to do GreenGeeks Option 1:

Option 1: Change the Name Servers for the Domain(s)

It should be possible to do this, and still use Office365 for your email. Office365 (presumably) just needs an MX record pointing to them, which you can still have after switching your Name Servers to the domain. I recommend asking Office365 support about how to move your DNS to GreenGeeks.

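The reply above makes the key point: a DNS-01 TXT value is a derived token, not a hostname. The following is an added example (not code from the thread, GreenGeeks or Let's Encrypt) that computes what a DNS-01 TXT value looks like per RFC 8555 section 8.4 and RFC 7638, and runs a format check over the three TXT strings quoted in the dig output above. The account key, token and the helper names (b64url, dns01_txt_value, classify_txt_records, would_validate) are constructed for the example; the EC coordinates are placeholder bytes, not a real key.

```python
"""Added example: what an ACME DNS-01 TXT value must look like, checked
against the TXT records quoted from dig earlier in the thread.

Per RFC 8555 section 8.4 the validator queries _acme-challenge.<domain> TXT
and expects   base64url( SHA-256( token + "." + thumbprint(account JWK) ) )
where the thumbprint is the RFC 7638 JWK thumbprint of the account key.
Everything below (key, token, helper names) is constructed for illustration.
"""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only,
    keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The exact string that belongs in the _acme-challenge TXT record."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# base64url of a 32-byte digest, unpadded, is always exactly 43 characters.
_TXT_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def looks_like_dns01_value(value: str) -> bool:
    """Cheap sanity check: hostnames (dots, wrong length) fail this."""
    return bool(_TXT_VALUE_RE.match(value))


def parse_dig_txt(output: str) -> list[str]:
    """Extract the quoted strings from the ANSWER SECTION of `dig txt` output."""
    values, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break
            m = re.search(r'\sIN\s+TXT\s+"([^"]*)"', line)
            if m:
                values.append(m.group(1))
    return values


def classify_txt_records(dig_output: str) -> dict[str, bool]:
    """Map each published TXT value to whether it is even the right shape."""
    return {v: looks_like_dns01_value(v) for v in parse_dig_txt(dig_output)}


def would_validate(expected: str, dig_output: str) -> bool:
    """DNS-01 passes if any published TXT string equals the expected value."""
    return expected in parse_dig_txt(dig_output)


# Answer section as quoted in the thread (the three hostnames the poster
# entered instead of a token).
DIG_OUTPUT_FROM_THREAD = """\
;; ANSWER SECTION:
_acme-challenge.acspom.ca. 1800 IN      TXT     "chi-ns2.websitehostserver.net"
_acme-challenge.acspom.ca. 1800 IN      TXT     "ams-ns1.websitehostserver.net"
_acme-challenge.acspom.ca. 1800 IN      TXT     "chi-ns1.websitehostserver.net"

"""

# Constructed account key: P-256 shape with placeholder coordinates (not a
# real curve point) and a constructed challenge token.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
EXAMPLE_TOKEN = "constructed-token-for-the-example-0123456789"

if __name__ == "__main__":
    expected = dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print("TXT value a client would ask you to publish:", expected)
    for value, ok in classify_txt_records(DIG_OUTPUT_FROM_THREAD).items():
        print(f"{value!r}: {'plausible token' if ok else 'not a DNS-01 value'}")
    print("challenge would pass:", would_validate(expected, DIG_OUTPUT_FROM_THREAD))
```

The value changes every time a new order is placed, because the CA issues a fresh token per challenge, which is why Option 3 is a manual step at each renewal: the TXT record must be replaced with the new value the installer shows, and the old one can be removed afterwards.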

Oh right... TXT is Option 3, which I don't want to do because of the manual renewal.

Right now, the registrar points the DNS to the Microsoft name servers, and then from the Office 365 dashboard it gets pointed to the website using the IP address of the server in an A record, and also has a CNAME www leading to the domain.
Are you saying that the registrar should be pointing to GreenGeeks, and then an MX record points back to Microsoft? Is that done in cPanel?
Or can the registrar point to Microsoft, and Microsoft send a DNS record on to GreenGeeks?
Confusing...
Thanks for your help! :slight_smile:


You've got it exactly right!

There are two places you'll need to make the change:

  • You need GreenGeeks to start serving a copy of your "zone" (that is, all your DNS records, like MX, A, etc.) from their nameservers. Then,
  • You need to change your settings at the registrar to point your NS (nameserver) records at GreenGeeks' servers.

I'm afraid I don't know enough about cPanel to know if it allows you to configure these settings, but your registrar settings definitely won't be in cPanel.


OK, thanks again for your help :slight_smile:


Hello @webstar,

Before trying to make any change to your DNS, double-check the process with Microsoft, with GreenGeeks and with your domain registrar, because besides changing the DNS servers at your registrar to point to GreenGeeks (I don't know if you can manage it from cPanel or using another tool from GreenGeeks) and creating an MX record, you will need to:

1.- Create a TXT record to verify you have control over your domain.
2.- Create an MX record pointing to Microsoft.
3.- Create six CNAME records pointing to different services.
4.- Create an SPF/TXT record.
5.- Create two SRV records.

So, as I said, you should follow the instructions carefully.

Here the doc with the process: Add DNS records to connect your domain - Microsoft 365 admin | Microsoft Docs

Here some instructions for a few host companies (unfortunately GreenGeeks is not in the list): Set up your domain (host-specific instructions) - Microsoft 365 admin | Microsoft Docs

Good luck,
sahsanu


Thanks for the added detail, @sahsanu! I'm not very familiar with Office365 so I didn't know all those steps. Glad you stepped in. :grin:


Thank you! :slight_smile:

