Problems Dynu domains

I have some domains on Dynu. Some examples:

The problem is that for some of the domains the script works perfectly normally and I get the certificate approved, but other domains will not work … and I get this error:

```
Authorization invalid for No TXT record found at _acme-challenge.brevikas.longrangev
At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\3.12.0\Private\Wait-AuthValidation.ps1:34 char:17
+ …             throw "Authorization invalid for $($auth.fqdn): $message" …
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

On the same computer and the same script then works but not


```powershell
# Relaunch elevated if the script is not already running as Administrator
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Output "This script must be run as Administrator"
    $answer = Read-Host "Press (Y)es to run as Administrator or any other key to quit"
    if ($answer -like 'Y') {
        Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
    }
    # Stop the non-elevated instance either way
    exit
}

# Returns the plain-text value of a SecureString (needed for Register-ScheduledTask -Password)
function ConvertFrom-SecureString {
    param([securestring]$secureString)
    (New-Object pscredential ('none', $secureString)).GetNetworkCredential().Password
}

try {

    Write-Output "Setting Execution Policy to RemoteSigned for the current process"
    Set-ExecutionPolicy RemoteSigned -Scope Process

    Write-Output "Installing Posh-ACME and Posh-XProtectMobile"
    Write-Output "To continue, we will need to set PSGallery as a trusted repository."
    if ((Read-Host "Continue? (Y)es, or (N)o?") -notlike "Y") {
        exit
    }

    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose
    Install-Module Posh-ACME -Repository PSGallery -Verbose
    Install-Module Posh-XProtectMobile -Repository PSGallery -Verbose

    $domain = Read-Host "Domain Name"
    $contact = ""
    $dynuClientId = 'REDACTED'
    $dynuSecret = 'REDACTED'
    $DynuParams = @{
        DynuClientID = $dynuClientId
        DynuSecret = $dynuSecret
    }

    # First request; errors from this call are suppressed by -ErrorAction SilentlyContinue
    New-PACertificate -force $domain -AcceptTOS -Contact $contact -DnsPlugin Dynu -PluginArgs $DynuParams -Install -ErrorAction SilentlyContinue
    $stagingCert = Get-PACertificate
    Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $stagingCert.Thumbprint | Remove-Item
    # Switch to the Let's Encrypt production server and request the real certificate
    Set-PAServer LE_PROD
    New-PACertificate -force $domain -AcceptTOS -Contact $contact -DnsPlugin Dynu -PluginArgs $DynuParams -Install -ErrorAction Stop -Verbose

    $DynuParams = $null
    Get-PACertificate | Set-MobileServerCertificate -ErrorAction Stop -Verbose

    # Creates C:\scripts\renew-certificate.ps1
    Write-Output "Setting up automatic certificate renewal script in C:\scripts\"
    if (!(Test-Path C:\scripts)) {
        New-Item C:\scripts -ItemType Directory
    }
    $scriptBlock = {
        function WriteLog {
            Param ([string]$message)
            Add-Content -Path C:\scripts\log.txt -Value "$(Get-Date) - $message"
        }

        try {

            $thumbprint = (Get-PACertificate).Thumbprint
            $cert = Submit-Renewal -WarningAction Stop -ErrorAction Stop
            $cert | Set-MobileServerCertificate

            WriteLog "New certificate installed with thumbprint $($cert.Thumbprint)"
            WriteLog "Removing old certificate with thumbprint $thumbprint"

            Get-ChildItem Cert:\LocalMachine\My |
                Where-Object Thumbprint -eq $thumbprint |
                Remove-Item

        } catch {
            WriteLog $_.Exception.Message
        }
    }
    Set-Content -Path C:\scripts\renew-certificate.ps1 -Value $scriptBlock

    # Create daily scheduled task to call the renewal script
    Write-Output "Registering a new scheduled task to run the renewal script daily"
    $taskName = 'Posh-ACME Certificate Renewal'
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File "C:\scripts\renew-certificate.ps1"'
    $trigger = New-ScheduledTaskTrigger -Daily -At 2am
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
    $credential = Get-Credential -Message "Enter your password to setup the Scheduled Task" -UserName ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
    $taskParams = @{
        Action = $action
        Trigger = $trigger
        TaskName = $taskName
        RunLevel = "Highest"
        User = $credential.UserName
        Password = ConvertFrom-SecureString $credential.Password
    }
    Register-ScheduledTask @taskParams
    $taskParams = $null

    # Edits Windows hosts file so that on the local machine, the $domain address always routes to the local machine
    Write-Output "Adding $domain to the local hosts file"
    $params = @{
        Path = "$($env:SystemRoot)\System32\drivers\etc\hosts"
        Value = "`r`n127.0.0.1  $domain"
    }
    Add-Content @params

    # Launch the default web browser to the mobile server's HTTPS page
    $mobileServer = Get-MobileServerInfo
    $url = "https://$($domain):$($mobileServer.HttpsPort)"
    Write-Output "Finished! Opening a web browser to $url"
    Start-Process $url

} catch {
    # Re-throw so the failure is shown to the user
    throw
}
```


Hey there, @longrange. You probably want to redact the script you posted that contains your Dynu client ID and secret values and then go regenerate new ones in your Dynu control panel.

As for your issue, are you using a free account with Dynu? They impose a limitation of 4 DNS records per domain on a free account. So if your root domain is and you have any records (like an A record pointing to a web server), you might be running into that limitation when creating cert with multiple names in that domain.

You can test just the TXT record publishing with Posh-ACME like this:

Publish-DnsChallenge (Get-PAAccount) faketoken Dynu $DynuParams -Verbose

Run it once for each name in the cert and you should see a “Quota Exception” error once you pass the limit.

Assuming this is the problem, I’m not sure why the original call to New-PACertificate didn’t fail during the TXT record publishing. I’ll have to check how the Dynu plugin is doing its error handling.
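
The per-name publishing test described in the reply above, written out as an added example (not code from the thread or from the Posh-ACME project). It uses the Posh-ACME 3.x function names and the Dynu plugin arguments seen on this page; the host names are constructed placeholders, and the client ID and secret are prompted for instead of being hardcoded in the script.

```powershell
# Constructed placeholder names: replace with every name that goes on the certificate.
$names = 'host1.example.com', 'host2.example.com'

# Prompt for the Dynu API credentials so they never live in the script file.
$cred = Get-Credential -Message 'Dynu Client ID (user name) and Secret (password)'
$DynuParams = @{
    DynuClientID = $cred.UserName
    DynuSecret   = $cred.GetNetworkCredential().Password
}

$account = Get-PAAccount
$token   = 'faketoken'   # any string is fine for a publishing test

$results = foreach ($name in $names) {
    $row = [pscustomobject]@{ Name = $name; Published = $false; Visible = $false; Error = $null }
    try {
        # -ErrorAction Stop turns a plugin error (for example a quota error) into a catchable failure
        Publish-DnsChallenge $name $account $token Dynu $DynuParams -Verbose -ErrorAction Stop
        Save-DnsChallenge Dynu $DynuParams
        $row.Published = $true

        # Give the record time to appear, then look for it the way the ACME server would.
        # The local resolver may cache a negative answer, so a False here can lag behind reality.
        Start-Sleep -Seconds 30
        $txt = Resolve-DnsName "_acme-challenge.$name" -Type TXT -DnsOnly -ErrorAction SilentlyContinue
        $row.Visible = [bool]($txt | Where-Object { $_.Type -eq 'TXT' })
    } catch {
        $row.Error = $_.Exception.Message
    } finally {
        # Remove the test record again so it does not count against any record limit
        if ($row.Published) {
            Unpublish-DnsChallenge $name $account $token Dynu $DynuParams -ErrorAction SilentlyContinue
            Save-DnsChallenge Dynu $DynuParams
        }
    }
    $row
}

$results | Format-Table -AutoSize -Wrap

# Drop the plain-text secret from the session when done
$DynuParams = $null
$cred = $null
```

A name that shows `Published = True` but `Visible = False` points at propagation or zone delegation, while a populated `Error` column points at the plugin or the Dynu API.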


@longrange I have redacted the information in your script so it’s not publicly listed on the community forums. You’ll still want to follow the advice above and regenerate that information.


Hi @rmbolger

The ID and secret are old, so that should not be a problem, but thanks…

In the test script you sent, where should I put the ID and secret?

I have paid for the domain at Dynu.



Hi @rmbolger

I am also a paying member at Dynu.
Then shouldn’t the restriction be a problem?


The ID and secret go into the same $DynuParams hashtable variable you had created in your script. If you’re using a paid account, you shouldn’t (as far as I know) be running into record quota limitations.

Do you get any errors trying to publish a test record for the name you were having trouble with?

