TXT Record Challenge DNS Timeout

Hey guys,
I followed this tutorial: Failed authorization procedure - The server could not connect to the client to verify the domain.
Everything seems straightforward, but at the end I’m failing the DNS challenge due to a timeout.
Acme can successfully create the necessary TXT record over the Dynu API.
But after this “Let’s check each DNS record now.” it fails within 5 minutes.
It retries the whole time, but nothing changes.

My Setup:
Raspberry Pi 2 with acme and ddclient
DDNS Service: Dynu

I uploaded my log to Pastebin: https://paste.ubuntu.com/p/qPB6Mts2zd/

What’s your actual domain?

It’s hard to tell from your post, but if the acme.sh preflight DNS check is failing, then you can try running it with this flag:

--dnssleep 60

(adjust the time to whatever is suitable for Dynu).

This prevents the DNS check from running, and instead replaces it with a static delay.

1 Like

No actual Domain. Just a DDNS Hostname showing at my IP.
Does it not work with a DDNS Service?

A DDNS hostname is a “domain” in the sense that it can have a unique cert associated to it.
A fully qualified domain name.
It looks to be: c0nvert.dyndns.de
[But I might be wrong]

1 Like

I thought maybe acme doesn’t support “domains” in that sense…

Yes this is my Domain : c0nvert.dyndns.de

Do you think the error is on their site, not mine?

I’m trying it now with --dnssleep 90.
But I don’t think it will work.

I think the problem is with the way acme.sh checks whether the DNS record has updated.

If you use --dnssleep 60, it will skip the check, instead just sleeping for 60s.

Now I have a different error.
acme is creating the txt file, but then tells me after 60 or 120 seconds (depends on the dnssleep parameter) it can’t find it and deletes it.
But if you log in to Dynu, one can see the created txt.

https://paste.ubuntu.com/p/bCTnmYZxRx/

I tested 20, 60 and 120 seconds. It’s not working.

Yeah … looking more closely, your nameserver setup doesn’t make any sense to me.

Your domain, c0nvert.dyndns.de, is run by dyndns.de/fix-ip.de.

You are trying to update it via the Dynu API, which is a completely separate service. I don’t see the connection between the two.

It looks like you have added your c0nvert.dyndns.de domain to your Dynu account, but you haven’t actually delegated the domain.

So acme.sh is adding the records to the Dynu nameservers … but nobody sees the change, because your domain is not connected to the Dynu nameservers.

You have to delegate your domain’s nameservers from your dyndns.de/fix-IP.de account to ns1.dynu.com/ns2.dynu.com, otherwise this isn’t going to work.

1 Like
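
A pre-flight check for the mismatch diagnosed above, as an added example that is not part of the original thread or of acme.sh: it walks up from the `_acme-challenge` name to the nearest zone with NS records and compares them with the provider's nameservers. The function names, the `NS_LOOKUP` variable and the stub data are assumptions made for this sketch; the stub's nameserver names are constructed placeholders so the check runs offline.

```shell
# Live lookup: NS records for a name (empty when the name is not a zone cut).
lookup_ns() { dig +short NS "$1"; }

# Walk up the labels until a name with NS records is found; print the zone
# on line 1 and its nameservers (lowercase, no trailing dot) on the rest.
find_delegation() {
  local name="${1%.}" ns
  while [ -n "$name" ]; do
    ns=$("${NS_LOOKUP:-lookup_ns}" "$name" | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u)
    if [ -n "$ns" ]; then printf '%s\n%s\n' "$name" "$ns"; return 0; fi
    case "$name" in *.*) name="${name#*.}" ;; *) return 1 ;; esac
  done
  return 1
}

# Usage: check_delegation <challenge-name> <provider-ns>...
# Returns 0 if every authoritative NS belongs to the provider, 1 on a
# mismatch, 2 if no delegation could be found at all.
check_delegation() {
  local host="$1"; shift
  local out zone ns bad=0
  out=$(find_delegation "$host") || { echo "no delegation found for $host"; return 2; }
  zone=$(printf '%s\n' "$out" | head -n1)
  for ns in $(printf '%s\n' "$out" | tail -n +2); do
    case " $* " in
      *" $ns "*) ;;
      *) echo "MISMATCH: $zone is served by $ns, API writes will not be visible"; bad=1 ;;
    esac
  done
  [ "$bad" -eq 0 ] && echo "OK: $zone is delegated to the provider"
  return "$bad"
}

# Constructed stub standing in for dig (set NS_LOOKUP=sample_lookup).
# The nameserver names returned here are placeholders, not real data.
sample_lookup() {
  case "$1" in
    dyndns.de)    printf 'ns1.placeholder-ddns.example.\nns2.placeholder-ddns.example.\n' ;;
    ddnsfree.com) printf 'NS1.DYNU.COM.\nns2.dynu.com.\n' ;;
  esac
}
```

Without `NS_LOOKUP` set, `check_delegation _acme-challenge.<your host> ns1.dynu.com ns2.dynu.com` queries live DNS through `dig`.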

Wait a second.
Maybe I’m misunderstanding this whole thing, but I thought c0nvert.dyndns.de is my domain, which I freely created on the dynu.com site.
Maybe my created domain is conflicting with an existing domain?

Normally I would buy a domain from Strato, for example, and add an A record with my IP address.

But in this case i read on their site that you can create your own domain for free and have the possibility to add a text record.
Could be I’m mistaking it all…

1 Like

That’s what I’m worried about. Dynu doesn’t own dyndns.de. They didn’t create your subdomain, it already existed.

dyndns.de appears to be a completely separate service with completely different nameservers.

When you “added” it to Dynu, Dynu expects you to delegate the nameservers from your old nameservers to the Dynu servers.

1 Like

Seems to be the case if you think logically about it.
Thank you very much, I will try to make up a new domain and will report back to you.

1 Like

Right - I think you should be able to get c0nvert.dynu.com directly from Dynu, and that should solve your problem.

1 Like

Problem is, if you get it from them, you can’t use the TXT record…
My made-up domain nztzt.gg didn’t work.
Same error.

Actually I only want to secure one site.
I tried it with openssl, but Chrome is complaining about it (cannot be trusted).

Are you sure?

I just went through the Dynu signup process, created acmeshtest.ddnsfree.com, and was able to issue a certificate with acme.sh:

$ export Dynu_ClientId="d0b6676f-55d8-4360-91c4-ce9bb5dbc713"
$ export Dynu_Secret="redacted"
$ acme.sh --issue --dns dns_dynu -d acmeshtest.ddnsfree.com --test
[Sun 28 Jun 2020 10:56:23 AEST] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Sun 28 Jun 2020 10:56:25 AEST] Creating domain key
[Sun 28 Jun 2020 10:56:25 AEST] The domain key is here: /home/alex/.acme.sh/acmeshtest.ddnsfree.com/acmeshtest.ddnsfree.com.key
[Sun 28 Jun 2020 10:56:25 AEST] Single domain='acmeshtest.ddnsfree.com'
[Sun 28 Jun 2020 10:56:25 AEST] Getting domain auth token for each domain
[Sun 28 Jun 2020 10:56:28 AEST] Getting webroot for domain='acmeshtest.ddnsfree.com'
[Sun 28 Jun 2020 10:56:28 AEST] Adding txt value: tkMvMktSeE6ns2BNRtDzcm7VecrdHAnnw06cH8ecpZ8 for domain:  _acme-challenge.acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:28 AEST] Getting Dynu token.
[Sun 28 Jun 2020 10:56:29 AEST] Getting https://api.dynu.com/v2/dns/getroot/acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:30 AEST] Creating TXT record.
[Sun 28 Jun 2020 10:56:32 AEST] The txt record is added: Success.
[Sun 28 Jun 2020 10:56:32 AEST] Let's check each dns records now. Sleep 20 seconds first.
[Sun 28 Jun 2020 10:56:53 AEST] Checking acmeshtest.ddnsfree.com for _acme-challenge.acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:54 AEST] Domain acmeshtest.ddnsfree.com '_acme-challenge.acmeshtest.ddnsfree.com' success.
[Sun 28 Jun 2020 10:56:54 AEST] All success, let's return
[Sun 28 Jun 2020 10:56:54 AEST] Verifying: acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:58 AEST] Success
[Sun 28 Jun 2020 10:56:58 AEST] Removing DNS records.
[Sun 28 Jun 2020 10:56:58 AEST] Removing txt: tkMvMktSeE6ns2BNRtDzcm7VecrdHAnnw06cH8ecpZ8 for domain: _acme-challenge.acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:58 AEST] Getting Dynu token.
[Sun 28 Jun 2020 10:56:59 AEST] Getting https://api.dynu.com/v2/dns/getroot/acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:57:00 AEST] Checking for TXT record.
[Sun 28 Jun 2020 10:57:00 AEST] Getting https://api.dynu.com/v2/dns/9148751/record
[Sun 28 Jun 2020 10:57:01 AEST] Removing TXT record.
[Sun 28 Jun 2020 10:57:04 AEST] Removed: Success
[Sun 28 Jun 2020 10:57:04 AEST] Verify finished, start to sign.
[Sun 28 Jun 2020 10:57:04 AEST] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12010659/106511348
[Sun 28 Jun 2020 10:57:05 AEST] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa7333ddba816f0ee575c9a24e0db2581bfd
[Sun 28 Jun 2020 10:57:06 AEST] Cert success.
[Sun 28 Jun 2020 10:57:06 AEST] Your cert is in  /home/alex/.acme.sh/acmeshtest.ddnsfree.com/acmeshtest.ddnsfree.com.cer
[Sun 28 Jun 2020 10:57:06 AEST] Your cert key is in  /home/alex/.acme.sh/acmeshtest.ddnsfree.com/acmeshtest.ddnsfree.com.key
[Sun 28 Jun 2020 10:57:07 AEST] The intermediate CA cert is in  /home/alex/.acme.sh/acmeshtest.ddnsfree.com/ca.cer
[Sun 28 Jun 2020 10:57:07 AEST] And the full chain certs is there:  /home/alex/.acme.sh/acmeshtest.ddnsfree.com/fullchain.cer
1 Like

If you mean you need arbitrary TXT records (not related to acme-challenge), then maybe you can consider buying a domain, paying for Dynu, or getting a free registered domain from Freenom.

1 Like
