TXT Record Challenge DNS Timeout

Hey guys,
I followed this tutorial: Failed authorization procedure - The server could not connect to the client to verify the domain.
Everything seems straightforward, but at the end I'm failing the DNS challenge due to a timeout.
Acme can successfully create the necessary txt record over the Dynu API.
But after this “Let’s check each DNS record now.” it fails within 5 minutes.
It retries the whole time, but nothing changes.

My Setup:
RspbPi 2 with acme and ddclient
DDNS Service: Dynu

I uploaded my log Pastebin: https://paste.ubuntu.com/p/qPB6Mts2zd/

What’s your actual domain?

It’s hard to tell from your post, but if the acme.sh preflight DNS check is failing, then you can try running it with this flag:

--dnssleep 60

(adjust the time to whatever is suitable for Dynu).

This prevents the DNS check from running, and instead replaces it with a static delay.

1 Like

No actual Domain. Just a DDNS Hostname showing at my IP.
Does it not work with a DDNS Service?

A DDNS hostname is a “domain” in the sense that it can have a unique cert associated to it.
A fully qualified domain name.
It looks to be: c0nvert.dyndns.de
[But I might be wrong]

1 Like

I thought maybe acme doesn’t support “domains” in that sense…

Yes, this is my domain: c0nvert.dyndns.de

Do you think the error is on their side, not mine?

I’m trying it now with --dnssleep 90.
But I don't think it will work.

I think the problem is with the way acme.sh checks whether the DNS record has updated.

If you use --dnssleep 60, it will skip the check, instead just sleeping for 60s.

Now I have a different error.
acme is creating the txt file, but then tells me after 60 or 120 seconds (depends on the dnssleep parameter) that it can’t find it, and deletes it.
But if you log in to Dynu, you can see the created txt.


I tested 20, 60 and 120 seconds. It’s not working.

Yeah … looking more closely, your nameserver setup doesn’t make any sense to me.

Your domain, c0nvert.dyndns.de, is run by dyndns.de/fix-ip.de.

You are trying to update it via the Dynu API, which is a completely separate service. I don’t see the connection between the two.

It looks like you have added your c0nvert.dyndns.de domain to your Dynu account, but you haven’t actually delegated the domain.

So acme.sh is adding the records to the Dynu nameservers … but nobody sees the change, because your domain is not connected to the Dynu nameservers.

You have to delegate your domain’s nameservers from your dyndns.de/fix-IP.de account to ns1.dynu.com/ns2.dynu.com, otherwise this isn’t going to work.

1 Like
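The delegation check described in the post above, as an added example that is not part of the original thread: it compares the nameservers published for a zone with the provider's nameservers (ns1.dynu.com/ns2.dynu.com, as named in the post). The function names and the ns1/ns2.example.net sample values are constructed for illustration, and the live mode assumes `dig` is installed.

```shell
#!/bin/sh
# Added example: check that the zone is delegated to the DNS provider whose
# API acme.sh updates, before attempting a dns-01 challenge.

# Split on whitespace, lower-case, strip the trailing dot, de-duplicate.
normalize_ns() {
    tr -s ' \t' '\n\n' | tr '[:upper:]' '[:lower:]' |
        sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# is_delegated_to "ACTUAL_NS..." "PROVIDER_NS..."
# Succeeds only if every nameserver published for the zone belongs to the
# provider; an empty or mixed NS set fails, since validation queries could
# land on a server that never received the TXT record.
is_delegated_to() {
    actual=$(printf '%s\n' "$1" | normalize_ns)
    expected=$(printf '%s\n' "$2" | normalize_ns)
    [ -n "$actual" ] || return 1
    for ns in $actual; do
        printf '%s\n' "$expected" | grep -qxF "$ns" || return 1
    done
    return 0
}

# zone_ns NAME: walk up the labels until some level publishes NS records.
zone_ns() {
    name=$1
    while :; do
        out=$(dig +short NS "$name") || return 1
        if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
        case $name in *.*) name=${name#*.} ;; *) return 1 ;; esac
    done
}

if [ "$#" -ge 2 ]; then
    # Live mode (needs dig): sh check.sh c0nvert.dyndns.de "ns1.dynu.com ns2.dynu.com"
    domain=$1
    if is_delegated_to "$(zone_ns "$domain")" "$2"; then
        echo "$domain: delegated to provider, TXT updates will be visible"
    else
        echo "$domain: NOT delegated to provider, dns-01 will fail"
    fi
else
    # Offline demo; ns1/ns2.example.net are constructed stand-ins.
    for s in "NS1.DYNU.COM. ns2.dynu.com." "ns1.example.net. ns2.example.net."; do
        if is_delegated_to "$s" "ns1.dynu.com ns2.dynu.com"; then r=ok; else r=FAIL; fi
        echo "$s -> $r"
    done
fi
```
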

Wait a second.
Maybe I'm misunderstanding this whole thing, but I thought c0nvert.dyndns.de is my domain, which I freely created on the dynu.com site.
Maybe my created domain is conflicting with an existing domain?

Normally I would buy a domain from strato, for example, and add an A record with my IP address.

But in this case I read on their site that you can create your own domain for free and have the possibility to add a text record.
Could be I’m mistaking it all…

1 Like

That’s what I’m worried about. Dynu doesn’t own dyndns.de. They didn’t create your subdomain, it already existed.

dyndns.de appears to be a completely separate service with completely different nameservers.

When you “added” it to Dynu, Dynu expects you to delegate the nameservers from your old nameservers to the Dynu servers.

1 Like

Seems to be the case if you think logically about it.
Thank you very much, I will try to make up a new domain and will report back to you.

1 Like

Right - I think you should be able to get c0nvert.dynu.com directly from Dynu, and that should solve your problem.

1 Like

Problem is, if you get it from them, you can’t use the txt record…
My made-up domain nztzt.gg didn’t work.
Same error.

Actually, I only want to secure one site.
I tried it with openssl, but Chrome is complaining about it (cannot be trusted).

Are you sure?

I just went through the Dynu signup process, created acmeshtest.ddnsfree.com, and was able to issue a certificate with acme.sh:

$ export Dynu_ClientId="d0b6676f-55d8-4360-91c4-ce9bb5dbc713"
$ export Dynu_Secret="redacted"
$ acme.sh --issue --dns dns_dynu -d acmeshtest.ddnsfree.com --test
[Sun 28 Jun 2020 10:56:23 AEST] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Sun 28 Jun 2020 10:56:25 AEST] Creating domain key
[Sun 28 Jun 2020 10:56:25 AEST] The domain key is here: /home/alex/.acme.sh/acmeshtest.ddnsfree.com/acmeshtest.ddnsfree.com.key
[Sun 28 Jun 2020 10:56:25 AEST] Single domain='acmeshtest.ddnsfree.com'
[Sun 28 Jun 2020 10:56:25 AEST] Getting domain auth token for each domain
[Sun 28 Jun 2020 10:56:28 AEST] Getting webroot for domain='acmeshtest.ddnsfree.com'
[Sun 28 Jun 2020 10:56:28 AEST] Adding txt value: tkMvMktSeE6ns2BNRtDzcm7VecrdHAnnw06cH8ecpZ8 for domain:  _acme-challenge.acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:28 AEST] Getting Dynu token.
[Sun 28 Jun 2020 10:56:29 AEST] Getting https://api.dynu.com/v2/dns/getroot/acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:30 AEST] Creating TXT record.
[Sun 28 Jun 2020 10:56:32 AEST] The txt record is added: Success.
[Sun 28 Jun 2020 10:56:32 AEST] Let's check each dns records now. Sleep 20 seconds first.
[Sun 28 Jun 2020 10:56:53 AEST] Checking acmeshtest.ddnsfree.com for _acme-challenge.acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:54 AEST] Domain acmeshtest.ddnsfree.com '_acme-challenge.acmeshtest.ddnsfree.com' success.
[Sun 28 Jun 2020 10:56:54 AEST] All success, let's return
[Sun 28 Jun 2020 10:56:54 AEST] Verifying: acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:58 AEST] Success
[Sun 28 Jun 2020 10:56:58 AEST] Removing DNS records.
[Sun 28 Jun 2020 10:56:58 AEST] Removing txt: tkMvMktSeE6ns2BNRtDzcm7VecrdHAnnw06cH8ecpZ8 for domain: _acme-challenge.acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:56:58 AEST] Getting Dynu token.
[Sun 28 Jun 2020 10:56:59 AEST] Getting https://api.dynu.com/v2/dns/getroot/acmeshtest.ddnsfree.com
[Sun 28 Jun 2020 10:57:00 AEST] Checking for TXT record.
[Sun 28 Jun 2020 10:57:00 AEST] Getting https://api.dynu.com/v2/dns/9148751/record
[Sun 28 Jun 2020 10:57:01 AEST] Removing TXT record.
[Sun 28 Jun 2020 10:57:04 AEST] Removed: Success
[Sun 28 Jun 2020 10:57:04 AEST] Verify finished, start to sign.
[Sun 28 Jun 2020 10:57:04 AEST] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12010659/106511348
[Sun 28 Jun 2020 10:57:05 AEST] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa7333ddba816f0ee575c9a24e0db2581bfd
[Sun 28 Jun 2020 10:57:06 AEST] Cert success.
[Sun 28 Jun 2020 10:57:06 AEST] Your cert is in  /home/alex/.acme.sh/acmeshtest.ddnsfree.com/acmeshtest.ddnsfree.com.cer
[Sun 28 Jun 2020 10:57:06 AEST] Your cert key is in  /home/alex/.acme.sh/acmeshtest.ddnsfree.com/acmeshtest.ddnsfree.com.key
[Sun 28 Jun 2020 10:57:07 AEST] The intermediate CA cert is in  /home/alex/.acme.sh/acmeshtest.ddnsfree.com/ca.cer
[Sun 28 Jun 2020 10:57:07 AEST] And the full chain certs is there:  /home/alex/.acme.sh/acmeshtest.ddnsfree.com/fullchain.cer
1 Like

If you mean you need arbitrary TXT records (not related to acme-challenge), then maybe you can consider buying a domain, paying for Dynu, or getting a free registered domain from Freenom.

1 Like
