TXT record to enter in DNS unknown, cannot complete challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
monext.testvgz.nl

I ran this command:
Complete-ACMEChallenge mo-testenvironment -ChallengeType dns-01 -Handler manual

It produced this output:
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : monext.testvgz.nl
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/_jghGaMKOHQ8duNZ9t5W2YGsaTE7q5uuqtqJBWQwpXM
Status : pending
Expires : 29-11-2017 15:14:39
Challenges : {, , manual}
Combinations : {1, 2, 0}

My web server is (include version):
IIS 7.5

The operating system my web server runs on is (include version):
Windows Server 2012 R2

My hosting provider, if applicable, is:
Leaseweb

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

My problem is: according to https://github.com/ebekker/ACMESharp/wiki/Quick-Start, the command Complete-ACMEChallenge should produce output like the following:
PS> Complete-ACMEChallenge dns1 -ChallengeType dns-01 -Handler manual
== Manual Challenge Handler - DNS ==

  • Handle Time: [1/12/2016 1:41:51 PM]
  • Challenge Token: [xfc0oQahXVqdaBlcZbk5nL8H-GSDFCoQ8LGzOL07qVI]
    To complete this Challenge please create a new Resource
    Record (RR) with the following characteristics:
  • RR Type: [TXT]
  • RR Name: [_acme-challenge.example.com]
  • RR Value: [vNx_fpLgvq0l4rqSATuxhxl9pa155SoeKvNZ98AFB_4]

but it does not; it produces the output I described above. I cannot enter the required Resource Record into the DNS. My PowerShell version is:

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      -1     -1

I'm completely stumped at how I can get the required token to enter into the DNS, so I cannot do a Submit-ACMEChallenge. When I browse to https://acme-v01.api.letsencrypt.org/acme/authz/_jghGaMKOHQ8duNZ9t5W2YGsaTE7q5uuqtqJBWQwpXM I see the dns-01 token section. Do I need to get that token, calculate a SHA256 base64 hash from it using http://approsto.com/sha-generator/ and enter that one in the DNS? According to https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.5 there needs to be a key authorization field, but that's not there. That's only there when I do a Submit-ACMEChallenge, and then the validation fails because the DNS record is not set up correctly. I know the DNS record has to be of the format _acme-challenge.monext.testvgz.nl.

Help is appreciated.

Let's begin at the beginning…

Do you understand where, and how, the DNS entry should be found?

hint:
testvgz.nl nameserver = ns1.leaseweb.nl
testvgz.nl nameserver = ns4.leaseweb.net
testvgz.nl nameserver = ns5.leaseweb.nl

Hi, thanks for your reply. Yes, I do. At the moment there is no TXT record created at that domain, but that's because I deleted earlier attempts to start over again.

Ok, then I would try it again and test each DNS server to ensure it has propagated to all three before continuing.

It did but I just found a solution to my problem. The challenge details are stored within the Challenges property:

(Get-ACMEIdentifier mo-testenvironment).Challenges

It was a bit confusing, as I understood that this output was given automatically when running Complete-ACMEChallenge, and information on where else to get it seemed to be a bit sparse. Now I'm seeing the necessary details as expected. I got my info from this thread, which I'm posting here for future reference:

Thanks for your replies though; help is always appreciated.
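The derivation the original poster was guessing at, as an added worked example that is not part of this thread or of ACMESharp: for dns-01 the RR Value is the base64url SHA-256 of the key authorization, that is of token + "." + base64url(RFC 7638 thumbprint of the ACME account key), not a hash of the bare token (RFC 8555 sections 8.1 and 8.4, the same rule as draft-ietf-acme-acme-07 section 8.5). The script computes the RR Name and RR Value for a given token and account JWK, and then checks per authoritative nameserver whether the value has propagated, which is the "test each DNS server" step suggested above. The token reused here is the one from the ACMESharp wiki output quoted earlier in the thread; the account JWK and the per-nameserver answers are constructed sample data, not a real key or real DNS responses, and names such as dns01_txt_value and check_nameservers are this example's own, not ACMESharp cmdlets.

```python
"""
Added example (not code from the thread or from ACMESharp): derive the dns-01
TXT record for a challenge token and an ACME account key, then compare what
each authoritative nameserver returned against the expected value.

  keyAuthorization = token || "." || base64url(JWK_Thumbprint(accountKey))
  TXT value        = base64url(SHA-256(keyAuthorization))

JWK thumbprint (RFC 7638): SHA-256 over the *required* public members only,
lexicographically ordered, no whitespace.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Required members per key type (RFC 7638 section 3.2). Optional members such
# as "kid" or "alg" must not be part of the thumbprint input.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON of the required members))."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The keyAuthorization string the server expects for this token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RR Value to publish: base64url(SHA-256(keyAuthorization)).
    Note it is a hash of token.thumbprint, not of the bare token."""
    key_auth = key_authorization(token, account_jwk).encode("utf-8")
    return b64url(hashlib.sha256(key_auth).digest())


def dns01_record_name(identifier: str) -> str:
    """RR Name: _acme-challenge. prefixed to the identifier being validated."""
    return "_acme-challenge." + identifier.rstrip(".")


def check_nameservers(expected: str, answers: dict) -> dict:
    """answers maps nameserver -> list of TXT strings it returned for the
    record name (collected with one direct query per nameserver).
    Returns nameserver -> True when the expected value is among them."""
    return {ns: expected in txts for ns, txts in answers.items()}


# --- constructed sample input: NOT a real account key, NOT a live challenge ---
SAMPLE_TOKEN = "xfc0oQahXVqdaBlcZbk5nL8H-GSDFCoQ8LGzOL07qVI"   # token from the wiki output quoted above
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key",   # constructed placeholder modulus
    "kid": "ignored-by-the-thumbprint",     # optional member, must be excluded
}


def demo():
    """Compute the record and check constructed per-nameserver answers:
    one nameserver correct, one still serving a stale value from an earlier
    attempt, one with no record yet."""
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    answers = {                                   # constructed responses
        "ns1.leaseweb.nl": [expected],
        "ns4.leaseweb.net": ["stale-value-from-an-earlier-attempt"],
        "ns5.leaseweb.nl": [],
    }
    name = dns01_record_name("monext.testvgz.nl")
    return name, expected, check_nameservers(expected, answers)


if __name__ == "__main__":
    name, value, status = demo()
    print(f"RR Type: TXT\nRR Name: {name}\nRR Value: {value}")
    for ns, ok in status.items():
        print(f"{ns}: {'OK' if ok else 'NOT PROPAGATED'}")
```

With ACMESharp the token is the one shown for the dns-01 challenge under (Get-ACMEIdentifier ...).Challenges (and at the authz URL), and the manual handler prints the same RR Name and RR Value for you, so recomputing it by hand is mainly a way to confirm what a handler printed. For the propagation check, query each nameserver listed for the zone directly (for example Resolve-DnsName -Name _acme-challenge.monext.testvgz.nl -Type TXT -Server ns1.leaseweb.nl, repeated for ns4.leaseweb.net and ns5.leaseweb.nl) and feed the returned strings to check_nameservers; only when every nameserver reports True is it safe to run Submit-ACMEChallenge, because Let's Encrypt may query any of them.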

Excellent.
All’s well that ends well :slight_smile:
