TXT record verification

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: felzer.com

I ran this command: https://mxtoolbox.com/SuperTool.aspx?action=txt%3Afelzer.com&run=toolpage#

It produced this output:

Type Domain Name TTL Record
_acme-challenge.felzer.com.=VQ_4oITDICs0scP5VW4HWfeOxXECA1XeM8I-mRJO4yU
_acme-challenge.felzer.com=VQ_4oITDICs0scP5VW4HWfeOxXECA1XeM8I-mRJO4yU
_acme-challenge.www.felzer.com.=VQ_4oITDICs0scP5VW4HWfeOxXECA1XeM8I-mRJO4yU
_acme-challenge.www.felzer.com=VQ_4oITDICs0scP5VW4HWfeOxXECA1XeM8I-mRJO4yU

My web server is (include version): Hassio on RP3

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: mydomain.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I am trying to get an SSL cert for my Home assistant server installed on RP3. I am using DNS verification and have created the txt records. Based on some googling I added some additional records with a trailing “.” and a couple with the www added. My dns verification still fails with a no TXT record found. I am sure I have something wrong with the txt records (other than not needing the www ones) but I cannot figure out what is wrong.

Thanks

Hi,

You are supposed to deploy the record to _acme-challenge.felzer.com instead of the root domain…

Thank you

You have concatenated the _acme-challenge part with the token part. Those two items are NOT to be one thing, they are separate entities.

The _acme-challenge part is best explained as a ‘subdomain’ to the hostname you’re authenticating: if you want to authenticate the ‘base domain’ felzer.com, you’ll need to add the value VQ_4oITDICs0scP5VW4HWfeOxXECA1XeM8I-mRJO4yU to the hostname _acme-challenge.felzer.com (as a TXT record).
If you’d want to authenticate the subdomain www.felzer.com, you’d have to add another token value to the “sub-sub”-domain _acme-challenge.www.felzer.com (of course with type TXT again).

Now you’ve added the (erroneous) concatenated stuff ("_acme-challenge"+token value) to the hostname felzer.com and www.felzer.com.

Do you understand the difference?

Also, if you’d like to authenticate the www subdomain, certbot will give you a distinct token value which is different than the token for the ‘bare’ domain felzer.com.


Hi @tika911

if you want to use the dns-01 - validation, mxtoolbox.com should show something like that:

So, as name, use only _acme-challenge, as type txt, as record the string.

Thanks for the quick responses. This crappy registrar does not allow its customers to create dns records for subdomains. I have to open a ticket to get this done. Doing that now…

Really? Is it possible that you create a picture of these settings?

If you are able to create a txt - entry, that should work.

[image: screenshot of the registrar's DNS settings panel, not reproduced]

But you can add TXT records to the domain itself and to the www domain. How did you make that distinction on the configuration panel?

I only added them at the root domain. When I tried the www subdomain I just pasted the verification string in with the www inserted before the domain name.

Mhm. This does not look good. There, you can’t add the _acme-challenge - part.

Are there more options under “Modify”? Or is it possible to add txt entries under “Subdomains”?

Creating a subdomain _acme-challenge, then add a txt entry.

I tried that. I can create a subdomain that points at a URL but I cannot create a txt record for it. I contacted them via chat and they told me they have added the record on the backend (and I was not able to do it) but it will take 24-48 hours to propagate. Guess I will find out in 1-2 days.

They probably mean propagate to recursive resolvers - it shouldn’t take more than 5-10 minutes to deploy to your authoritative name servers. That being said, they’re not available yet on authoritative name servers ns1.yourhostingaccount.com and ns2.yourhostingaccount.com.

But there are A records named _acme-challenge.felzer.com. and _acme-challenge.www.felzer.com.. I’m worried they may have configured the wrong thing.

But maybe the TXT records will show up later.
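The two mistakes in this thread (the `_acme-challenge` label pasted into the TXT *value* at the apex, and the provider creating A records at the `_acme-challenge` names instead of TXT records) can both be caught before running the client again. Below is an added example, not code from the thread or from any ACME client, that takes the records a resolver reports for a zone and says whether a dns-01 validation of a given name would find its token. Domain `example.com`, the token value and the record sets are constructed for illustration.

```python
# Added example (not from the original thread): offline checker for the
# dns-01 record layout. Given the records a resolver reports for a zone, it
# tells you whether the ACME dns-01 validation of `identifier` would find the
# token, and names the two mistakes discussed in the thread.
from __future__ import annotations
from dataclasses import dataclass

ACME_LABEL = "_acme-challenge"


@dataclass(frozen=True)
class Record:
    name: str    # owner name, with or without a trailing dot
    rtype: str   # "TXT", "A", "CNAME", ...
    value: str   # record data as a string


def canon(name: str) -> str:
    """Lower-case and drop the trailing dot so 'example.com.' == 'example.com'."""
    return name.strip().lower().rstrip(".")


def check_dns01(identifier: str, token: str, records: list[Record]) -> dict:
    """Diagnose whether dns-01 for `identifier` would succeed with `token`.

    The validator looks up TXT at "_acme-challenge." + identifier; nothing at
    the identifier itself is consulted. Returns ok flag, the name that must
    carry the TXT record, and a list of human-readable problems found.
    """
    ident = canon(identifier)
    want_name = f"{ACME_LABEL}.{ident}"
    problems: list[str] = []
    ok = False
    for r in records:
        name, rtype = canon(r.name), r.rtype.upper()
        if name == want_name and rtype == "TXT" and r.value == token:
            ok = True                       # exactly what the validator needs
        elif name == want_name and rtype != "TXT":
            # Thread: provider created A records at the _acme-challenge names.
            problems.append(f"{rtype} record at {want_name}; dns-01 needs a TXT record")
        elif name == ident and rtype == "TXT" and r.value.startswith(ACME_LABEL):
            # Thread: "_acme-challenge.<domain>=<token>" pasted as the value at the apex.
            problems.append(
                f"TXT at {name} whose value starts with '{ACME_LABEL}': "
                "that label belongs in the record NAME, not in the value"
            )
    if not ok and not problems:
        problems.append(f"no TXT record named {want_name} with the expected value")
    return {"ok": ok, "expected_name": want_name, "problems": problems}


# Constructed sample data (placeholder token, not a real key authorization).
TOKEN = "EXAMPLE_TOKEN_VALUE"
WRONG_APEX_RECORDS = [  # what the original poster had
    Record("example.com.", "TXT", f"{ACME_LABEL}.example.com.={TOKEN}"),
    Record("www.example.com.", "TXT", f"{ACME_LABEL}.www.example.com.={TOKEN}"),
]
WRONG_TYPE_RECORDS = [  # what the hosting provider created
    Record(f"{ACME_LABEL}.example.com.", "A", "203.0.113.5"),
]
RIGHT_RECORDS = [  # the layout the replies describe
    Record(f"{ACME_LABEL}.example.com.", "TXT", TOKEN),
]

if __name__ == "__main__":
    for label, recs in (("apex", WRONG_APEX_RECORDS), ("type", WRONG_TYPE_RECORDS), ("right", RIGHT_RECORDS)):
        print(label, check_dns01("example.com", TOKEN, recs))
```

Note that `www.example.com` is a separate identifier: `check_dns01("www.example.com", ...)` expects its own TXT record at `_acme-challenge.www.example.com`, with the distinct token the client issues for that name, just as the replies above say.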

Will the current token still work at that time?

HAH, yeah, pretty sure they did it wrong.

@Osiris My understanding is that it’s ok as long as the anti-replay nonce is held onto, which will be a while but probably not two days.

Pending authorizations last for… a week?

If your replay nonce is no good, you can just get a new one. Some ACME clients don’t support that, though.

If you already tried to validate it and the authorization is invalid, you need to get a new authorization, with new TXT record values…

What exactly is the reason you're using the DNS challenge? Is HTTP port 80 closed?


I was able to get it working using the web server. Not sure why I did not try that first. I guess I figured the DNS would be easier and then once down the rabbit hole...


IMHO, DNS is easier as long as you've got a client that supports your provider for automatic record creation. It's also the only way (for the time being) to get a wildcard cert and the only way to get a cert from a non-Internet-facing device (which admittedly is uncommon).

To me, it always seemed like more of a hassle trying to configure your web server in a particular way to satisfy a challenge while also needing to configure it separately for your actual site. Those two purposes often conflict, particularly with all of the HTTP redirect rules people end up putting in and complex web frameworks with routing rules and such. DNS is just more direct.
