Unable to issue certfcate for internal application. Urn:ietf:params:acme:error:dns

ayanalg · February 2, 2021, 4:45pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: certbot.nci.nih.gov

I ran this command: I used the interactive Win-acme. It finds my binding and feels in DNS. This is internal application[ only available inside the firewall]

It produced this output: "type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for certbot.nci.nih.gov - check that a DNS record exists for this domain",
"status": 400

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I am an admin. Hence, Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I am using IIS to manage application.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using Win-acme.

griffin · February 2, 2021, 4:48pm

Welcome to the Let's Encrypt Community, Leul

You need an A/AAAA record in the DNS for certbot.nci.nih.gov that points to the IPv4/IPv6 address of a webserver that responds on port 80 in order to use an http-01 challenge.

https://toolbox.googleapps.com/apps/dig

ayanalg · February 2, 2021, 4:51pm

Thank you for replying Griffin. I already have a DNS record [Cname] and it resolves internally. However, it's not exposed to the outside world. Is it a must it should be external facing? We have applications that works only inside our firewall and not exposed externally.

griffin · February 2, 2021, 4:54pm

You can use a dns-01 challenge instead that requires temporarily adding a TXT record to your DNS with host _acme-challenge.certbot.nci.nih.gov and a random value given by your ACME client. Usually this is a manual process that takes a couple of minutes.

ayanalg · February 2, 2021, 4:56pm

Thank you again Griffin. Is auto renewal possible with dns-01 challenge?

griffin · February 2, 2021, 4:59pm

Yes, if you have a means of automatically creating the DNS TXT record. You could use a CNAME for _acme-challenge.certbot.nci.nih.gov to delegate the dns-01 challenge to acme-dns for this.

https://www.win-acme.com/reference/plugins/validation/dns/

https://www.win-acme.com/reference/plugins/validation/dns/acme-dns

ayanalg · February 2, 2021, 5:00pm

Great. Let me review these docs and I'll get back if I have any questions. Thank you very much.

griffin · February 2, 2021, 5:05pm

You might also consider using one of the Windows-friendly ACME clients listed below. It could make your life significantly easier. They are both designed and supported by frequent contributors to this community and offer great technical support.

https://certifytheweb.com/

Osiris · February 2, 2021, 6:34pm

Note that acme-dns is not required for the dns-01 challenge. It's just something developed for certain purposes, like security et cetera.

ayanalg · February 2, 2021, 7:12pm

Thank you. Even after I add the txt file, I am receiving this error type": "urn:ietf:params:acme:error:dns",
detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nci.nih.gov - check that a DNS record exists for this domain",
status": 400

Question. How does it validates? How does it know where to look?

sahsanu · February 2, 2021, 7:27pm

@ayanalg, are you sure you are creating the TXT record for _acme-challenge.nci.nih.gov? Seems you are creating the TXT record for nci.nih.gov

ayanalg · February 2, 2021, 7:35pm

TXT record

Yes. see attached.

sahsanu · February 2, 2021, 7:40pm

I only see a record but can't see whether it is TXT or not. This record exists now? I'm asking because I see nothing:

$ dig txt _acme-challenge.nci.nih.gov

; <<>> DiG 9.11.1 <<>> txt _acme-challenge.nci.nih.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.nci.nih.gov.   IN      TXT

;; AUTHORITY SECTION:
nci.nih.gov.            900     IN      SOA     nihblox5.nih.gov. hostmaster.nih.gov. 327882 10800 1080 2592000 900

;; Query time: 125 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 02 20:39:27 CET 2021
;; MSG SIZE  rcvd: 112

ayanalg · February 2, 2021, 7:43pm

Let me ask, does the TXT record needs to be externally available? it needs to be resolve outside NIH firewall,? If so, the record is only available internally hence that is why you don't see it.

If my theory is correct, we need a TXT file in our external facing DNS in order to both create and renew?

sahsanu · February 2, 2021, 7:44pm

Yes, it must be available to internet, Let's Encrypt must validate it before issuing the certificate.

ayanalg · February 2, 2021, 7:45pm

Yes, that is the issue then. Let me create the external record and test.

Thank you very much.

system · March 4, 2021, 7:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.