using wacs 2.1.23.1315
I have been able to run the tool to create certs for individual subdomains, all good. However, trying to create a cert for a wildcard seems to work during the --test,
but when running it as normal it seems to fail the validation. I have updated and created the relevant TXT records and _acme subdomain. When I do nslookup with 8.8.8.8 I can see the TXT record showing, but the tool does not complete that validation process. What am I missing, please?
Please provide the exact output of WACS. Even better, please answer the entire questionnaire:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Here is the output:
[DBUG] [.entreesolutions.co.uk] Looking for TXT value jUjFhtyA2n13Rxfb7HY4x0bvLQu4Zdx9Mb7GY3HncCU...
[DBUG] [.entreesolutions.co.uk] Preliminary validation asking 8.8.8.8...
[WARN] [*.entreesolutions.co.uk] Preliminary validation failed: no TXT records found
The correct record has not yet been found by the local resolver. That means
it's likely the validation attempt will fail, or your DNS provider needs a
little more time to publish and synchronize the changes.
Web server is IIS
OS is Windows Server 2019
Domain control is via Heart Internet
Thanks for that, so where do I update those TXT records?
In my domain control for entreesolutions.co.uk, when I enter the subdomain _acme-challenge, as it already has the CNAME, it doesn't seem to allow me to enter a TXT record for that subdomain?
Do I remove the CNAME and just add the subdomain and TXT record?
The CNAME is explained in the topic below, along with examples.
You need to provide more info for us to help you. Like show the wacs command you are trying and explain what '--test' worked.
I see you got Let's Encrypt certs for discrete domain names but not any wildcards yet. What method did you use for the other domain names (link here)? Is a wildcard required?
You need to query _acme-challenge.entreesolutions.co.uk like this:
$ nslookup -q=txt _acme-challenge.entreesolutions.co.uk 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
_acme-challenge.entreesolutions.co.uk canonical name = 9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io text = "qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI"
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io text = "Hrgjaorv8Ohiyjpi5yd9qS8pUpVkc-tSp0FqPxf14Bo"
Authoritative answers can be found from:
See win-acme settings.json - you want to set PreValidateDns to false, as in this case prevalidation is the thing stopping you from being successful.
auth.acme-dns.io did have an outage the other day, but I think that's resolved now.
As an aside, you mentioned in your original post that you have updated and created the relevant TXT records - but, to be clear to anyone else finding this thread later, what you have done is use the acme-dns service and a CNAME record. That's very different to maintaining your own TXT records within your own DNS zone.
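An added example, not code from this thread or from win-acme, that imitates the preliminary DNS check discussed above: it follows the _acme-challenge CNAME to the acme-dns name and looks for the expected TXT value, against an in-memory zone constructed from the nslookup answer, so "no TXT records found" and "record published but the value differs" can be told apart without network access. The names ZONE, resolve_txt and prevalidate are assumptions for this illustration.

```python
from typing import Dict, List, Tuple

# Constructed in-memory zone, copied from the nslookup answer in the thread.
# Keys are (fully-qualified lower-case name with trailing dot, record type).
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.entreesolutions.co.uk.", "CNAME"):
        ["9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io."],
    # acme-dns publishes the two most recently submitted values per name.
    ("9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.", "TXT"):
        ["qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI",
         "Hrgjaorv8Ohiyjpi5yd9qS8pUpVkc-tSp0FqPxf14Bo"],
}


def normalize(name: str) -> str:
    """Canonical form of a DNS name: lower-case, with trailing dot."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def lookup(zone: Dict, name: str, rtype: str) -> List[str]:
    return list(zone.get((normalize(name), rtype), []))


def resolve_txt(zone: Dict, name: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow the CNAME chain from `name`; return (final name, TXT values).
    A DNS-01 checker must do this, because with acme-dns the challenge
    record lives at the acme-dns name, not inside the domain's own zone."""
    current = normalize(name)
    for _ in range(max_hops):
        cnames = lookup(zone, current, "CNAME")
        if not cnames:
            return current, lookup(zone, current, "TXT")
        current = normalize(cnames[0])
    raise RuntimeError("CNAME chain too long (loop?): " + name)


def prevalidate(zone: Dict, domain: str, expected: str) -> str:
    """Mimic the client's preliminary validation for one certificate name."""
    base = domain[2:] if domain.startswith("*.") else domain  # wildcard -> base name
    final, values = resolve_txt(zone, "_acme-challenge." + base)
    if not values:
        return "FAIL: no TXT records found at " + final
    if expected in values:
        return "OK: expected value found at " + final
    return "FAIL: TXT records present at " + final + " but none match the expected value"
```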