Wacs TXT validation fails

My domain is:

using wacs 2.1.23.1315
I have been able to run the tool to create certs for individual subdomains, all good. However, trying to create a cert for a wildcard seems to work during the --test;
when running it as normal it seems to fail the validation. I have updated and created the relevant TXT records and _acme subdomain. When I do nslookup with 8.8.8.8 I can see the TXT record showing, but the tool does not complete that validation process. What am I missing please?

Please provide the exact output of WACS. Even better, please answer the entire questionnaire:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes

here is the output:
[DBUG] [*.entreesolutions.co.uk] Looking for TXT value jUjFhtyA2n13Rxfb7HY4x0bvLQu4Zdx9Mb7GY3HncCU...
[DBUG] [*.entreesolutions.co.uk] Preliminary validation asking 8.8.8.8...
[WARN] [*.entreesolutions.co.uk] Preliminary validation failed: no TXT records found

The correct record has not yet been found by the local resolver. That means
it's likely the validation attempt will fail, or your DNS provider needs a
little more time to publish and synchronize the changes.

Web server is IIS
OS is Windows Server 2019
Domain control is via heartinternet

thank you for your support and response

2 Likes

The DNS-01 challenge is the only one of the Challenge Types - Let's Encrypt that would have the TXT value.
Using nslookup it seems the canonical name = 9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io. cannot be retrieved.

$ nslookup
> server ns01.domaincontrol.com.
Default server: ns01.domaincontrol.com.
Address: 97.74.100.1#53
> set q=txt
> _acme-challenge.entreesolutions.co.uk
Server:         ns01.domaincontrol.com.
Address:        97.74.100.1#53

_acme-challenge.entreesolutions.co.uk   canonical name = 9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.
> 9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.
Server:         ns01.domaincontrol.com.
Address:        97.74.100.1#53

** server can't find 9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io: REFUSED
>

1 Like

This is probably a better tool (online too) https://unboundtest.com/ to use.
Results here: https://unboundtest.com/m/TXT/_acme-challenge.entreesolutions.co.uk/6ZTFQW5E
Top of output

Query results for TXT _acme-challenge.entreesolutions.co.uk

Response:
;; opcode: QUERY, status: NOERROR, id: 19802
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.entreesolutions.co.uk.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.entreesolutions.co.uk.	0	IN	CNAME	9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.	0	IN	TXT	"qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI"
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.	0	IN	TXT	"Hrgjaorv8Ohiyjpi5yd9qS8pUpVkc-tSp0FqPxf14Bo"

----- Unbound logs -----
Jan 24 15:23:11 unbound[43503:0] notice: init module 0: validator
Jan 24 15:23:11 unbound[43503:0] notice: init module 1: iterator
Jan 24 15:23:11 unbound[43503:0] info: start of service (unbound 1.16.3).
1 Like

There are also some DNS Warnings here entreesolutions.co.uk | DNSViz

1 Like

Thank you for the responses, very much appreciated. Sorry for sounding dumb, I'm not sure what I need to do to get this working?

3 Likes

No need for apologies, you are just learning new things for you. So all is good.
From my perspective, the piece of information I would like is:

So we know what caused the output you supplied.

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.
(I do not know about wacs)

1 Like

Thank you for your support and patience!!
Much appreciated!

3 Likes

I don't really see anything wrong with the DNS to be honest.

It might be as simple as that your local DNS server somehow doesn't manage to resolve it correctly for some (yet) unknown reason.

I'm also not familiar with WACS, but is it perhaps possible to disable the local check? Or fix the local DNS server.

3 Likes

Not sure this helps but the TXT value will change for each challenge. Right now there are two TXT values but neither is the above one.

;; ANSWER SECTION:
_acme-challenge.entreesolutions.co.uk.	0	IN	CNAME	9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.	0	IN	TXT	"qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI"
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.	0	IN	TXT	"Hrgjaorv8Ohiyjpi5yd9qS8pUpVkc-tSp0FqPxf14Bo"
3 Likes

The domain auth.acme-dns.io seems to have only 1 Authoritative Name Server

$ nslookup
> set q=ns
> auth.acme-dns.io
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
auth.acme-dns.io        nameserver = ns.auth.acme-dns.io.

Authoritative answers can be found from:
> server ns.auth.acme-dns.io.
Default server: ns.auth.acme-dns.io.
Address: 46.4.128.227#53
> auth.acme-dns.io
Server:         ns.auth.acme-dns.io.
Address:        46.4.128.227#53

auth.acme-dns.io        nameserver = ns.auth.acme-dns.io.
> set q=txt
> 9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io
Server:         ns.auth.acme-dns.io.
Address:        46.4.128.227#53

9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io   text = "qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI"
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io   text = "Hrgjaorv8Ohiyjpi5yd9qS8pUpVkc-tSp0FqPxf14Bo"
>
1 Like

Hi, thanks for your feedback. Where are you getting that from please? When I do nslookup I was getting the below:

nslookup -q=txt *.entreesolutions.co.uk 8.8.8.8
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
*.entreesolutions.co.uk text =

    "jUjFhtyA2n13Rxfb7HY4x0bvLQu4Zdx9Mb7GY3HncCU"

https://unboundtest.com/

Follows the authoritative DNS servers similar to how Let's Encrypt does it

3 Likes

Thanks for that, so where do I update those TXT records?

In my domain control for entreesolutions.co.uk, when I enter the subdomain _acme-challenge, as it already has the CNAME, it doesn't seem to allow me to enter a TXT record for that subdomain?
Do I remove the CNAME and just add the subdomain and TXT record?

The CNAME is explained at topic below along with examples.

You need to provide more info for us to help you. Like show the wacs command you are trying and explain what '--test' worked.

I see you got Let's Encrypt certs for discrete domain names but not any wildcards yet. What method did you use for the other domain names (link here)? Is a wildcard required?

3 Likes

You need to query _acme-challenge.entreesolutions.co.uk like this

$ nslookup -q=txt _acme-challenge.entreesolutions.co.uk 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_acme-challenge.entreesolutions.co.uk   canonical name = 9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io   text = "qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI"
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io   text = "Hrgjaorv8Ohiyjpi5yd9qS8pUpVkc-tSp0FqPxf14Bo"

Authoritative answers can be found from:

See DNS-01 challenge for details.

2 Likes

Hi,

See win-acme settings.json - you want to set PreValidateDns to false, as in this case prevalidation is the thing stopping you from being successful.

auth.acme-dns.io did have an outage the other day but I think that's resolved now.

As an aside, you mentioned in your original post that you have updated and created the relevant TXT records - but to be clear to anyone else finding this thread later, what you have done is used the acme-dns service and a CNAME record. That's very different to maintaining your own TXT records within your own DNS zone.

4 Likes
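To tie together the two answers above (query `_acme-challenge.<domain>` rather than the wildcard name, and the client's own pre-validation step that `PreValidateDns` controls), here is a small added example of the logic such a pre-validation check performs. It is not code from win-acme or from anyone in this thread. It resolves the challenge name, follows the CNAME chain to the acme-dns host, and reports whether the expected token is present, absent, or stale. The zone data is constructed in memory from the record values shown earlier in the thread, so it runs offline; the `lookup` callable is the assumed hook where a real client would plug in a DNS library such as dnspython.

```python
"""
Added example: simulate an ACME client's DNS-01 pre-validation.

Given a domain and the TXT token the client expects, resolve
_acme-challenge.<domain>, follow CNAMEs (for example to acme-dns),
and compare the TXT values found at the end of the chain.
All DNS data below is constructed, modelled on the thread's output.
"""
from typing import Callable, Dict, List, Set, Tuple

Record = Tuple[str, str]                      # (record type, value)
LookupFn = Callable[[str], List[Record]]      # name -> records at that name


def _fqdn(name: str) -> str:
    """Normalise a name to its fully qualified, dot-terminated form."""
    return name if name.endswith(".") else name + "."


# Constructed in-memory zone (values copied from the thread's nslookup output).
ZONE: Dict[str, List[Record]] = {
    "_acme-challenge.entreesolutions.co.uk.": [
        ("CNAME", "9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io."),
    ],
    "9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.": [
        ("TXT", "qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI"),
        ("TXT", "Hrgjaorv8Ohiyjpi5yd9qS8pUpVkc-tSp0FqPxf14Bo"),
    ],
    # The hand-made record at the wildcard name, which no DNS-01 validator queries.
    "*.entreesolutions.co.uk.": [
        ("TXT", "jUjFhtyA2n13Rxfb7HY4x0bvLQu4Zdx9Mb7GY3HncCU"),
    ],
}


def zone_lookup(name: str) -> List[Record]:
    """Lookup against the constructed zone; stands in for a real resolver."""
    return ZONE.get(_fqdn(name), [])


def refusing_lookup(name: str) -> List[Record]:
    """Models the thread's local resolver: answers for the own zone, but
    cannot resolve the acme-dns target (REFUSED), so the chain ends empty."""
    return zone_lookup(name) if _fqdn(name).endswith("entreesolutions.co.uk.") else []


def challenge_name(domain: str) -> str:
    """DNS-01 validation name; a wildcard uses the base name's record."""
    base = domain[2:] if domain.startswith("*.") else domain
    return _fqdn("_acme-challenge." + base)


def resolve_txt(name: str, lookup: LookupFn, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs from `name`; return (final name, TXT values found there).
    Raises RuntimeError on a CNAME loop or an over-long chain."""
    seen: Set[str] = set()
    current = _fqdn(name)
    for _ in range(max_hops):
        if current in seen:
            raise RuntimeError(f"CNAME loop at {current}")
        seen.add(current)
        records = lookup(current)
        cnames = [v for t, v in records if t == "CNAME"]
        if cnames:
            current = _fqdn(cnames[0])
            continue
        return current, [v for t, v in records if t == "TXT"]
    raise RuntimeError(f"CNAME chain longer than {max_hops} hops from {name}")


def prevalidate(domain: str, expected_token: str, lookup: LookupFn = zone_lookup) -> str:
    """Return 'ok' if the token is published, 'no-txt' if nothing is found at
    the end of the chain (resolver or propagation problem), 'stale' if TXT
    values exist but none is the token for the current challenge."""
    _final, values = resolve_txt(challenge_name(domain), lookup)
    if not values:
        return "no-txt"
    return "ok" if expected_token in values else "stale"


if __name__ == "__main__":
    token = "qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI"
    print("authoritative chain:", prevalidate("*.entreesolutions.co.uk", token))
    print("local resolver that refuses acme-dns:",
          prevalidate("*.entreesolutions.co.uk", token, refusing_lookup))
```

The three outcomes map onto the thread: `no-txt` is what the client logged when its local resolver could not follow the CNAME, `stale` is what a lookup of an old token reports after the values rotate, and `ok` is what unboundtest saw against the authoritative servers. Turning off the client's pre-check only skips this pre-flight; the CA still performs its own authoritative lookup before issuing.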

wow it looks like that was it, thanks guys for all your help, I just changed the PrevalidateDns value and all seems to be good!

thanks again for your fantastic insight, support and knowledge!

5 Likes