Using wacs 188.8.131.525
I have been able to run the tool to create certs for individual subdomains, all good. However, trying to create a cert for a wildcard seems to work during the --test; when running it as normal it seems to fail the validation. I have updated and created the relevant TXT records and _acme subdomain. When I do nslookup with 184.108.40.206 I can see the TXT record showing, but the tool does not complete that validation process. What am I missing, please?
Please provide the exact output of WACS. Even better, please answer the entire questionnaire:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Here is the output:
[DBUG] [.entreesolutions.co.uk] Looking for TXT value jUjFhtyA2n13Rxfb7HY4x0bvLQu4Zdx9Mb7GY3HncCU...
[DBUG] [.entreesolutions.co.uk] Preliminary validation asking 220.127.116.11...
[WARN] [*.entreesolutions.co.uk] Preliminary validation failed: no TXT records found
The correct record has not yet been found by the local resolver. That means
it's likely the validation attempt will fail, or your DNS provider needs a
little more time to publish and synchronize the changes.
Web server is IIS
OS is Windows Server 2019
Domain control is via heartinternet
Thanks for that, so where do I update those TXT records?
In my domain control for entreesolutions.co.uk, when I enter the subdomain _acme-challenge, as it already has the CNAME, it doesn't seem to allow me to enter a TXT record for that subdomain?
Do I remove the CNAME and just add the subdomain and TXT record?
You need to query _acme-challenge.entreesolutions.co.uk like this:
$ nslookup -q=txt _acme-challenge.entreesolutions.co.uk 18.104.22.168
_acme-challenge.entreesolutions.co.uk canonical name = 9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io.
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io text = "qQkicg_-BBfUMHEfYRsXakYaKkNAJZtbetPni2KJdZI"
9ca2000e-6b80-4fb7-bf4b-e90c9356af41.auth.acme-dns.io text = "Hrgjaorv8Ohiyjpi5yd9qS8pUpVkc-tSp0FqPxf14Bo"
Authoritative answers can be found from:
See win-acme settings.json - you want to set PreValidateDns to false, as in this case prevalidation is the thing stopping you from being successful.
auth.acme-dns.io did have an outage the other day but I think that's resolved now.
As an aside, you mentioned in your original post that you have updated and created the relevant TXT records, but to be clear to anyone else finding this thread later, what you have done is used the acme-dns service and a CNAME record. That's very different to maintaining your own TXT records within your own DNS zone.
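
An added example, not part of the thread and not win-acme's own code: a Python model of the check discussed above, where a client looks up the `_acme-challenge` name, follows the CNAME to the acme-dns target, and compares the TXT values there with the value expected for the current DNS-01 challenge. The zone is an in-memory dictionary rather than live DNS, and every name, token and thumbprint in it is a constructed placeholder.

```python
import base64
import hashlib

def dns01_txt_value(token, thumbprint):
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token.thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def challenge_name(identifier):
    """*.example.test and example.test are both validated at the same name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}."

def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs from name; return (chain, TXT values at the final name)."""
    chain = [name]
    for _ in range(max_hops):
        records = zone.get(name, [])
        targets = [value for rtype, value in records if rtype == "CNAME"]
        if not targets:
            return chain, [value for rtype, value in records if rtype == "TXT"]
        name = targets[0]
        if name in chain:
            raise ValueError("CNAME loop at " + name)
        chain.append(name)
    raise ValueError("CNAME chain longer than max_hops")

def prevalidate(zone, identifier, token, thumbprint):
    """Report whether the expected TXT value is visible behind the CNAME."""
    expected = dns01_txt_value(token, thumbprint)
    chain, values = resolve_txt(zone, challenge_name(identifier))
    return {"expected": expected, "chain": chain, "found": expected in values}

# Constructed sample data: names, tokens and thumbprint are placeholders.
THUMBPRINT = "constructed-account-thumbprint"
TARGET = "00000000-0000-0000-0000-000000000000.auth.acme-dns.example."

def build_zone(published_tokens):
    """A name that holds a CNAME holds no TXT; the TXT records sit at the target."""
    return {
        "_acme-challenge.example.test.": [("CNAME", TARGET)],
        TARGET: [("TXT", dns01_txt_value(t, THUMBPRINT)) for t in published_tokens],
    }

if __name__ == "__main__":
    zone = build_zone(["token-wildcard", "token-base"])
    for ident, token in [("*.example.test", "token-wildcard"), ("example.test", "token-stale")]:
        print(ident, prevalidate(zone, ident, token, THUMBPRINT))
```

The second case returns `found: False` because the target still holds values from earlier challenges, which is the situation the "no TXT records found" style of prevalidation warning is meant to flag before the CA performs its own lookup.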