Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: wacs.exe, running to create a wildcard certificate.
It produced this output: Got error as below:
[.khaneducation.net] [192.168.100.1] No TXT records found
[.khaneducation.net] [192.168.100.2] No TXT records found
[*.khaneducation.net] Preliminary validation failed on all nameservers
The correct record has not yet been found by the local resolver. That means
it's likely the validation attempt will fail, or your DNS provider needs a
little more time to publish and synchronize the changes.
My web server is (include version): N/A
The operating system my web server runs on is (include version): N/A
My hosting provider, if applicable, is: Google Domains
I can login to a root shell on my machine (yes or no, or I don't know): N/A
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A
Trying to generate a wildcard certificate to be used with my web servers and ADFS servers, but unable to do so. New to this; I'd appreciate someone's help here.
win-acme does a pre-check for the expected TXT record and it is not finding it. You might need to wait longer for your local resolver to see the new result.
Or, just skip the pre-check and see if the Let's Encrypt servers see the TXT record. LE servers look directly at the authoritative DNS servers, so they don't need to wait for TTL propagation. You still need to wait some time (usually just a minute or so) for your authoritative DNS servers to sync.
Right now I see a TXT record, so at least that much looks to be working.
Use https://unboundtest.com to look up the TXT record in a similar way to how Let's Encrypt does it. Example output:
[.khaneducation.net] [192.168.100.1] No TXT records found
[.khaneducation.net] [192.168.100.2] No TXT records found
[*.khaneducation.net] Preliminary validation failed on all nameservers
The correct record has not yet been found by the local resolver. That means
it's likely the validation attempt will fail, or your DNS provider needs a
little more time to publish and synchronize the changes.
1: Retry check
2: Ignore and continue
3: Abort
How would you like to proceed?: 2
[.khaneducation.net] [192.168.100.1] No TXT records found
[.khaneducation.net] [192.168.100.2] No TXT records found
[.khaneducation.net] Preliminary validation failed on all nameservers
Will retry in 30 seconds (retry 1/10)...
[.khaneducation.net] [192.168.100.1] No TXT records found
[.khaneducation.net] [192.168.100.2] No TXT records found
[.khaneducation.net] Preliminary validation failed on all nameservers
Will retry in 30 seconds (retry 2/10)...
.
.
.
.
.
Will retry in 30 seconds (retry 9/10)...
[.khaneducation.net] [192.168.100.1] No TXT records found
[.khaneducation.net] [192.168.100.2] No TXT records found
[.khaneducation.net] Preliminary validation failed on all nameservers
Will retry in 30 seconds (retry 10/10)...
[.khaneducation.net] [192.168.100.1] No TXT records found
[.khaneducation.net] [192.168.100.2] No TXT records found
[.khaneducation.net] Preliminary validation failed on all nameservers
It looks like validation is going to fail, but we will try now anyway...
First chance error calling into ACME server, retrying with new nonce...
[*.khaneducation.net] Authorization result: valid
This part succeeded. I can't tell if you are using manual DNS validation or an automated DNS provider. If you are using manual DNS, you will need to repeat your request and update the TXT record again; then it should work. This is because *.khaneducation.net and khaneducation.net are two different identifiers but require updates to the same _acme-challenge TXT record. Let's Encrypt caches validations for at least a few days, so the next time you attempt it you don't have to repeat validations that already worked.
win-acme has an option to disable PreValidateDns (see the win-acme documentation). The issue is probably that your local DNS lookup doesn't resolve the TXT record but public DNS does.
@webprofusion, do you suggest any action needs to be taken on my local DNS servers, or what? It's been nearly 23 hours and I am still seeing the same issue.
@Jeelani, my suggestion would be to disable PreValidateDns in settings.json as per my link. The particular method it's using (looking at your system DNS) is not ideal; instead it should be querying your domain's primary name servers for the definitive answer (if at all), but it doesn't do that.
unboundtest can clearly see your TXT record, so everything else public should as well. It's possible, even likely, that your internal DNS does not replicate the public DNS settings and that there are two different zones for the same domain (one public, one internal).
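A way to run the check the replies describe yourself (query the zone's authoritative name servers directly for the _acme-challenge TXT record and compare with what the system resolver returns), as an added example that is not part of this thread or of win-acme. It is PowerShell because wacs.exe runs on Windows, and it assumes the Resolve-DnsName cmdlet from the built-in DnsClient module; the expected token and the public resolver address are placeholders you replace.

```powershell
# Added example, not from the thread or win-acme. Asks each authoritative name
# server of the zone for _acme-challenge TXT (as Let's Encrypt and unboundtest do)
# and contrasts it with the system resolver that win-acme's pre-check uses.
param(
    [string]$Zone = 'khaneducation.net',           # zone from the thread
    [string]$ExpectedToken = 'REPLACE_WITH_TOKEN',  # placeholder: value win-acme asked you to publish
    [string]$PublicResolver = '1.1.1.1'             # assumption: any public resolver, only used to find the NS set
)

$challenge = "_acme-challenge.$Zone"

# 1. Discover the authoritative servers through a public resolver, bypassing
#    an internal split-horizon copy of the zone that the system resolver may serve.
$nameServers = Resolve-DnsName -Name $Zone -Type NS -Server $PublicResolver -DnsOnly -ErrorAction Stop |
    Where-Object { $_.Type -eq 'NS' } |
    Select-Object -ExpandProperty NameHost

# 2. Query every authoritative server directly, with no caching resolver in between.
$results = foreach ($ns in $nameServers) {
    try {
        $txt = @(Resolve-DnsName -Name $challenge -Type TXT -Server $ns -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' })
    } catch { $txt = @() }
    [pscustomobject]@{
        Server   = $ns
        Strings  = ($txt -join ' | ')
        HasToken = [bool]($txt -contains $ExpectedToken)
    }
}

# 3. For comparison: what the system resolver (the path PreValidateDns uses) sees.
try {
    $local = @(Resolve-DnsName -Name $challenge -Type TXT -ErrorAction Stop |
        Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' })
} catch { $local = @() }

$results | Format-Table -AutoSize
"System resolver sees: $(if ($local.Count) { $local -join ' | ' } else { '(no TXT records)' })"

$good = @($results | Where-Object HasToken).Count
if ($good -eq @($nameServers).Count) {
    'All authoritative servers publish the token: ACME validation should pass even if the local pre-check fails.'
} elseif ($good -gt 0) {
    'Only some authoritative servers have the token yet: wait for the others to sync before continuing.'
} else {
    'No authoritative server has the token: check the record you published at your DNS provider.'
}
```

If the authoritative servers show the token while the system resolver does not, that is the split-horizon situation described above, and skipping the pre-check (or disabling PreValidateDns) is safe.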