Windows posh-acme DNS Plugin and DNS Challenge alias

Hi , I'm having an issue using the Windows DNS plugin in conjunction with a DNS Challenge Alias and I haven't found much documentation around them together.

I've reviewed this

and implemented the CNAME on the domain in question. While I can get the txt record created on the alias DNS server the submit validation always fails - I'm guessing it's querying in the wrong spot.

I'm not entirely sure about my setup though and would appreciate some advice.

While I don't particularly want to share domain names at this point I was hoping to get some feedback on how I have this configured.

In this example I have a authoritive name server for the domain called and an alias DNSserver called

My command to get this to work is to query and do the update on the alias DNS server like so.

$pArgs = @{
WinServer = ''

The run the below with the DNSalias switch

New-PACertificate "" -DNSSleep 300 -AcceptTOS -Contact "" -Plugin Windows -dnsalias "" -PluginArgs $pArgs -verbose -directory LE_STAGE

I have a CNAME setup on the authoritive name server which looks like this in the domain

_acme-challenge CNAME

So providing credentials to the alias DNS server and using the command above I can see the DNS challenge record being created there - however I always get back an authorization invalid via the submit-challengeValidation command when the new-pacertificate is run.

I'm guessing there is a config issue here with either the CNAME / DNSalias or even the way I'm doing the update via the pArgs with the Alias DNS Server but unsure how to troubleshoot further. If I do a lookup against the authoritive domain I do see the carnoical name populated Canonical name =

Is there a way to test this further to ensure the cname is being redirected to the right spot and that the query should see the actual text file ?

we'd debug better with actual domain name, but one thing i can think of is your client could actually make record on


Your _acme-challenge record on your real domain needs to point directly to a TXT record on your surrogate domain, it should not point to just the zone or a subdomain, it has to point to the name of the actual TXT record that will be created/updated.


Your DnsAlias argument would be e.g. the fully qualified TXT record name in your surrogate dns zone.


Is this thread different than DNS Alias with POSH-ACME? Why not continu there?

1 Like

Different problem so I thought I'd start a new thread.

CNAMEs are a basic DNS function.
Testing if they redirect or not is a simple task [it either does OR it doesn't]
When you query:

  • nslookup -q=cname FQDN1

Do you see?:

  • FQDN1 canonical name = FQDN2

If that fails, stop and fix it.
If that works, then does the TXT record update process work?
Does it create TXT records at FQDN2?
If not, stop and fix that.
If that also works, then check the process.
Maybe there is a logic problem ...
OR a TYPO ...
OR something else that is keeping it from doing what you expect.

I'm no expert on Posh-ACME; So, I can't help with specific troubleshooting steps there :frowning:


So does that mean I need to purchase another domain and make the alias DNS server authoritive for ?

My current setup is one authoritive DNS server and one Alias - I was just using the exact same domain name in the DNSAlias command to create it on the Alias DNS server which works but then I'm confused as to what the CNAME should be.

Both names can be from the same domain.
FQDN = Fully Qualified Domain Name.

  • = FQDN1
  • = FQDN2
  • = FQDN3
  • = FQDN4

In that "example", four FQDNs are shown and all from the same domain.


Just checking, you know you don't need a CNAME at all, yes? You can just use your actual domain (which is what most people do) and skip the DnsAlias things, that's really for when you don't want to make frequent TXT record updates to your primary domain/zone so you nominate a "sacrifical" zone that you're happy to make updates to.

If you are intentionally using a CNAME to another domain/subdomain you can just make it a subdomain like and so the TXT record being updated would be under that subdomain. So for instance to get a cert for you could have a CNAME pointing to No particular need to buy a new domain, but I'm curious why you are opting for a cname or subdomain at all.

1 Like

What do you mean by "Alias"?


Primarily the reason to use the CNAME / DNSAlias is to seperate the Authoritive DNS server credentials I am using via the Windows DNS Posh plugin to an expendable DNS server with different credentials.

I've actually used the process without the CNAME to the authoritve DNS server fine - it's just this last seperation I'm after.

If the alias is not authoritative for that zone, how can you update that zone there?
How will DNS requests return values that aren't being stored in the authoritative DNS server?


In my example I've created a sacrificial DNS server here

This server is my alias DNS server for the plugin if that makes sense.

I thought that is what the CNAME entry did ?

It sounds like you may need two domains/zones.

  • one authoritative in the main DNS server
  • one authoritative in the alias DNS server.

Then you CNAME from zone1 to zone2.
And update zone2 without touching zone1.


You haven't provided enough information to know [for sure].

I can't tell if you are only using one domain OR two.


That looks like the same domain to me:

That still looks like the same domain to me:


Indeed it is - the DNSalias switch uses the DNS server in the pArgs to create the txt record there.

$pArgs = @{
WinServer = ''
} -> which is the sacrificial DNS server.

The txt record challenge does get created on the sacrificial DNS Server ( ) but the cname redirection from authoritative to sacrificial I think is the issue.

To test the resolution of a record feed your _acme-challenge record name into (select TXT)

1 Like

I think I see the problem here. The -DnsAlias param needs to match exactly the CNAME target value rather than _acme-challenge.<target>. So you either need to change your CNAME to point to or change your alias param to -DnsAlias ''.