Windows server 2016 DNS problem: NXDOMAIN looking up A for mail.play-pen.net

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: play-pen.net

I ran this command: create new cert

It produced this output: DNS problem: NXDOMAIN looking up A for mail.play-pen.net
2019-10-07 12:46:49.272 -05:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up A for mail.play-pen.net

My web server is (include version): iis v:10

The operating system my web server runs on is (include version): windows server 2016 v:1607

My hosting provider, if applicable, is: self hosting internal dns server + public dns via zoneedit.com

I can login to a root shell on my machine (yes or no, or I don’t know): n/a windows

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certify ssl/tls certificate manager 4.1.6.0

Hi @gcodell

The mail subdomain doesn’t have an A or AAAA record ( https://check-your-website.server-daten.de/?q=mail.play-pen.net ):

Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout
--- | --- | --- | --- | --- | ---
mail.play-pen.net | | Name Error | yes | 1 | 0
www.mail.play-pen.net | | Name Error | yes | 1 | 0

If you want to use http validation, you need an A record

Your Domain name -> your ip address.

If you run the client on your play-pen.net domain, create an A record with the same ip address.

PS: Your main domain

Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout
--- | --- | --- | --- | --- | ---
play-pen.net | A | 173.197.225.50 Enterprise/Alabama/United States (US) - Spectrum Hostname: rrcs-173-197-225-50.west.biz.rr.com | yes | 1 | 0
| AAAA | | yes | |

has a correct configuration. So create such an entry with your mail subdomain.


Hi Gene,

I’ve tried to reply to your support requests but your email just doesn’t work (i.e. people cannot reply externally to your email at play-pen.net). I think you need to take a look at all of your DNS configuration for this domain and, while you’re at it, your public mail server settings (MX etc).


OK… I’ve created an “A” record in both my network DNS and my public DNS. This is the error I’m getting now:

Invalid response from http://mail.play-pen.net/.well-known/acme-challenge/m1bv8nhCI8X7aEpS3RR21w48ExkcVeTaEI2GLC4Pu1U [173.197.225.50]: "\r\n<html xmlns="http"

The IP address is my public internet IP.

There is a check of your domain - https://check-your-website.server-daten.de/?q=mail.play-pen.net

Now the ip part looks good.

Find the webroot of the website that answers. Then create the two subdirectories

webroot/.well-known/acme-challenge

Put a file there (file name 1234, without extension), then try to load that file via

http://mail.play-pen.net/.well-known/acme-challenge/1234

That should work.

Deleted old cert request… created new one with just play-pen.net, owa.play-pen.net, autodiscover.play-pen.net. Ran test and it failed with

Could not verify URL is accessible: http://play-pen.net/.well-known/acme-challenge/configcheck

This error occurred after I created the 1234 file.

That doesn’t work.

Do you have a web.config file in your application?

Something like

<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>

is required to allow extensionless files.

And autodiscover looks like a certificate created with another tool, so that tool (Plesk or another) may block your client.

This is the web.config file in the /.well-known/acme-challenge folder.

<?xml version="1.0" encoding="UTF-8"?>

Which server does Certify use, the local domain DNS or the public DNS server? I ask as the error msg relates to the external IP address of 173.197.225.50 and not the internal IP address of 192.168.22.20…

An external client sees only the external address. So the error message can only show that address.

But your web config is wrong, you must allow extensionless files, so your test file must work.

Add the shared content to your empty web.config.

Gene, if you have the built in Certify http challenge server enabled (which you did originally) then you don’t need to worry about the IIS config as the app will temporarily register an http listener for the /.well-known/acme-challenge/ prefix and respond to the challenges that way. Failing that it should auto configure the IIS web config etc.

If it does have to auto configure IIS then your website folder will have a new .well-known/acme-challenge folder, in there is a file called ‘configcheck’ - once your web.config lets you browse to this file externally you’re all set.

Does mail.play-pen.net resolve to the actual server that’s running Certify? If not then that would explain why it’s not handling the challenge response.
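As an added example (not code from this thread or from the Certify project), a PowerShell pre-flight script that ties together the checks suggested above: whether the name has an A record on both the internal and the public DNS (the split behind the 173.197.225.50 vs 192.168.22.20 question), the web.config that lets IIS serve extensionless files, and fetching a test token under /.well-known/acme-challenge/ the way the CA does. The web root path, the internal DNS address and the public resolver are assumptions; adjust them to your server.

```powershell
# Added example (not from the thread or from Certify): pre-flight check for the
# HTTP-01 validation discussed above, run on the Windows server hosting the site.
# Assumptions: $WebRoot is the IIS physical path of the site answering for the name;
# 192.168.22.20 is the internal DNS from the thread; 1.1.1.1 is a public resolver.
param(
    [string]$HostName    = 'mail.play-pen.net',
    [string]$WebRoot     = 'C:\inetpub\wwwroot',   # assumption: your site's path
    [string]$InternalDns = '192.168.22.20',
    [string]$PublicDns   = '1.1.1.1'
)
# 1. Does the name resolve, and do internal and public DNS agree? Let's Encrypt only
#    sees the public answer, so NXDOMAIN there is what produced the error above.
foreach ($srv in @($InternalDns, $PublicDns)) {
    try {
        $a = Resolve-DnsName -Name $HostName -Type A -Server $srv -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        Write-Host ("{0,-16} {1} -> {2}" -f $srv, $HostName, ($a.IPAddress -join ', '))
    } catch {
        Write-Warning "$srv returned no A record for $HostName ($($_.Exception.Message))"
    }
}
# 2. Make IIS serve extensionless files (the ACME tokens) from the challenge folder.
#    Note: this overwrites any web.config already in that folder.
$dir = Join-Path $WebRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@ | Set-Content -Path (Join-Path $dir 'web.config') -Encoding UTF8
# 3. Drop a test token (like the "1234" file suggested above) and fetch it over
#    HTTP, the same way the CA's validation server will.
$token = 'configcheck-test'   # constructed test file name
Set-Content -Path (Join-Path $dir $token) -Value 'ok' -NoNewline
$url = "http://$HostName/.well-known/acme-challenge/$token"
try {
    $body = (Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop).Content
    if ($body.Trim() -eq 'ok') { Write-Host "OK: $url served the token as-is" }
    else { Write-Warning "Unexpected body from $url (HTML means the file was not served)" }
} catch {
    Write-Warning "Could not fetch ${url}: $($_.Exception.Message)"
}
```

Repeat the fetch step from a machine outside your network as well: from inside, hairpin NAT or split DNS can show a working page while the CA still cannot reach it.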