[GH-ISSUE #213] bootstrapping the API TLS Certificate #97

Closed
opened 2026-03-13 15:46:31 +03:00 by kerem · 1 comment

Originally created by @dresske on GitHub (Mar 3, 2020).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/213

Hello,
I set up an acme-dns instance and gave it DNS control over a subdomain (put NS delegate and A record at primary DNS).
It's serving DNS records and answering requests. Starting from here I want to use the https API. The only config parameter at the API section is

```toml
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
tls = "none"
```

When enabling letsencrypt it retries the procedure a few times and restarts the process because it's not successful. How can I debug any further?
"acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.auth.mydomain.tld" (replaced in this output actual domain-names).
Does the creation procedure need any further configuration to set up its own certificate and also the challenge TXT record?

https://dnschecker.org

I tried this webservice to determine the current DNS propagation state of records in my subdomain. Only a subset of the servers is able to contact my acme-dns server until now. Is this a problem? The Cloudflare server, for instance, reports positive responses also for test records (test.auth.mydomain.tld) I made in the acme-dns config.

Best regards and many thanks in advance for useful hints.

kerem closed this issue 2026-03-13 15:46:36 +03:00

@dresske commented on GitHub (Mar 6, 2020):

To answer my own question: caused by the simple reason that the acme-instance is only responding to TCP requests. A few DNS resolvers support 'TCP fallback', that's why a subset of DNS servers can contact the acme-instance. But I have to figure out why UDP is not working. Should be a network problem (router or hypervisor). Hosts from the same subnet can reach acme-dns via UDP.

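The original question asks how to debug the `SERVFAIL` from Let's Encrypt, and the self-answer pins it on the authoritative server being reachable over TCP only. The following script, added here as an illustration and not part of acme-dns or this issue, makes that diagnosis directly: it sends the same TXT query over UDP and over TCP to the authoritative server and reports, per transport, the response code and any TXT strings. A server that answers over TCP but times out over UDP reproduces exactly the symptom described (resolvers with TCP fallback succeed, the rest fail). It uses only the Python standard library and builds the DNS messages by hand; the server address and record name on the command line are assumptions (use your own acme-dns host and `_acme-challenge.<your-subdomain>`).

```python
import socket
import struct
import secrets

QTYPE_TXT = 16
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=QTYPE_TXT, txid=None):
    """Build a minimal recursion-desired DNS query (class IN) for `name`."""
    if txid is None:
        txid = secrets.randbelow(65536)  # random id, checked on the reply
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_txt_response(msg, expect_txid):
    """Return rcode, TC flag and TXT strings from a DNS response message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    txts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:  # rdata is a sequence of <len><bytes> strings
            p = 0
            while p < len(rdata):
                n = rdata[p]
                txts.append(rdata[p + 1:p + 1 + n].decode("utf-8", "replace"))
                p += 1 + n
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "txt": txts}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full reply")
        buf += chunk
    return buf


def query_udp(server, name, port=53, timeout=3.0):
    q = build_query(name)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data, txid)


def query_tcp(server, name, port=53, timeout=3.0):
    q = build_query(name)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS is length-prefixed
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_txt_response(data, txid)


def check_transports(server, name):
    """Query `name` over both transports; a per-transport error is reported, not raised."""
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[label] = fn(server, name)
        except (OSError, ValueError) as exc:
            results[label] = {"error": repr(exc)}
    return results


if __name__ == "__main__":
    import sys
    # Assumed usage: python dnscheck.py <acme-dns host or IP> _acme-challenge.auth.example.tld
    server, name = sys.argv[1], sys.argv[2]
    for transport, res in check_transports(server, name).items():
        if "error" in res:
            print(f"{transport}: FAILED ({res['error']})")
        else:
            print(f"{transport}: {RCODE_NAMES.get(res['rcode'], res['rcode'])} "
                  f"tc={res['truncated']} txt={res['txt']}")
```

Run it from a host outside the acme-dns server's own subnet, since the issue notes that same-subnet hosts could reach it over UDP anyway; `udp: FAILED (timeout)` next to a clean `tcp: NOERROR` points at the path in between (firewall, router or hypervisor rules for UDP/53) rather than at acme-dns or the ACME client.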