dns-01 go-acme le-go doesn't create records for alt names

axelo

We are using dns-01 go-acme le-go with PowerDNS which works great for the primary subject/common name but when using alt names the DNS records are not created in their respective zones. While we can work around this by having multiple certs it certainly makes the deployment that much more complex.

gregtwallace

Do you have debug logs? I haven't had any other reports of this issue and I have certificates with alt names and haven't seen this before.

axelo

gregtwallace not really but i could get some if you direct me. I was manually checking the zones as the certs were not getting issued and found that the acme-challenge records were missing.

axelo

Hi Greg,

what we are seeing in the logs is the following:

4/18/2025, 11:47:40 AM, info, challenges/solver.go:165, challenges: challenge https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507404303107/34zcaQ status invalid; acme error: status: 400; type: urn:ietf:params:acme:error:dns; detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.cmm.mailkit.eu - check that a DNS record exists for this domain
4/18/2025, 11:44:31 AM, info, orders/fulfilling_do.go:24, orders: fulfilling worker 0: ordering order id 14 (certificate name: CMM, subject: cmm.mailkit.com)

And no surprise there - the record is not created in DNS. If there is a way to enable more detailed debug, please let me know, happy to check what exactly is happening.

gregtwallace

Edit the config file to set debug log level:
https://github.com/gregtwallace/certwarden-backend/blob/f896f4fc63faa3c1dde110b0a7569f91e55d6aa4/config.example.yaml#L38

Restart and then try to place an order for your certificate. Ideally, please provide the logs from start of order to failure.

Are your subject domain and your alt names on different domains? e.g. example.com and example2.com ? I'd suspect perhaps some domains are working and some are not and its just a coincidence that the one in the subject is the working one.

axelo

gregtwallace

yes, we are indeed trying to get a single cert for 3 different domains. the DNS record is only created in the zone that is the primary subject and not in the zones of alt subjects.

4/19/2025, 1:20:36 PM, debug, job_manager/manager.go:78, order fulfilling worker 1: end high priority job (order id: 18)
4/19/2025, 1:20:36 PM, info, orders/fulfilling_do.go:218, orders: fulfilling worker 1: order 18 done
4/19/2025, 1:20:36 PM, info, orders/fulfilling_do.go:216, orders: fulfilling worker 1: order id 18 completed with status invalid (certificate name: CMM, subject: cmm.mailkit.com)
4/19/2025, 1:20:36 PM, info, orders/fulfilling_do.go:167, orders: fulfilling worker 1: order status invalid; acme error: <nil>
4/19/2025, 1:20:36 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
	"status": "invalid",
	"expires": "2025-04-26T11:17:27Z",
	"identifiers": [
		{
			"type": "dns",
			"value": "cmm.mailkit.net"
		},
		{
			"type": "dns",
			"value": "cmm.mailkit.com"
		},
		{
			"type": "dns",
			"value": "cmm.mailkit.eu"
		}
	],
	"authorizations": [
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507333207697",
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507074235897",
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507929555687"
	],
	"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2347168757/375752631817"
}
4/19/2025, 1:20:36 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/order/2347168757/375752631817 ; unencoded payload: ""
4/19/2025, 1:20:36 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
	"identifier": {
		"type": "dns",
		"value": "cmm.mailkit.eu"
	},
	"status": "invalid",
	"expires": "2025-04-26T11:17:27Z",
	"challenges": [
		{
			"type": "dns-01",
			"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/lb7y6A",
			"status": "invalid",
			"validated": "2025-04-19T11:20:29Z",
			"error": {
				"type": "urn:ietf:params:acme:error:dns",
				"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.cmm.mailkit.eu - check that a DNS record exists for this domain",
				"status": 400
			},
			"token": "h5y0r4QQbiXpk1UwfYw7z8w-2ejZfKdizVs0fqmqSxk"
		}
	]
}
4/19/2025, 1:20:36 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507929555687 ; unencoded payload: ""
4/19/2025, 1:20:36 PM, info, challenges/solver.go:165, challenges: challenge https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/lb7y6A status invalid; acme error: status: 400; type: urn:ietf:params:acme:error:dns; detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.cmm.mailkit.eu - check that a DNS record exists for this domain
4/19/2025, 1:20:36 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
	"type": "dns-01",
	"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/lb7y6A",
	"status": "invalid",
	"validated": "2025-04-19T11:20:29Z",
	"error": {
		"type": "urn:ietf:params:acme:error:dns",
		"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.cmm.mailkit.eu - check that a DNS record exists for this domain",
		"status": 400
	},
	"token": "h5y0r4QQbiXpk1UwfYw7z8w-2ejZfKdizVs0fqmqSxk"
}
4/19/2025, 1:20:36 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/lb7y6A ; unencoded payload: ""
4/19/2025, 1:20:29 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
	"type": "dns-01",
	"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/lb7y6A",
	"status": "pending",
	"token": "h5y0r4QQbiXpk1UwfYw7z8w-2ejZfKdizVs0fqmqSxk"
}
4/19/2025, 1:20:28 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/lb7y6A ; unencoded payload: {}
4/19/2025, 1:18:31 PM, debug, challenges/solver.go:133, challenges: minimum provisioning delay not met, waiting to check cmm.mailkit.eu until Sat, 19 Apr 2025 13:20:28 CEST
4/19/2025, 1:18:31 PM, debug, dns_checker/check.go:163, dns_checker: check _acme-challenge.cmm.mailkit.eu: propagated: 3 (100%, min: 100%)
4/19/2025, 1:18:31 PM, debug, dns_checker/check.go:161, dns_checker: check _acme-challenge.cmm.mailkit.eu: functional: 3 (100%, min: 50%)
4/19/2025, 1:18:09 PM, info, dns_checker/check_types.go:42, dns_checker: check _acme-challenge.cmm.mailkit.eu: propagated: 1 (33%, min: 100%), will check again in 21.8s
4/19/2025, 1:18:09 PM, debug, dns_checker/check.go:163, dns_checker: check _acme-challenge.cmm.mailkit.eu: propagated: 1 (33%, min: 100%)
4/19/2025, 1:18:09 PM, debug, dns_checker/check.go:161, dns_checker: check _acme-challenge.cmm.mailkit.eu: functional: 3 (100%, min: 50%)
4/19/2025, 1:17:47 PM, info, dns_checker/check_types.go:42, dns_checker: check _acme-challenge.cmm.mailkit.eu: propagated: 0 (0%, min: 100%), will check again in 20.3s
4/19/2025, 1:17:47 PM, debug, dns_checker/check.go:163, dns_checker: check _acme-challenge.cmm.mailkit.eu: propagated: 0 (0%, min: 100%)
4/19/2025, 1:17:47 PM, debug, dns_checker/check.go:161, dns_checker: check _acme-challenge.cmm.mailkit.eu: functional: 3 (100%, min: 50%)
4/19/2025, 1:17:30 PM, info, dns_checker/check_types.go:42, dns_checker: check _acme-challenge.cmm.mailkit.eu: propagated: 2 (67%, min: 100%), will check again in 15.6s
4/19/2025, 1:17:30 PM, debug, dns_checker/check.go:163, dns_checker: check _acme-challenge.cmm.mailkit.eu: propagated: 2 (67%, min: 100%)
4/19/2025, 1:17:30 PM, debug, dns_checker/check.go:161, dns_checker: check _acme-challenge.cmm.mailkit.eu: functional: 3 (100%, min: 50%)
4/19/2025, 1:17:28 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
	"identifier": {
		"type": "dns",
		"value": "cmm.mailkit.net"
	},
	"status": "valid",
	"expires": "2025-05-17T18:00:46Z",
	"challenges": [
		{
			"type": "dns-01",
			"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507074235897/BFILwA",
			"status": "valid",
			"validated": "2025-04-17T18:00:39Z",
			"token": "ztv8B8t0JN5XYsUJOI8KokNju4C9G-EWbXF7ZKAHNaU",
			"validationRecord": [
				{
					"hostname": "cmm.mailkit.net"
				}
			]
		}
	]
}
4/19/2025, 1:17:28 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
	"identifier": {
		"type": "dns",
		"value": "cmm.mailkit.com"
	},
	"status": "valid",
	"expires": "2025-05-18T09:41:53Z",
	"challenges": [
		{
			"type": "dns-01",
			"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507333207697/6Kii7w",
			"status": "valid",
			"validated": "2025-04-18T09:41:48Z",
			"token": "zE9BbQdAC6djvZU6KaWjBLmw528GiId1YGW8bWKbBd4",
			"validationRecord": [
				{
					"hostname": "cmm.mailkit.com"
				}
			]
		}
	]
}
4/19/2025, 1:17:28 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507074235897 ; unencoded payload: ""
4/19/2025, 1:17:28 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
	"identifier": {
		"type": "dns",
		"value": "cmm.mailkit.eu"
	},
	"status": "pending",
	"expires": "2025-04-26T11:17:27Z",
	"challenges": [
		{
			"type": "tls-alpn-01",
			"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/y40iLA",
			"status": "pending",
			"token": "h5y0r4QQbiXpk1UwfYw7z8w-2ejZfKdizVs0fqmqSxk"
		},
		{
			"type": "http-01",
			"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/afK_VA",
			"status": "pending",
			"token": "h5y0r4QQbiXpk1UwfYw7z8w-2ejZfKdizVs0fqmqSxk"
		},
		{
			"type": "dns-01",
			"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2347168757/507929555687/lb7y6A",
			"status": "pending",
			"token": "h5y0r4QQbiXpk1UwfYw7z8w-2ejZfKdizVs0fqmqSxk"
		}
	]
}
4/19/2025, 1:17:28 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507333207697 ; unencoded payload: ""
4/19/2025, 1:17:28 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507929555687 ; unencoded payload: ""
4/19/2025, 1:17:28 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
	"status": "pending",
	"expires": "2025-04-26T11:17:27Z",
	"identifiers": [
		{
			"type": "dns",
			"value": "cmm.mailkit.net"
		},
		{
			"type": "dns",
			"value": "cmm.mailkit.com"
		},
		{
			"type": "dns",
			"value": "cmm.mailkit.eu"
		}
	],
	"authorizations": [
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507333207697",
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507074235897",
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507929555687"
	],
	"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2347168757/375752631817"
}
4/19/2025, 1:17:27 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/order/2347168757/375752631817 ; unencoded payload: ""
4/19/2025, 1:17:27 PM, info, orders/fulfilling_do.go:24, orders: fulfilling worker 1: ordering order id 18 (certificate name: CMM, subject: cmm.mailkit.com)
4/19/2025, 1:17:27 PM, debug, job_manager/manager.go:76, order fulfilling worker 1: start high priority job (order id: 18)
4/19/2025, 1:17:27 PM, debug, orders/order_acme_create.go:36, orders: new order location: https://acme-v02.api.letsencrypt.org/acme/order/2347168757/375752631817
4/19/2025, 1:17:27 PM, debug, acme/post_signed.go:148, acme signed post response code: 201 ; body: {
	"status": "pending",
	"expires": "2025-04-26T11:17:27Z",
	"identifiers": [
		{
			"type": "dns",
			"value": "cmm.mailkit.com"
		},
		{
			"type": "dns",
			"value": "cmm.mailkit.eu"
		},
		{
			"type": "dns",
			"value": "cmm.mailkit.net"
		}
	],
	"authorizations": [
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507333207697",
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507074235897",
		"https://acme-v02.api.letsencrypt.org/acme/authz/2347168757/507929555687"
	],
	"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2347168757/375752631817"
}
4/19/2025, 1:17:27 PM, debug, acme/post_signed.go:85, sending acme signed post (using kid: https://acme-v02.api.letsencrypt.org/acme/acct/2347168757) to: https://acme-v02.api.letsencrypt.org/acme/new-order ; unencoded payload: {
	"identifiers": [
		{
			"type": "dns",
			"value": "cmm.mailkit.com"
		},
		{
			"type": "dns",
			"value": "cmm.mailkit.eu"
		},
		{
			"type": "dns",
			"value": "cmm.mailkit.net"
		}
	]
}
4/19/2025, 1:17:19 PM, info, auth/handlers_common.go:38, client 172.29.146.70:52447: session refresh for user 'local|admin' succeeded
4/19/2025, 1:17:19 PM, info, auth/handlers_common.go:14, client 172.29.146.70:52447: attempting session refresh