
I am using certbot to generate an SSL certificate for a third-party web app. Because I cannot get into the source code or folder structure, I am using DNS validation. To further complicate things, my DNS provider does not make it clear when the changes have been applied and are propagating. I have to start the process, get the values, publish them to DNS, wait a long while, and hit ENTER to complete the validation. If the time I waited was not long enough, or the terminal session to the server dies, I have to start over -- which generates new values to be put into DNS.

I would like to query my DNS name servers to see if and when my _acme-challenge value has propagated. Let's Encrypt has a means to check this value, but I cannot seem to figure this one out. All the online forums that I am finding are for querying the default TXT record that is used for SPF.


Output of the certbot validation process

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.app.mydomain.com with the following value:

4Rn5ZNCdLYDYK9uQnyZ7k3CJ8kNsNyIJa9QeXCeOCMI

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

How do I query this named TXT record?

wruckie
  • I use this same method for SSL certs. Due to a purchase, I'm going to lose DNS mgmt access at my company soon. When I get the expiry email, I'll have to email the DNS manager to schedule a time for when I can get with him/her to send them the TXT record data. Such a PITA. – user38537 Jan 30 '19 at 01:04
  • Why the downvote? And yet, this is already a favorite question?!? That does not make any sense. – wruckie Feb 01 '19 at 17:01
  • I'll use my upvote and favorite to get you back to zero at least. This is a decent question. – user38537 Feb 01 '19 at 21:53

2 Answers


Verify with commands like this.

dig -t txt _acme-challenge.app.mydomain.com @nameserver1.example.org
dig -t txt _acme-challenge.app.mydomain.com @nameserver2.example.org
Zoredache
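One way to automate the check from this answer, as an added example that is not part of the original answer: a POSIX shell script that queries the authoritative servers directly (so resolver caches are bypassed) and keeps polling until the token certbot printed is visible on every one of them. The record name and token are the ones from the question; the server names and the script name check-acme.sh are assumptions.

```shell
#!/bin/sh
# Poll the authoritative name servers for the _acme-challenge TXT record until
# every one of them publishes the token certbot printed. Added example; the
# record name and token come from the question, the server names are assumed.

NAME="_acme-challenge.app.mydomain.com"
TOKEN="4Rn5ZNCdLYDYK9uQnyZ7k3CJ8kNsNyIJa9QeXCeOCMI"
# Authoritative servers (assumed names), queried directly to bypass caches.
SERVERS="nameserver1.example.org nameserver2.example.org"

# has_token TOKEN  (stdin: dig +short TXT output, one quoted string per line)
# Succeeds when the exact token is among the strings. Several TXT records
# with the same name are allowed, so each line is compared on its own.
has_token() {
    tr -d '"' | grep -qxF -- "$1"
}

# server_has_token SERVER NAME TOKEN: query one server directly, short timeout.
server_has_token() {
    dig +short +time=3 +tries=1 -t txt "$2" "@$1" | has_token "$3"
}

# wait_for_token NAME TOKEN SERVERS [INTERVAL]: loop until all servers answer
# with the token, printing progress so the long wait is visible.
wait_for_token() {
    interval="${4:-30}"
    while :; do
        missing=""
        for s in $3; do
            server_has_token "$s" "$1" "$2" || missing="$missing $s"
        done
        [ -z "$missing" ] && { echo "token published on all servers"; return 0; }
        echo "$(date '+%T') still missing on:$missing; retrying in ${interval}s"
        sleep "$interval"
    done
}

# Run the poll only when invoked as: sh check-acme.sh poll
case "${1:-}" in
    poll) wait_for_token "$NAME" "$TOKEN" "$SERVERS" ;;
esac
```

Run it in a second terminal after publishing the record; once it reports the token on every server, go back to certbot and press ENTER.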

We can also use the googleapps webpage for such lookups.

https://toolbox.googleapps.com/apps/dig/#TXT/


wruckie