acme.sh - It does not wait for DNS challenge TXT record creation

Created on 27 Mar 2017  ·  16 Comments  ·  Source: acmesh-official/acme.sh

CMD: /root/.acme.sh/acme.sh --issue --dns -d m2.silverlining.systems --debug 6
Problem: It does not wait for the DNS challenge TXT record to be created before verification.
If I add the "TXT" record with the given challenge token, it is not taken and it's re-generating the token again.

Reproduce Steps: ./acme.sh --issue --dns -d --debug 6

[Mon Mar 27 17:30:45 SGT 2017] response='{"identifier":{"type":"dns","value":"m2.silverlining.systems"},"status":"pending","expires":"2017-04-03T09:30:44.237815324Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KXVxgwwBxwr00kF2HQ0uZqKpHJ9zUl6ajIjK6As_r5U/891521096","token":"W7S6LpuwWlWfevJASNnH8dPoV_vefvitrw9Ihrof1Ro"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KXVxgwwBxwr00kF2HQ0uZqKpHJ9zUl6ajIjK6As_r5U/891521098","token":"MbTjMzTRF8D9_P0J-t1WkCjxT16w5rpIn8eFooWP-QQ"},{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KXVxgwwBxwr00kF2HQ0uZqKpHJ9zUl6ajIjK6As_r5U/891521099","token":"bc-pjKbbFxmfbNJjT8W_2Qp4RmqC5x5olR6OFA8yjv0"}],"combinations":[[2],[0],[1]]}'
[Mon Mar 27 17:30:45 SGT 2017] code='201'
[Mon Mar 27 17:30:45 SGT 2017] The new-authz request is ok.
[Mon Mar 27 17:30:45 SGT 2017] base64 single line.
[Mon Mar 27 17:30:45 SGT 2017] entry='"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/KXVxgwwBxwr00kF2HQ0uZqKpHJ9zUl6ajIjK6As_r5U/891521099","token":"bc-pjKbbFxmfbNJjT8W_2Qp4RmqC5x5olR6OFA8yjv0"'
[Mon Mar 27 17:30:45 SGT 2017] token='bc-pjKbbFxmfbNJjT8W_2Qp4RmqC5x5olR6OFA8yjv0'
[Mon Mar 27 17:30:45 SGT 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/KXVxgwwBxwr00kF2HQ0uZqKpHJ9zUl6ajIjK6As_r5U/891521099'
[Mon Mar 27 17:30:45 SGT 2017] keyauthorization='bc-pjKbbFxmfbNJjT8W_2Qp4RmqC5x5olR6OFA8yjv0.ophYGLDPKOZ2tPNLcHTk7qDS4HCJj1rsYVICnQKZJmo'
[Mon Mar 27 17:30:45 SGT 2017] dvlist='m2.silverlining.systems#bc-pjKbbFxmfbNJjT8W_2Qp4RmqC5x5olR6OFA8yjv0.ophYGLDPKOZ2tPNLcHTk7qDS4HCJj1rsYVICnQKZJmo#https://acme-v01.api.letsencrypt.org/acme/challenge/KXVxgwwBxwr00kF2HQ0uZqKpHJ9zUl6ajIjK6As_r5U/891521099#dns-01#dns'
[Mon Mar 27 17:30:45 SGT 2017] vlist='m2.silverlining.systems#bc-pjKbbFxmfbNJjT8W_2Qp4RmqC5x5olR6OFA8yjv0.ophYGLDPKOZ2tPNLcHTk7qDS4HCJj1rsYVICnQKZJmo#https://acme-v01.api.letsencrypt.org/acme/challenge/KXVxgwwBxwr00kF2HQ0uZqKpHJ9zUl6ajIjK6As_r5U/891521099#dns-01#dns,'
[Mon Mar 27 17:30:45 SGT 2017] txtdomain='_acme-challenge.m2.silverlining.systems'
[Mon Mar 27 17:30:45 SGT 2017] base64 single line.
[Mon Mar 27 17:30:45 SGT 2017] txt='d_3SCPQr-kTnPywMdwvyz5gIaflDjQpDX22xN2M8G8k'
[Mon Mar 27 17:30:45 SGT 2017] d_api
[Mon Mar 27 17:30:45 SGT 2017] Add the following TXT record:
[Mon Mar 27 17:30:45 SGT 2017] Domain: '_acme-challenge.m2.silverlining.systems'
[Mon Mar 27 17:30:45 SGT 2017] TXT value: 'd_3SCPQr-kTnPywMdwvyz5gIaflDjQpDX22xN2M8G8k'
[Mon Mar 27 17:30:45 SGT 2017] Please be aware that you prepend _acme-challenge. before your domain
[Mon Mar 27 17:30:45 SGT 2017] so the resulting subdomain will be: _acme-challenge.m2.silverlining.systems
[Mon Mar 27 17:30:45 SGT 2017] OK
[Mon Mar 27 17:30:45 SGT 2017] 9:Le_Vlist='m2.silverlining.systems#bc-pjKbbFxmfbNJjT8W_2Qp4RmqC5x5olR6OFA8yjv0.ophYGLDPKOZ2tPNLcHTk7qDS4HCJj1rsYVICnQKZJmo#https://acme-v01.api.letsencrypt.org/acme/challenge/KXVxgwwBxwr00kF2HQ0uZqKpHJ9zUl6ajIjK6As_r5U/891521099#dns-01#dns,'
[Mon Mar 27 17:30:45 SGT 2017] Dns record not added yet, so, save to /root/.acme.sh/m2.silverlining.systems/m2.silverlining.systems.conf and exit.
[Mon Mar 27 17:30:45 SGT 2017] Please add the TXT records to the domains, and retry again.
[Mon Mar 27 17:30:45 SGT 2017] pid
[Mon Mar 27 17:30:45 SGT 2017] No need to restore nginx, skip.
[Mon Mar 27 17:30:45 SGT 2017] _clearupdns
[Mon Mar 27 17:30:45 SGT 2017] Dns not added, skip.
[Mon Mar 27 17:30:45 SGT 2017] _on_issue_err
[Mon Mar 27 17:30:45 SGT 2017] Please add '--debug' or '--log' to check more details.
[Mon Mar 27 17:30:45 SGT 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Mar 27 17:30:45 SGT 2017] openssl exists=0
[Mon Mar 27 17:30:45 SGT 2017] nc exists=0
[Mon Mar 27 17:30:45 SGT 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.1f 6 Jan 2014
apache:
apache doesn't exists.
nc:
OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]

How to get rid of this issue ?

All 16 comments

That is the correct behaviour.
You add the DNS entries and then rerun with renew.
It will validate the DNS entries and generate the certificate

@FernandoMiguel Thanks for your quick clarification. The documentation wasn't clear for this scenario.

What is the expiry time for the DNS challenge token ? Is it 120 seconds (default) ?
If I use --dnssleep 86400 (24 hrs), then I can add and verify TXT record within 24 hrs and re-run with --renew -d ?

@thangamani-arun
Please read and follow this section carefully:
https://github.com/Neilpang/acme.sh#8-use-dns-mode

@Neilpang may I propose an improvement?
either state after "Please add those txt records to the domains. Waiting for the dns to take effect."
that the user needs to run acme.sh --renew -d example.com

or, set a timer waiting for a long time (say 5/10 min?) and then run renew automatically. if it fails, ask the user to finish updating the DNS entries manually and run renew again when done.

@Neilpang @FernandoMiguel Thanks for your quick support. It works within 2 minutes and I confirmed for _m2.silverlining.systems_ domain.

But, When I tried with --dns and with --dnssleep 86400 options after 23:38hrs, It gives error for renewal,

Part-2: SSL request with --dns --dnssleep 86400 for _m4.silverlining.systems_

root@benchmark:~# /root/.acme.sh/acme.sh --issue --accountemail [email protected] --dns --dnssleep 86400 -d m4.silverlining.systems
[Mon Mar 27 18:01:24 SGT 2017] Creating domain key
[Mon Mar 27 18:01:24 SGT 2017] Single domain='m4.silverlining.systems'
[Mon Mar 27 18:01:24 SGT 2017] Getting domain auth token for each domain
[Mon Mar 27 18:01:24 SGT 2017] Getting webroot for domain='m4.silverlining.systems'
[Mon Mar 27 18:01:24 SGT 2017] Getting new-authz for domain='m4.silverlining.systems'
[Mon Mar 27 18:01:27 SGT 2017] The new-authz request is ok.
[Mon Mar 27 18:01:27 SGT 2017] Add the following TXT record:
[Mon Mar 27 18:01:27 SGT 2017] Domain: '_acme-challenge.m4.silverlining.systems'
[Mon Mar 27 18:01:27 SGT 2017] TXT value: 'Ah3LvktUH-UsLs75cdJL4nQXI3lLJwyjiweBvVOtTno'
[Mon Mar 27 18:01:27 SGT 2017] Please be aware that you prepend _acme-challenge. before your domain
[Mon Mar 27 18:01:27 SGT 2017] so the resulting subdomain will be: _acme-challenge.m4.silverlining.systems
[Mon Mar 27 18:01:27 SGT 2017] Please add the TXT records to the domains, and retry again.
[Mon Mar 27 18:01:27 SGT 2017] Please add '--debug' or '--log' to check more details.
[Mon Mar 27 18:01:27 SGT 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

DNS TXT Record:
;; ANSWER SECTION:
_acme-challenge.m4.silverlining.systems. 599 IN TXT "Ah3LvktUH-UsLs75cdJL4nQXI3lLJwyjiweBvVOtTno"

Renew:
root@benchmark:~# /root/.acme.sh/acme.sh --renew -d m4.silverlining.systems
[Tue Mar 28 17:38:12 SGT 2017] Renew: 'm4.silverlining.systems'
[Tue Mar 28 17:38:12 SGT 2017] Single domain='m4.silverlining.systems'
[Tue Mar 28 17:38:12 SGT 2017] Getting domain auth token for each domain
[Tue Mar 28 17:38:12 SGT 2017] Verifying:m4.silverlining.systems
[Tue Mar 28 17:38:15 SGT 2017] m4.silverlining.systems:Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: Response does not complete challenge","status": 400}
[Tue Mar 28 17:38:15 SGT 2017] Please add '--debug' or '--log' to check more details.
[Tue Mar 28 17:38:15 SGT 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acm

Help me to understand why I am getting this error.

@thangamani-arun Do not use --dns anymore. Please use webroot mode or dns api mode instead.

@FernandoMiguel I don't think it's necessary. The manual dns mode can not work for auto-renewal. It's just for test. Maybe I will remove it in future. I think the readme doc is clear enough; if the user doesn't read the readme before using, that's not our responsibility. Leave him.

@Neilpang What I am testing is a real use case. We have shared hosting for many customers, the domains are owned by different customers, and they want a smooth migration.

I can not use the webroot method since customer domains are not mapped to my server IP until SSL is installed. So I have to use the DNS challenge method. The only problem is that the DNS key/token expires in a short time.

Is there a way to achieve SSL with DNS method by adding TXT for a given DNS challenge key ?

@Neilpang thanks for clearing that up.
I've heard LE is going to reduce the validity time window for DNS entries.

I have the need to use manual DNS as Namecheap DNS api mode is not supported. I do not want to move the NS server to Cloudflare as I need some features from Namecheap.
Follow the readme with DNS manual challenge. Created TXT on Namecheap. Run the renew after couple minutes.
But got the same error message. 'Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: Response does not complete challenge","status": 400}'
In another reported issue, it is recommended to use DNS api for the renew. However, I cannot use DNS api that's why I have to use DNS manual mode but it does not work.
Please assist. Thanks.

@florid2
Please wait enough time, and check the txt record by yourself before your use --renew again.
you can use dig, nslookup or many online website to check the txt record of your domain.

acme.sh is not able to know how long it should wait.
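One way to do the "wait and check the TXT record yourself before --renew" step from this comment as a script, as an added example that is not part of acme.sh: it polls DNS for the exact value `acme.sh --issue --dns` printed and only then hands off to `--renew`. It assumes `dig` and `openssl` are installed and that `ACME_SH` points at the script path shown in the issue; `DNS_SERVER` is an optional hypothetical setting of your own.

```shell
#!/bin/sh
# Added example (not acme.sh's own code): poll DNS for the _acme-challenge TXT
# value that `acme.sh --issue --dns` printed, and only then run `--renew`.
# Assumes dig and openssl are installed; ACME_SH is the path from the issue.
ACME_SH="${ACME_SH:-/root/.acme.sh/acme.sh}"
# Optional: point DNS_SERVER at one of the zone's authoritative nameservers so a
# stale negative answer cached by the local resolver does not fool the check.
DNS_SERVER="${DNS_SERVER:-}"

# txt_has_value EXPECTED: reads `dig +short TXT` output on stdin (one quoted
# string per line) and succeeds only if some record equals EXPECTED exactly.
txt_has_value() {
  expected="$1"
  while IFS= read -r line; do
    line="${line#\"}"   # dig wraps TXT data in double quotes; strip them
    line="${line%\"}"
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# expected_txt KEYAUTH: recomputes the TXT value acme.sh derives from the
# keyauthorization shown in its --debug log: base64url(SHA-256(keyauth)).
expected_txt() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | base64 | tr '+/' '-_' | tr -d '=\n'
}

# wait_for_txt DOMAIN EXPECTED [TRIES] [INTERVAL_SECONDS]: retry until the
# record is visible, then return 0; return 1 if it never shows up.
wait_for_txt() {
  name="_acme-challenge.$1"; expected="$2"; tries="${3:-30}"; interval="${4:-20}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    if dig +short TXT "$name" ${DNS_SERVER:+"@$DNS_SERVER"} | txt_has_value "$expected"; then
      echo "$name now carries the expected TXT value"
      return 0
    fi
    i=$((i + 1))
    echo "attempt $i/$tries: record not visible yet, sleeping ${interval}s"
    sleep "$interval"
  done
  echo "gave up waiting for $name; do not run --renew yet" >&2
  return 1
}

# Usage: sh wait_then_renew.sh m4.silverlining.systems 'Ah3LvktUH-UsLs75cdJL4nQXI3lLJwyjiweBvVOtTno'
if [ "$#" -eq 2 ]; then
  wait_for_txt "$1" "$2" && exec "$ACME_SH" --renew -d "$1"
fi
```

The TTL of a cached "no such record" answer is why checking through the local resolver right after adding the record can keep failing; querying an authoritative server sidesteps that.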

@Neilpang
Apologies, it works now.
As the DNS manual guide was a little bit confusing, it generated two challenge codes and the DNS TXT records got messed up. Today, all is clear now.
I am using Synology with DNS manual process. Followed the guide https://github.com/Neilpang/acme.sh/wiki/Synology-NAS-Guide
./acme.sh --issue -d YOURDOMAIN.TLD --dns --certpath /usr/syno/etc/certificate/system/default/cert.pem --keypath /usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath /usr/syno/etc/certificate/system/default/fullchain.pem --dnssleep 300
After I added TXT record,
./acme.sh --renew -d YOURDOMAIN.TLD
But the --certpath and --keypath do not work. It stored the private key, cert and intermediate CA under the ~/.acme.sh/ folder in .cer, .key format. I need to copy them out, then use the Synology DSM web GUI to import them into the system.
Not sure if I can append --certpath and --keypath to --renew in the next 60 days. It would save some time in the manual process.
Thanks again for this wonderful tool!

I'm the author of that guide.
Feel free to improve on it with your discovery.
I've updated it recently to simplify the instructions a bit, but I always welcome further input.

In your case I guess you would need to run acme.sh --install-cert and those paths.

Readme here needs to be updated: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

It didn't mention that --renew was required.

The script output itself needs an improvement. Current unclear language:

Please add the TXT records to the domains, and retry again.

Better to understand advice:

Add the TXT records to the domain(s), and --renew instead of --install.

@ProBackup-nl it should always use dns api instead of just DNS01 mode...
dns01 without api is mostly for testing mode, as it will not auto renew

When doing testing it is still cumbersome to need to read a manual. That dns01 without api will not auto renew is explained later on in the --renew process:

It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
