Issue with Godaddy regarding _acme-challenge TXT records, INCLUDING POSSIBLE SOLUTION

[ToonvdPas]

Hi,

Tot start with, I know about the recent policy change from Godaddy regarding their API.

However, certificate validation through DNS-01 should still be possible with a (small?) modification in the acme.sh script. Please read on.

I tested the ACME client on OPNsense 25.7.3_7.
In the log (debug 2) I notice that everything goes well until the acme.sh script tries to verify that the TXT record has been stored in the DNS zone. It performs this check via the API call...

curl -X GET -H "Authorization: sso-key <key>:<secret>" "https://api.godaddy.com/v1/domains/opnsense.labfridge.net/records/TXT/_acme-challenge"

...which gets a reply returned like this:

{"code":"UNKNOWN_DOMAIN","message":"The given domain is not registered, or does not have a zone file"}

The exit code of curl is 0.

I can reproduce this from the shell prompt.

At first I thought this to be a dead end, but then I noticed this issue, wherein Godaddy states that _acme-challenge TXT records CAN be posted!

I checked for the presence of the _acme-challenge TXT records using dig

It turns out that acme.sh really DID post these challenges successfully!

I made three attempts with the ACME client, and three records are present:

$ dig @localhost -t txt _acme-challenge.opnsense.labfridge.net

; <<>> DiG 9.20.12 <<>> @localhost -t txt _acme-challenge.opnsense.labfridge.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20231
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.opnsense.labfridge.net.        IN TXT

;; ANSWER SECTION:
_acme-challenge.opnsense.labfridge.net. 600 IN TXT "tyYN6m4Gk4Ch2yxvCTQtvYqRkxs50uvf_XBLLoftouI"
_acme-challenge.opnsense.labfridge.net. 600 IN TXT "G0IZhtee2Uy2Cjf6Y25lKmwshrcFdC1oOhj8tUHBpTU"
_acme-challenge.opnsense.labfridge.net. 600 IN TXT "X9r-3FXkGPdOwhigp4fcF8-PZ_C9KxiybC3VjQqQNzU"

;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Wed Sep 17 08:46:57 EDT 2025
;; MSG SIZE  rcvd: 235

Conclusion: Godaddy's API will always allow to post _acme-challenge TXT records, but does not always allow to query those very records.

Now, would it be possible to modify the acme.sh script to perform the check via a DNS query instead of an API call?

That should solve the problems with Godaddy!

Can you guys please have another go at this?

Thanks!

[github-actions]

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

[ToonvdPas]

I ran acme.sh --upgrade, but the version remained 3.1.1:

root@opnsense:/tmp # acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.1.1
root@opnsense:/tmp # acme.sh --upgrade
touch: /root/.acme.sh/http.header: No such file or directory
cd: /root/.acme.sh: No such file or directory
[Wed Sep 17 10:04:22 EDT 2025] Installing from online archive.
[Wed Sep 17 10:04:22 EDT 2025] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
touch: /root/.acme.sh/http.header: No such file or directory
[Wed Sep 17 10:04:22 EDT 2025] Extracting master.tar.gz
[Wed Sep 17 10:04:22 EDT 2025] Installing to /root/.acme.sh
[Wed Sep 17 10:04:22 EDT 2025] Installed to /root/.acme.sh/acme.sh
[Wed Sep 17 10:04:22 EDT 2025] OK
[Wed Sep 17 10:04:22 EDT 2025] Install success!
[Wed Sep 17 10:04:22 EDT 2025] Upgrade successful!
root@opnsense:/tmp # acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.1.1

[ToonvdPas]

After the upgrade I performed another run with debug 2. See the attached log file.
20250917 acmeclient_20250917.log
After the run I performed another DNS query for the _acme-challenge TXT records.
A new record had been added successfully:

$ dig @localhost -t txt _acme-challenge.opnsense.labfridge.net

; <<>> DiG 9.20.12 <<>> @localhost -t txt _acme-challenge.opnsense.labfridge.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58405
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.opnsense.labfridge.net.        IN TXT

;; ANSWER SECTION:
_acme-challenge.opnsense.labfridge.net. 600 IN TXT "RFUf7_CdjSKk7t2YuEvDM7CzHIzVafrHjo_hNp61u8M"
_acme-challenge.opnsense.labfridge.net. 600 IN TXT "X9r-3FXkGPdOwhigp4fcF8-PZ_C9KxiybC3VjQqQNzU"
_acme-challenge.opnsense.labfridge.net. 600 IN TXT "tyYN6m4Gk4Ch2yxvCTQtvYqRkxs50uvf_XBLLoftouI"
_acme-challenge.opnsense.labfridge.net. 600 IN TXT "G0IZhtee2Uy2Cjf6Y25lKmwshrcFdC1oOhj8tUHBpTU"

;; Query time: 85 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Wed Sep 17 10:27:36 EDT 2025
;; MSG SIZE  rcvd: 291