Set Up DNS Verification

As of NetSuite 2024.1, HTTP-based challenges to verify that a certificate request comes from the owner of a domain name have been replaced by DNS-based verification.

DNS verification uses the Automatic Certificate Management Environment (ACME) protocol. ACME is a modern, standardized protocol for the automatic validation, issuance, and renewal of X.509 certificates from a certificate authority (CA) to clients. With ACME, machines can obtain certificates from a CA without human interaction.

If you are using a secure domain, you must set up a CNAME record for DNS verification with your domain provider. See Point Your Domain Name at Your Domain (DNS Settings).

How DNS Verification Records Work

DNS verification adds a layer of security to confirming ownership of your domain.

With DNS verification, a user requests a certificate from a CA by using ACME client software that supports DNS-based verification. When the client software requests a certificate, the CA asks the client to verify ownership of the domain by sending a unique token to the ACME client.

As an example, if a client was trying to validate the domain example.com, the validation subdomain would be _acme-challenge.example.com. When the token value is added to the DNS zone, the client tells the CA to proceed with validation, after which the CA performs a DNS query against the domain’s DNS servers. If the DNS servers reply with a DNS record that contains the correct challenge token, ownership of the domain is verified and the certificate is issued.

NetSuite-hosted domains use CNAME records to delegate DNS verification from your domain to a NetSuite domain. For example, a DNS verification domain, such as _acme-challenge.example.com, is delegated to NetSuite’s verification server, example.com.hosting-verify.netsuite.com.

In the DNS area of the Domain record in NetSuite, a CNAME record for DNS verification is displayed, along with the CNAME record for web hosting. Both records must be set up as CNAME records with your domain provider.

The CNAME record for DNS verification will always be designated by the prefix _acme-challenge.
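The delegated lookup described above, modelled as an added example (not NetSuite's or any ACME client's code) against a constructed, in-memory zone: the CA's resolver follows the _acme-challenge CNAME to the hosting-verify name and looks for the challenge TXT value there. The token, account thumbprint and the misconfigured names are constructed; the TXT value is derived the way RFC 8555 specifies for DNS-01 (base64url of the SHA-256 of the key authorization).

```python
import base64
import hashlib

# Constructed inputs standing in for what the CA sends and what the ACME client holds.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"       # constructed
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"  # constructed

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value for a DNS-01 challenge: base64url(SHA-256(token '.' thumbprint)), unpadded (RFC 8555 s8.4)."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

EXPECTED = dns01_txt_value(TOKEN, THUMBPRINT)

# Constructed zone data: what the CA's resolver would see. Names are fully qualified.
ZONE = {
    "_acme-challenge.example.com.": [("CNAME", "example.com.hosting-verify.netsuite.com.")],
    "example.com.hosting-verify.netsuite.com.": [("TXT", EXPECTED)],
    # Misconfigurations: CNAME without the _acme-challenge prefix, a CNAME loop, and a delegation
    # target that holds no token yet.
    "acme-challenge.wrongprefix.example.": [("CNAME", "wrongprefix.example.hosting-verify.netsuite.com.")],
    "_acme-challenge.loop.example.": [("CNAME", "_acme-challenge.loop.example.")],
    "_acme-challenge.empty.example.": [("CNAME", "empty.example.hosting-verify.netsuite.com.")],
}

def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs from name and return the TXT strings at the end of the chain ([] if none)."""
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        records = zone.get(name, [])
        cnames = [target for rtype, target in records if rtype == "CNAME"]
        if not cnames:
            return [value for rtype, value in records if rtype == "TXT"]
        name = cnames[0]  # a name with a CNAME carries no other data, so keep following
    return []  # CNAME loop or chain too long: treated as no record

def check_verification_record(zone, domain, expected_txt):
    """Return (ok, message) mirroring the two DNS Verification Status messages on the Domain record."""
    txt_values = resolve_txt(zone, f"_acme-challenge.{domain}.")
    if expected_txt in txt_values:
        return True, "Your DNS record is configured correctly."
    return False, "Your DNS record is configured incorrectly."
```

Against a live zone the same chain can be followed with `dig +trace _acme-challenge.<domain> TXT` at your domain provider before saving the Domain record.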

Set Up DNS Verification Records

When adding a new secure domain in NetSuite, records for DNS verification, as well as for website hosting, are automatically created and displayed on the Domain record page in the DNS area. The two records must be copied and added as CNAME records at your domain provider’s website.

In the following example, the record for DNS verification is highlighted.

Example of DNS verification CNAME

See Point Your Domain Name at Your Domain (DNS Settings) for information about setting up CNAME records on your domain provider’s website.

You should set up CNAME records with your domain provider before completing domain setup in NetSuite. After you have set up the CNAME records with your domain provider, return to the Domain record in NetSuite and click Save. If you already saved the Domain record, go to Commerce > Hosting > Domains, click Edit next to your domain, then click Save to trigger redeployment.

Note:

Adding a CNAME record for DNS verification is only necessary if you are setting up a secure domain. However, the DNS verification record will display on the NetSuite Domain record even if you have not secured your domain. This is because you always have the option to secure your non-secure domain in the future, or you may switch your domain between secure and unsecure. DNS verification information will always be available in the NetSuite Domain record for you to copy and add as a CNAME record with your domain provider.

DNS Verification Status Field

You can view the DNS verification status in the NetSuite Domain record in the Status area. The DNS Verification Status field indicates whether the ACME challenge record for your domain is set up and correctly configured.

The DNS Verification Status field can have one of the following two statuses:

  • Your DNS record is configured correctly.

    A green tick icon is displayed to the left of this message.

  • Your DNS record is configured incorrectly.

    A red cross error icon is displayed to the left of this message. There will also be a red cross displayed in the DNS column on the Set Up Domains page.

    Note:

    For secure domains, the DNS status on the Set Up Domains page includes both the DNS and DNS verification statuses. For unsecure domains, it only includes the DNS status.

If there is an error with the DNS Verification Status, confirm with your domain provider that the CNAME record for DNS verification is set up correctly.

If your domain is unsecured, you can ignore the DNS verification error because DNS verification is only required for secure domains. However, if you intend to secure your domain in the future, you should still set up a DNS verification record with your domain provider.
