So basically I want a wildcard certificate for my *.example.com.
I have NS records for myserver.com in name.com.
My nameserver has a PowerDNS API which only responds to the lookup method,
so when using certbot I put the given TXT records on my nameservers to serve them.
I can see the TXT records when I dig _acme-challenge.example.com, but certbot gives me the following error: Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.myserver.com
Here is the answer section of my dig -t TXT _acme-challenge.myserver.com output:

```
;; ANSWER SECTION:
_acme-challenge.myserver.com. 299 IN TXT "iP8WMczfTCkgxqAQuacure_gHcoQDsM_fZv6JxOLEWo"
_acme-challenge.myserver.com. 299 IN TXT "p-4pkrTyrA2rWYTkbyt0uxLnHwxiG9ZT3btkkTZ2qT0"
```
To find errors, we need information, so please answer the following questions:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
First of all, thanks for clarifying the secrecy part!
So the wildcard domain I am trying to get is *.cdn.cafebazaar.cloud
certbot command: sudo /opt/certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual -d *.cdn.cafebazaar.cloud
The produced output, as mentioned above, was: Failed authorization procedure. cdn.cafebazaar.cloud (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.cdn.cafebazaar.cloud
(and an IMPORTANT NOTES section that I think is static and not related to my problem)
By web server I assume you mean my nameservers, where there is a pdns (4.0.0-alpha2) service running which is connected to a unix backend on Ubuntu 16.04, and I have a root shell.
I'm using certbot-auto 0.30.2 as client.
You need to sort out why it's doing that, or, if it shouldn't be authoritative for that zone, why it is.
This may not be relevant, but you should really upgrade off that three-year-old alpha. If nothing else, it has security vulnerabilities and a minor EDNS compliance bug (which isn't relevant to Flag Day).
Thank you both for looking this up.
Manually testing this with the command @mnordhoff mentioned, I get the result below:
```
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> +norecurse _acme-challenge.cdn.cafebazaar.cloud txt @79.175.132.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47247
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_acme-challenge.cdn.cafebazaar.cloud. 300 IN TXT "p-4pkrTyrA2rWYTkbyt0uxLnHwxiG9ZT3btkkTZ2qT0"
_acme-challenge.cdn.cafebazaar.cloud. 300 IN TXT "PmLJsa2OOjMlxhXTtSLUJYDqbh3BrUyY1UOFqjJctOU"

;; Query time: 1699 msec
;; SERVER: 79.175.132.51#53(79.175.132.51)
;; WHEN: Tue Jan 29 19:38:02 +0330 2019
;; MSG SIZE  rcvd: 177
```
As for the unboundtest, I tried with a different valid domain and I see the problem, but any idea how to debug this?
P.S. I look forward to upgrading pdns; thank you again for mentioning it.
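A small checker for the kind of dig output posted above, added here as an example; it is not code from this thread, from Certbot or from PowerDNS. It parses the header flags, the answer section and the query time, and reports the things an ACME validator or a slow remote backend would trip over: a non-authoritative answer (no `aa` flag), a missing or mismatched `_acme-challenge` TXT value, or a response slower than a chosen threshold. The sample dig output, domain name and server address in it are constructed for the example.

```python
"""Check a dig answer for an ACME dns-01 TXT challenge (example code)."""
import re

# Constructed sample dig output, modelled on the thread's query; not a live capture.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.11.3 <<>> +norecurse _acme-challenge.cdn.example.cloud txt @192.0.2.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47247
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_acme-challenge.cdn.example.cloud. 300 IN TXT "p-4pkrTyrA2rWYTkbyt0uxLnHwxiG9ZT3btkkTZ2qT0"
_acme-challenge.cdn.example.cloud. 300 IN TXT "PmLJsa2OOjMlxhXTtSLUJYDqbh3BrUyY1UOFqjJctOU"

;; Query time: 1699 msec
;; SERVER: 192.0.2.10#53(192.0.2.10)
"""

TXT_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+(.*)$')
FLAGS_RE = re.compile(r'^;; flags: ([^;]*);')
QTIME_RE = re.compile(r'^;; Query time: (\d+) msec')
STATUS_RE = re.compile(r'status: (\w+)')


def parse_dig(output):
    """Return (rcode, header flags, TXT values keyed by owner name, query time in ms)."""
    status = None
    flags = set()
    records = {}
    query_ms = None
    for line in output.splitlines():
        if line.startswith(';; ->>HEADER<<-'):
            m = STATUS_RE.search(line)
            if m:
                status = m.group(1)
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
        m = QTIME_RE.match(line)
        if m:
            query_ms = int(m.group(1))
        m = TXT_RE.match(line)
        if m:
            name = m.group(1).rstrip('.').lower()
            # TXT rdata may be split into several quoted strings; join them into one value.
            value = ''.join(re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(3)))
            records.setdefault(name, []).append(value)
    return status, flags, records, query_ms


def check_challenge(output, domain, expected_value, max_query_ms=1000):
    """Return a list of findings; an empty list means the answer looks acceptable."""
    status, flags, records, query_ms = parse_dig(output)
    name = f'_acme-challenge.{domain}'.lower()
    findings = []
    if status != 'NOERROR':
        findings.append(f'rcode {status}')
    if 'aa' not in flags:
        # The validator asks the authoritative servers directly; a cached or
        # forwarded answer is not what it will see.
        findings.append('answer not authoritative (no aa flag)')
    values = records.get(name, [])
    if not values:
        findings.append(f'no TXT record for {name}')
    elif expected_value not in values:
        findings.append('expected challenge value not among TXT records')
    if query_ms is not None and query_ms > max_query_ms:
        # A backend that fetches records on demand can push the answer past
        # the validator's patience; flag anything over the threshold.
        findings.append(f'slow response ({query_ms} ms)')
    return findings


if __name__ == '__main__':
    token = 'p-4pkrTyrA2rWYTkbyt0uxLnHwxiG9ZT3btkkTZ2qT0'
    for finding in check_challenge(SAMPLE_DIG_OUTPUT, 'cdn.example.cloud', token):
        print('finding:', finding)
```

Paste the real `dig +norecurse ... @<nameserver>` output in place of the sample and pass the value Certbot asked you to publish as `expected_value`; run it once per authoritative nameserver, since the validator may query any of them.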
OK, because my backend code only supports lookup queries, I had to put the TXT records in name.com (with acme.sh, to be exact, and then manually) and then query them from my backend upon the challenge, hence the high response time.
So I changed it to a sample string; the response time went down to 250 ms, but the problem still persists.