Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: proapps.dayq.eu
I ran this command:
I'm trying to run the dns-01 manual record challenge. We bought a domain name from a hosting provider, but we have our own dedicated server with Hyper-V and a bunch of VMs. They are all connected; one of them hosts proapps.dayq.eu. DNS is installed on another machine. I create the record in the DNS manager, and it seems that it finds the record, but it still does not issue the certificate. We made a port forwarding to proapps.dayq.eu. It is only accessible through 44444, so HTTP validation is not an option, as I understand it.
It produced this output:
[INFO] Answer should now be available at _acme-challenge.proapps.dayq.eu
[DBUG] Querying name servers for dayq.eu
[DBUG] Querying IP for name server
[DBUG] Name server IP 192.168.73.230 identified
[DBUG] Using random name server
[INFO] Preliminary validation succeeded: 2CaTtULlsXI3kMuICFKD-wisX-bYqdJt8ORG4JMCdqE found in 2CaTtULlsXI3kMuICFKD-wisX-bYqdJt8ORG4JMCdqE
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/Km5eLkv7Ts8sWa7OxF3Q--84wdyk5JpQePAgcM6ychc/303788494
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/Km5eLkv7Ts8sWa7OxF3Q--84wdyk5JpQePAgcM6ychc/303788494
[EROR] {
  "type": "urn:ietf:params:acme:error:dns",
  "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.proapps.dayq.eu",
  "status": 400
}
[EROR] Authorization result: invalid
My web server is (include version):
We host Qlik Sense.
The operating system my web server runs on is (include version):
Windows Server 2016
My hosting provider, if applicable, is:
hostex.lt
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme.v2.05.246
If you are using manual DNS, you need to actually change the actual TXT record of the requested domain accordingly.
It detected the name server as 192.168.73.220, which is a private IP. Is that the real public-facing DNS server?
But the actual server IP is 192.168.73.237. We do forwarding from the router on port 44444.
Regarding the TXT record. I do it on the DNS server which resides on 192.168.73.230. And it seems that the acme client finds the record:
[INFO] Preliminary validation succeeded: 2CaTtULlsXI3kMuICFKD-wisX-bYqdJt8ORG4JMCdqE found in 2CaTtULlsXI3kMuICFKD-wisX-bYqdJt8ORG4JMCdqE
Oh, I see. I will try to obtain access so I can edit it in their zone file editor, and then I will update on whether it worked. Thanks. One more question: is it really not possible to do the http-01 challenge if ports 80 or 443 are not available?
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at proapps.dayq.eu Port 80
Port 80 is open; checking /.well-known/acme-challenge/unknown-filename there gives the expected result, HTTP status 404 - Not Found.
I mean, I don't know why it says that it is an Ubuntu server, because I'm logged in and this is Windows Server 2016. I tried to do the http-01 challenge with the win-acme client, but to no avail. I've done it on other servers with no issues at all, but I had never encountered a case where port 80 is not available directly. I lack the knowledge at the moment to fully understand how this port forwarding actually works.