Auto Renewing of certs


#1

We want to use Let’s Encrypt for our certs. We used to use a wildcard cert but we are not renewing it.

We have multiple public facing IIS servers and a few public facing Linux machines that require certs. Am I able to get these to auto-renew without the need to open port 80? Can I get the certs to update automatically in IIS / nginx, or will I need to do something manually?

I am currently trying to generate certs via Certify The Web and keep getting errors:

_acme-challenge.domain.com TXT V96qDJ-f0px0oc3w-4ItEH99Urpx2HwJztsMAQz799Y

2019-01-21 11:54:20.196 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/49752670/281202228
2019-01-21 11:54:20.951 +00:00 [INF] Fetching Authorizations.
2019-01-21 11:54:24.532 +00:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/Exxdik3tTinpqxCbuqfv0Z-YdZDYUg6f84w2ZEoGulw/1170
2019-01-21 11:54:25.950 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/Exxdik3tTinpqxCbuqfv0Z-YdZDYUg6f84w2ZEoGulw/1170
2019-01-21 11:54:28.893 +00:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/mRXZcRL3dLLEqiz3lKQfjWSK-Ck0UN6tGLaO0aiWVcQ/1159
2019-01-21 11:54:30.408 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/mRXZcRL3dLLEqiz3lKQfjWSK-Ck0UN6tGLaO0aiWVcQ/1159
2019-01-21 11:54:30.408 +00:00 [INF] Attempting Challenge Response Validation for Domain: domain.com
2019-01-21 11:54:30.409 +00:00 [INF] Registering and Validating domain.com
2019-01-21 11:54:30.409 +00:00 [INF] Checking automated challenge response for Domain: domain.com
2019-01-21 11:54:32.929 +00:00 [INF] DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain.com
2019-01-21 11:54:35.064 +00:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain.com
2019-01-21 11:54:35.064 +00:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain.com

Each time I change the TXT record to enter the requested text, I rerun the request as per the instructions and it gives me the same error, and requests that I add a different text string.

Any and all help gratefully received.


#2

Hi @AngryDog

There are at least 3 errors, two are critical ( https://check-your-website.server-daten.de/?q=mikecert.tmd.tv ).

Host                  T   IP-Address   is auth.   ∑ Queries   ∑ Timeout
mikecert.tmd.tv           Name Error   yes        1           0
www.mikecert.tmd.tv       Name Error   yes        1           0

The domain name is unknown -> may be the reason for the NXDOMAIN, because mikecert.tmd.tv doesn't exist.

tv

You have bad nameservers, they don’t support TCP. Authoritative Nameservers must support TCP. Normally, this is critical, now perhaps not.

But the third is wrong ( https://check-your-website.server-daten.de/?q=tmd.tv ):

You have created an entry

_acme-challenge.tmd.tv.tmd.tv

But the menu you use adds your domain. So create only an entry with

_acme-challenge

as name.
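What the dns-01 record has to look like, as an added example that is not part of this thread or of Certify The Web: the TXT name is `_acme-challenge.<identifier>`, the TXT value is derived from the challenge token and the account key (RFC 8555 section 8.4, RFC 7638), and a DNS panel that appends the zone to whatever you type turns `_acme-challenge.tmd.tv` into `_acme-challenge.tmd.tv.tmd.tv`, which is exactly why the CA sees NXDOMAIN at the name it actually queries. The token, the P-256 JWK and the panel behaviour are constructed for the example; standard library only.

```python
import base64
import hashlib
import json
from typing import List

# Constructed sample inputs (not taken from the thread): the token mirrors the
# RFC 8555 dns-01 example, and the JWK is a made-up P-256 public key, not a real one.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "use": "sig",   # optional member: must NOT enter the thumbprint
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no
    whitespace) of the required public members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(keyAuthorization))
    with keyAuthorization = token + "." + thumbprint(accountKey). A new order
    means a new token, which is why the requested string changes on every retry."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_txt_name(identifier: str) -> str:
    """The CA queries TXT at _acme-challenge.<identifier>; a wildcard
    *.example.com is validated at _acme-challenge.example.com."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host.rstrip('.')}"


def dns_panel_fqdn(name_field: str, zone: str) -> str:
    """Assumed control-panel behaviour, as post #2 describes it: a relative Name
    gets the zone appended, '@' or empty means the zone apex, and a trailing dot
    marks an already fully qualified name. Panels differ; check yours."""
    if name_field.endswith("."):
        return name_field.rstrip(".")
    if name_field in ("", "@"):
        return zone
    return f"{name_field}.{zone}"


def check_record_name(name_field: str, zone: str, identifier: str) -> List[str]:
    """Problems to fix before re-running the order (empty list means the name is right)."""
    problems = []
    actual = dns_panel_fqdn(name_field, zone)
    wanted = dns01_txt_name(identifier)
    if actual != wanted:
        problems.append(f"record lands at {actual}, but the CA will query {wanted}")
    if actual.endswith(f".{zone}.{zone}"):
        problems.append(f"zone '{zone}' is doubled: type only the relative name")
    return problems


if __name__ == "__main__":
    print(dns01_txt_name("mikecert.tmd.tv"), "TXT",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    for typed in ("_acme-challenge.tmd.tv", "_acme-challenge"):
        print(f"{typed!r} in zone tmd.tv ->",
              check_record_name(typed, "tmd.tv", "tmd.tv") or "ok")
```

Before re-running an order, query the exact name the CA will query (`dig TXT _acme-challenge.tmd.tv @<your authoritative nameserver>`) and make sure the value is the one from the current order, not a previous one; and remember that the token is per order, so every fresh attempt asks for a new TXT value.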


#3

Hi Juan,

Thanks for your reply. Oddly, I managed to get it to work after trying a few different things. Not sure if it was by skill(!) or luck(likely).

I have multiple sites I need to do this for so I have moved onto another one of our IIS servers but it is giving me a different error.

Failed to begin certificate order: JWS has an invalid anti-replay nonce


#4

Then your client is bad.

The ACME-protocol requires that the client fetches a nonce (long random value) and sends this nonce with the next command. But a nonce has a short lifespan.

So if you wait too long, normally your client should fetch a new nonce to remove such an error.

If the client doesn’t do that, this is bad.
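The nonce exchange described above, as an added example that is not part of this thread and not the code of any real ACME client or CA: a toy server that enforces the RFC 8555 section 6.5 rules (single-use nonces, a bounded window of valid ones, and a fresh `Replay-Nonce` header on every response including the `badNonce` error), and a client that re-signs with that fresh nonce and retries. The nonce "lifespan" is modelled as a window of the newest few nonces rather than a clock, and the JWS signature is an HMAC with a shared per-account key standing in for ES256/RS256 against the account's public key; both are assumptions for the example. Standard library only.

```python
import base64
import hashlib
import hmac
import json
import secrets
from collections import OrderedDict
from typing import Dict, Tuple

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AcmeServer:
    """Toy newNonce + POST endpoint with the RFC 8555 section 6.5 nonce rules:
    each nonce is single-use, only the newest few stay valid (the 'short
    lifespan' from post #4, modelled as a bounded window, an assumption), and
    every response, errors included, carries a fresh Replay-Nonce header."""

    def __init__(self, account_keys: Dict[str, bytes], max_live_nonces: int = 3):
        self._keys = account_keys          # kid -> shared HMAC key (toy stand-in for the account public key)
        self._live = OrderedDict()
        self._max_live = max_live_nonces

    def _fresh_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self._live[nonce] = None
        while len(self._live) > self._max_live:
            self._live.popitem(last=False)   # oldest nonce expires
        return nonce

    def new_nonce(self) -> Dict[str, str]:
        return {"Replay-Nonce": self._fresh_nonce()}

    def post(self, jws: Dict[str, str]) -> Tuple[int, Dict[str, str], dict]:
        protected = json.loads(b64url_decode(jws["protected"]))
        signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
        key = self._keys.get(protected.get("kid", ""), b"")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(jws["signature"])):
            return 401, {"Replay-Nonce": self._fresh_nonce()}, {
                "type": "urn:ietf:params:acme:error:malformed", "detail": "bad signature"}
        nonce = protected.get("nonce", "")
        if nonce not in self._live:
            return 400, {"Replay-Nonce": self._fresh_nonce()}, {
                "type": BAD_NONCE, "detail": "JWS has an invalid anti-replay nonce"}
        del self._live[nonce]   # consumed: a replay of the same JWS now fails
        return 201, {"Replay-Nonce": self._fresh_nonce()}, {"status": "pending"}


class AcmeClient:
    def __init__(self, server: AcmeServer, account_key: bytes, kid: str):
        self._server, self._key, self._kid = server, account_key, kid
        self._nonce = server.new_nonce()["Replay-Nonce"]

    def _sign(self, url: str, payload: dict) -> Dict[str, str]:
        # Protected header as in RFC 8555 section 6.2: alg, kid, nonce, url.
        protected = b64url(json.dumps(
            {"alg": "HS256", "kid": self._kid, "nonce": self._nonce, "url": url},
            separators=(",", ":")).encode("ascii"))
        body = b64url(json.dumps(payload, separators=(",", ":")).encode("ascii"))
        sig = hmac.new(self._key, f"{protected}.{body}".encode("ascii"), hashlib.sha256).digest()
        return {"protected": protected, "payload": body, "signature": b64url(sig)}

    def post(self, url: str, payload: dict, max_retries: int = 1) -> Tuple[int, dict, int]:
        """POST-as-JWS; on badNonce, re-sign with the nonce from the error response
        and retry (a client that refuses to do this is the 'bad client' of post #4)."""
        retries = 0
        while True:
            status, headers, body = self._server.post(self._sign(url, payload))
            self._nonce = headers["Replay-Nonce"]   # always adopt the newest nonce
            if status == 400 and body.get("type") == BAD_NONCE and retries < max_retries:
                retries += 1
                continue
            return status, body, retries


def stale_nonce_scenario(max_retries: int = 1) -> Tuple[int, int]:
    """The client fetches a nonce, then other traffic ages it out of the window;
    returns (final HTTP status, retries used)."""
    key = b"constructed-account-key"
    kid = "https://acme.example/acct/1"           # constructed account URL
    server = AcmeServer({kid: key}, max_live_nonces=3)
    client = AcmeClient(server, key, kid)
    for _ in range(3):
        server.new_nonce()   # pushes the client's nonce out of the valid window
    status, _body, retries = client.post("https://acme.example/new-order",
                                         {"identifiers": []}, max_retries=max_retries)
    return status, retries


if __name__ == "__main__":
    print("retrying client:", stale_nonce_scenario(max_retries=1))
    print("non-retrying client:", stale_nonce_scenario(max_retries=0))
```

The retrying client ends with 201 after one extra round trip; the non-retrying one ends with the same 400 `badNonce` the post quotes. On a real server the nonce can also go stale because the clock ran out, so a client that caches a nonce across a long pause should expect the same error and recover the same way.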


#5

Thanks - thought I had best update this - I managed to get it to work, it was an issue with my challenge and TXT records.