I don't know much about Nginx UI. But, it is using lego as the ACME Client to get the Let's Encrypt cert.
I did not see any docs at Nginx UI about how to configure a DNS Challenge. There was only one small mention for an HTTP Challenge.
Can you describe in more detail how you configured lego?
Is there some reason you need Nginx UI rather than just configuring nginx yourself? I am just curious. Sometimes it is easier to use tools directly.
PS: The Let's Debug test site is excellent for checking HTTP Challenges but there is not much it can test for DNS Challenges. Testing an HTTP Challenge it alerts that the IP for your domain is not a publicly accessible one. That is fine if you are setting up a private site and your choice of DNS Challenge is the only way to get a cert in that case. Just thought you should know its limits in validation DNS Challenges.
Sort of. To get a cert from the Let's Encrypt ACME Server you must use an ACME Client. Certbot is one of those. So is lego. There are many. Nginx UI itself doesn't have its own but relies on lego. Lego's docs are here: Welcome :: Let’s Encrypt client and ACME library written in Go.
This error says there is a comms problem from that IPv6 address ending in 9f85 making a request to the Cloudflare DNS server (IPv6 ending in c31d).
That "from" IP is not Let's Encrypt but rather it belongs to Telecentro. Is that you?
It is likely lego doing a pre-check that the needed TXT record exists before sending the cert request to Let's Encrypt. If so, this is some sort of configuration problem on your system. Since Nginx UI did that configuration for you it might be worth asking them. Otherwise you are left with debugging multiple layers of software now (Nginx UI and lego).
To get you started, what happens with this command?
That dig looks normal. Is that issued from the same "context" as when running Nginx UI?
What I mean is are you in the same VM and/or container or any other subsystem? Sometimes inside VMs or, say, docker containers the ports and access are different.
You will quickly exhaust my knowledge of Nginx UI. The above is just general knowledge. Might be worth asking them too.
What kind of problems did you have with Certbot? But, yes, there are many other ACME clients, so if it was something unique to it then maybe a different client would help.
I think there is an option to disable the pre-check from Lego so you could try doing that.
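The pre-check described above (confirm that the _acme-challenge TXT record is visible on the authoritative nameservers before asking Let's Encrypt to validate), as an added example that is neither from this thread nor from lego's own code. The function names `dns01_txt_value`, `dig_txt` and `precheck_dns01` are my own; the default lookup shells out to `dig`, the tool used in the thread, and the lookup can be swapped for any other resolver.

```python
import base64
import hashlib
import subprocess
import time


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(keyAuthorization)), no padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def dig_txt(name: str, nameserver: str) -> list[str]:
    """Query one nameserver for TXT records with `dig +short`; strips the quotes dig prints.
    Assumes `dig` is installed. This runs from the client's own network, which is why a
    local connectivity problem (e.g. broken IPv6 to the DNS provider) surfaces here,
    before Let's Encrypt is ever contacted."""
    proc = subprocess.run(["dig", "+short", "TXT", name, "@" + nameserver],
                          capture_output=True, text=True, timeout=10, check=False)
    return [line.strip().strip('"') for line in proc.stdout.splitlines() if line.strip()]


def precheck_dns01(domain, key_authorization, nameservers, lookup=dig_txt,
                   attempts=5, interval=2.0, sleep=time.sleep):
    """Poll until every authoritative nameserver serves the expected TXT record.

    Returns (ok, attempts_used, nameservers_still_missing_the_record). A False result
    with a populated missing list points at DNS propagation or a lookup failure on
    this machine, not at the ACME server.
    """
    fqdn = f"_acme-challenge.{domain}"
    expected = dns01_txt_value(key_authorization)
    missing = list(nameservers)
    for attempt in range(1, attempts + 1):
        missing = []
        for ns in nameservers:
            try:
                values = lookup(fqdn, ns)
            except Exception:  # timeout, no route, dig missing: treat as "not seen yet"
                values = []
            if expected not in values:
                missing.append(ns)
        if not missing:
            return True, attempt, []
        if attempt < attempts:
            sleep(interval)
    return False, attempts, missing
```

With a real domain, call `precheck_dns01("example.com", key_authz, ["ns1.provider.example"])` and inspect the missing list when it returns False.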
Success! I don't know really what happened tbh, but I tried again to gather logs to send to the people at Nginx UI GitHub and it worked:
2024/08/02 18:41:43 [INFO] [redhorizonit.com] acme: Waiting for DNS record propagation.
2024/08/02 18:41:45 [INFO] [redhorizonit.com] acme: Waiting for DNS record propagation.
2024/08/02 18:41:47 [INFO] [redhorizonit.com] acme: Waiting for DNS record propagation.
2024/08/02 18:41:55 [INFO] [redhorizonit.com] The server validated our request
2024/08/02 18:41:55 [INFO] [redhorizonit.com] acme: Cleaning DNS-01 challenge
2024/08/02 18:41:56 [INFO] [redhorizonit.com] acme: Validations succeeded; requesting certificates
2024/08/02 18:41:57 [INFO] [redhorizonit.com] Server responded with a certificate.
2024/08/02 18:41:57 [INFO] [Nginx UI] Writing certificate to disk
2024/08/02 18:41:57 [INFO] [Nginx UI] Writing certificate private key to disk
2024/08/02 18:41:57 [INFO] [Nginx UI] Reloading nginx
2024/08/02 18:41:57 [INFO] [Nginx UI] Finished
2024/08/02 18:41:59 [INFO] [Nginx UI] Environment variables cleaned
Issued certificate successfully
Certbot was pretty much doing the same, requesting the cert and simply returning an error, unfortunately I don't have any logs on what failed, but it pretty much looked like the one I was getting from Nginx.
I will take a look into Acme.sh, thanks! I will definitely need alternatives in the future in case I run into any issues.
Thanks again Mike for sharing your knowledge and your patience! Wishing you a great weekend
Sure, glad it's working. Certbot would not have had the same exact error because it does not do a precheck. But, if there were some DNS query issues on that system then Certbot would have failed on various of its HTTPS requests.
Yes, I'm super interested in using Certbot because I believe it does auto renewal for you as well, if I'm not mistaken.
Which would be awesome for me. And since I managed to get the cert I needed for some testing, I have enough time to read through the links you sent me and test Certbot a little bit more.