Can't Install Let's Encrypt - Can't Find DNS Records For Digital Ocean

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ebaykeywordsniperpro.com

I ran this command: Virtualmin Let's Encrypt Installation Process

It produced this output:
I’ve done this once before but don’t remember how I did it since it was a while back.

What I’m trying to do is create a ‘Let’s Encrypt’ SSL certificate, but the certificate will not install from ‘Virtualmin’ because I do not have my DNS records properly showing in Digital Ocean’s DNS records settings.

Here is the error that I keep getting from ‘Virtualmin’ & ‘Let’s Encrypt’:

Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.ebaykeywordsniperpro.com
http-01 challenge for ebaykeywordsniperpro.com
http-01 challenge for mail.ebaykeywordsniperpro.com
http-01 challenge for webmail.ebaykeywordsniperpro.com
http-01 challenge for www.ebaykeywordsniperpro.com
Using the webroot path /home/aaronesteban/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.ebaykeywordsniperpro.com
Challenge failed for domain ebaykeywordsniperpro.com
Challenge failed for domain mail.ebaykeywordsniperpro.com
http-01 challenge for admin.ebaykeywordsniperpro.com
http-01 challenge for ebaykeywordsniperpro.com
http-01 challenge for mail.ebaykeywordsniperpro.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.ebaykeywordsniperpro.com
   Type:   unauthorized
   Detail: During secondary validation: Invalid response from
   http://admin.ebaykeywordsniperpro.com/.well-known/acme-challenge/OvMbskvj1_2eAjq1_NOhdI8cv9N2xxul6yvbTtvhtyU
   [157.230.66.135]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: ebaykeywordsniperpro.com
   Type:   unauthorized
   Detail: Invalid response from
   http://ebaykeywordsniperpro.com/.well-known/acme-challenge/5vWFTq5Qa1Rfuulj91C1Y301XyKxwPZ1rfy7YC0Rpk0
   [157.230.66.135]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: mail.ebaykeywordsniperpro.com
   Type:   unauthorized
   Detail: Invalid response from
   http://mail.ebaykeywordsniperpro.com/.well-known/acme-challenge/B9EBuWJK6YeXpRm0c_yd-IjEXBNWM4rl5OPXq1Q_kdg
   [157.230.66.135]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
, DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for admin.ebaykeywordsniperpro.com
dns-01 challenge for ebaykeywordsniperpro.com
dns-01 challenge for mail.ebaykeywordsniperpro.com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain admin.ebaykeywordsniperpro.com
Challenge failed for domain ebaykeywordsniperpro.com
Challenge failed for domain mail.ebaykeywordsniperpro.com
dns-01 challenge for admin.ebaykeywordsniperpro.com
dns-01 challenge for ebaykeywordsniperpro.com
dns-01 challenge for mail.ebaykeywordsniperpro.com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.ebaykeywordsniperpro.com
   Type:   unauthorized
   Detail: No TXT record found at
   _acme-challenge.admin.ebaykeywordsniperpro.com

   Domain: ebaykeywordsniperpro.com
   Type:   unauthorized
   Detail: No TXT record found at
   _acme-challenge.ebaykeywordsniperpro.com

   Domain: mail.ebaykeywordsniperpro.com
   Type:   unauthorized
   Detail: No TXT record found at
   _acme-challenge.mail.ebaykeywordsniperpro.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): VPS

The operating system my web server runs on is (include version): Linux Ubuntu

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Welcome Back to the Let's Encrypt Community, Aaron 🙂

Your certificate history can be found here:

Having looked over the information you've provided, let me first state that I'm not familiar with Virtualmin. That said, my experience with ACME clients leads me to a few observations:

  • Only 3 out of the 5 domain names are mentioned as failing http-01 challenges with webroot authentication
  • The same 3 out of 5 domain names are then mentioned as failing dns-01 challenges with manual (dns) authentication

It seems unusual to try to authenticate two different ways for the same domain names. Were the logs you reported from different runs?

You may find these helpful:


2 posts were split to a new topic: Timeout during connect (likely firewall problem)

Hello Griffin,
I managed to figure it out and it worked.

Thank you very much


Here is what the message is showing now:

And my DNS records look like this:

I had to destroy my droplet because I originally built it by manually installing the LAMP stack on this Linux Ubuntu server and I wasn't able to create email addresses easily without Virtualmin. So I decided to delete the droplet on Digital Ocean and start over with a new server droplet and install Virtualmin as my WHM software to handle all installations of the LAMP stack and Let's Encrypt SSL certificate.

After reinstalling Virtualmin, this is when I started experiencing the errors during the Let's Encrypt installation.

I'm taking a look. Just a moment...

Okay, thanks again Griffin.

ebaykeywordsniperpro.com. 3599 IN A 67.205.129.99
ebaykeywordsniperpro.com. 1799 IN NS ns1.digitalocean.com.
ebaykeywordsniperpro.com. 1799 IN NS ns2.digitalocean.com.
ebaykeywordsniperpro.com. 1799 IN NS ns3.digitalocean.com.
ebaykeywordsniperpro.com. 1799 IN SOA ns1.digitalocean.com. hostmaster.ebaykeywordsniperpro.com. 1602177949 10800 3600 604800 1800
ebaykeywordsniperpro.com. 3599 IN TXT "_acme-challenge.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com. 3599 IN TXT "_acme-challenge.admin.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com. 3599 IN TXT "_acme-challenge.mail.ebaykeywordsniperpro.com"

*.ebaykeywordsniperpro.com. 3599 IN A 67.205.129.99

A few notes to start:

  • This information is not secret, so you have no need to hide it. Anyone accessing your website knows your IP address.
  • ACME dns-01 challenges require the creation of TXT records with a hostname of _acme-challenge.domainname and unique values encoded in base 64 that can be deleted once they are authenticated
  • You are currently using ACME http-01 challenges first that use files then dns-01 challenges that use TXT records
  • There is no reason to be using both types of challenges for redundancy
  • At present you have hit the failed validation rate limit

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.

I will look into the other errors in just a bit. We need the rate limit to clear before having any chance of success.

For that to have any authorization effect, it should have been:

_acme-challenge.ebaykeywordsniperpro.com. 3599 IN TXT "{a-cryptic-value-a}"
_acme-challenge.admin.ebaykeywordsniperpro.com. 3599 IN TXT "{b-cryptic-value-b}"
_acme-challenge.mail.ebaykeywordsniperpro.com. 3599 IN TXT "{c-cryptic-value-c}"

Maybe this shows the mistake/confusion better:

nslookup -q=txt ebaykeywordsniperpro.com

ebaykeywordsniperpro.com        text =
        "_acme-challenge.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com        text =
        "_acme-challenge.www.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com        text =
        "_acme-challenge.mail.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com        text =
        "_acme-challenge.admin.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com        text =
        "_acme-challenge.webmail.ebaykeywordsniperpro.com"

dig TXT ebaykeywordsniperpro.com @8.8.8.8

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> TXT ebaykeywordsniperpro.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26739
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ebaykeywordsniperpro.com.      IN      TXT

;; ANSWER SECTION:
ebaykeywordsniperpro.com. 3599  IN      TXT     "_acme-challenge.admin.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com. 3599  IN      TXT     "_acme-challenge.mail.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com. 3599  IN      TXT     "_acme-challenge.webmail.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com. 3599  IN      TXT     "_acme-challenge.www.ebaykeywordsniperpro.com"
ebaykeywordsniperpro.com. 3599  IN      TXT     "_acme-challenge.ebaykeywordsniperpro.com"

;; Query time: 121 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 08 19:14:41 UTC 2020
;; MSG SIZE  rcvd: 341
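
The mistake shown in the output above can be checked mechanically. This is an added example, not code from the thread, Certbot or Virtualmin: it parses dig-style TXT answers and reports, for each certificate name, whether a record sits at `_acme-challenge.<name>` or whether that name was entered as the value of some other record. The sample records (on example.com, with a placeholder value) are constructed, the function names are hypothetical, and the value shape and digest computation follow RFC 8555 section 8.4.

```python
import base64
import hashlib
import re

# Constructed sample: dig ANSWER-section lines in the shape shown in the thread,
# plus one correctly placed record carrying a 43-character placeholder value.
SAMPLE = (
    'example.com. 3599 IN TXT "_acme-challenge.example.com"\n'
    'example.com. 3599 IN TXT "_acme-challenge.mail.example.com"\n'
    '_acme-challenge.admin.example.com. 3599 IN TXT "' + "A" * 43 + '"\n'
)

# RFC 8555 section 8.4: the TXT value is the unpadded base64url SHA-256
# digest of the key authorization, which is always 43 characters long.
DIGEST_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def dns01_txt_value(token, thumbprint):
    """TXT value for a dns-01 challenge from its token and account key thumbprint."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_txt(answer_text):
    """Return (owner, value) pairs for the TXT lines of dig-style output."""
    records = []
    for line in answer_text.splitlines():
        m = re.match(r'^(\S+)\s+\d+\s+IN\s+TXT\s+"(.*)"\s*$', line.strip())
        if m:
            records.append((m.group(1).rstrip(".").lower(), m.group(2)))
    return records


def check_dns01(names, records):
    """Classify each certificate name as ok, bad-value, misplaced or missing."""
    result = {}
    for name in names:
        owner = f"_acme-challenge.{name}".lower()
        at_owner = [v for o, v in records if o == owner]
        if any(DIGEST_RE.match(v) for v in at_owner):
            result[name] = "ok"
        elif at_owner:
            result[name] = "bad-value"
        elif any(v.rstrip(".").lower() == owner for _, v in records):
            result[name] = "misplaced"  # record name was typed into the value field
        else:
            result[name] = "missing"
    return result
```

A "misplaced" result corresponds to the "No TXT record found at _acme-challenge.…" error in the log: the validator queries the `_acme-challenge` owner name and never reads TXT values at the apex.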