Can't renew as I am behind a port forward through a webproxy


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: clarkmorelsmith.family (clarkmorelsmith.family:1987)

I ran this command: any of the certbot commands

It produced this output: Please deploy a DNS TXT record under the name
_acme-challenge.clarkmorelsmith.family with the following value:

Hhd0bFvxUNfvZzwZQuccs7rUYQv3_TcWiqmMaN5cC3E

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. clarkmorelsmith.family (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.clarkmorelsmith.family

IMPORTANT NOTES:

  • The following errors were reported by the server:

  Domain: clarkmorelsmith.family
  Type:   None
  Detail: DNS problem: NXDOMAIN looking up TXT for
  _acme-challenge.clarkmorelsmith.family

My web server is (include version): VirtualBox 5 on CentOS 7 on IBM ThinkStation

The operating system my web server runs on is (include version): CentOS x86_64 7.5.1804

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Linux specialist using command line - my life is a bash shell

I have added the DNS TXT entries (2 so far) and they both fail, assuming a lookup of DNS timing proliferation perhaps?

Is there a way to bury the (:1987) bit behind this in the configs so your software cert process actually reaches the right server behind the webproxy? This will solve this for sure.


#2

Where did you create these TXT records? You need to create them in your GoDaddy DNS hosting. Can you take a screenshot?

If you’re using DNS validation, then the port of your web server is not relevant to the validation process.


#3

Created them in the DNS Zone setup on the GoDaddy site. Now just trying to retry and getting too many failed authorizations, so will try to find out how to reset that and try again.

Will wait till a bit later to retry now I have poked the angry koala bear.


#4

Have you deleted them? They don’t exist in the DNS. Either GoDaddy’s DNS servers are updating really slowly right now, or they really don’t exist.

The rate limit is a 1 hour sliding window, so you can try again soon.


#5

When you create the entry be sure NOT to add the domain (again) in.
LIKE:
_acme-challenge.domain.tld
NOT LIKE:
_acme-challenge.domain.tld.domain.tld


#6

Thank you.

Finally got back to this and I can happily report all is good.

In Australia I am using godaddy.com for the Zone setup. I have added an ‘A record’ for “_acme-challenge” and then added the TXT record just pointing to the ‘_acme-challenge’ host name without the domain name as recommended.

So for examples for others what I ended up doing, where:

  • mydomain = the domain name I am using
  • My_External_IP_Goes_Here = my external IP address for the server, as in my Internet connection external IP address
  • certbot_Code_Goes_Here = the code generated by the ‘certbot’ command line

Command line executed as root user:

certbot certonly --manual -d mydomain --preferred-challenges "dns,http"

My Zone entries look like:

A _acme-challenge.mydomain My_External_IP_Goes_Here
TXT _acme-challenge certbot_Code_Goes_Here

… and of course ‘service httpd restart’ for the CentOS server.

I have since deleted the TXT entry from the Zone records but will leave the A record in place for the next time I renew it all :slight_smile:

Thanks once again to Rudy and all who helped get me ‘secured’.

Could you please mark this as solved with much gratitude for your help.
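A pre-flight check for the "verify the record is deployed" step from post #1, added here as an example (it is not certbot's code and not from anyone in the thread): it queries the _acme-challenge TXT record with a hand-built DNS message and distinguishes a published token from the NXDOMAIN answer quoted above. All function names are my own, and the reply bytes used for checking are constructed, not captured.

```python
"""Pre-flight check for an ACME dns-01 challenge using only the standard library: query the
_acme-challenge TXT record and tell a published token apart from NXDOMAIN. Not certbot code."""
import socket
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels plus a zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive query (flags 0x0100, one question) for TXT/IN records of `name`."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 16, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name; a compression pointer (0xC0..) ends it in two bytes."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_txt_response(msg: bytes) -> tuple[str, list[str]]:
    """Return (status, txt_values); status is 'NOERROR', 'NXDOMAIN' or 'RCODE<n>'."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])  # id, flags, qd, an, ns, ar
    status = {0: "NOERROR", 3: "NXDOMAIN"}.get(flags & 0xF, f"RCODE{flags & 0xF}")
    off, values = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:  # TXT RDATA is a sequence of <len><chars> strings; join them
            parts, p = [], 0
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode())
                p += 1 + rdata[p]
            values.append("".join(parts))
    return status, values

def challenge_status(expected: str, response: bytes) -> str:
    """'ready' if the token is published, 'missing' if the name exists without it, 'nxdomain' otherwise."""
    status, values = parse_txt_response(response)
    return "nxdomain" if status == "NXDOMAIN" else ("ready" if expected in values else "missing")

def query_txt(name: str, resolver: str = "1.1.1.1", timeout: float = 3.0) -> bytes:
    """Live UDP lookup; point `resolver` at the zone's authoritative server to avoid stale caches."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (resolver, 53))
        return s.recvfrom(4096)[0]
```

Let's Encrypt asks the zone's authoritative nameservers directly, so run `query_txt` against those rather than a recursive resolver, which may still hold a negatively cached NXDOMAIN from an earlier failed attempt.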


closed #7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.