Certbot fails to renew SSL cert via DNS auth

Hi! Certbot's challenge keeps failing and I'm not sure why. I started out with the basic renewal command, but now I'm running a more explicit command and keep hitting the same issue (no TXT record) despite setting up my CNAME redirect record correctly AFAICT. I also tried setting FORCE_REGISTER = True in acme-dns-auth.py to ensure it's trying to use a new CNAME to no avail.

My domain is: squaredle.app

I ran this command:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges

It produced this output:

[After it gave me the CNAME record to use, I entered that record and waited ten minutes before pressing Enter. The previous CNAME record had a TTL of 300, as did this one.]

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): squaredle.app
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for squaredle.app

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.squaredle.app CNAME bcd99878-dd64-4133-ac5e-c7f5b870ab33.auth.acme-dns.io.

Waiting for verification...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue 
Challenge failed for domain squaredle.app
dns-01 challenge for squaredle.app
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: squaredle.app
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.squaredle.app - check that a DNS record exists for
   this domain

My web server is (include version):

Apache/2.4.41

The operating system my web server runs on is (include version):

Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

Thanks in advance. I've been wrangling with this for a couple hours now. I'll hold off on making more changes so you can verify my DNS records if needed.

Hi @squaredle, and welcome to the LE community forum :slight_smile:

It seems like you are doing the right thing.
But it might just need more time for the authoritative DNS servers to synchronize.

Once you have updated the CNAME entry, check to ensure all of the authoritative DNS servers have that entry before pressing ENTER to continue.

squaredle.app   nameserver = ns1.digitalocean.com
squaredle.app   nameserver = ns2.digitalocean.com
squaredle.app   nameserver = ns3.digitalocean.com

You can check with:

nslookup -q=txt _acme-challenge.squaredle.app ns1.digitalocean.com
nslookup -q=txt _acme-challenge.squaredle.app ns2.digitalocean.com
nslookup -q=txt _acme-challenge.squaredle.app ns3.digitalocean.com
2 Likes
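The reply above recommends checking every authoritative nameserver before pressing Enter. The following script, added here as an illustration and not part of the original post, automates that check: it asks each nameserver for the _acme-challenge CNAME, follows it to the acme-dns host, and reports per server whether the record is missing (NXDOMAIN), serves a stale token, or is consistent. The `dig_resolver` wraps dig(1) for real use; the constructed table in `demo()` models the three situations seen in this thread offline (the old acme-dns target and the 43-character tokens marked as constructed are placeholders, not values from the poster's zone).

```python
"""Pre-flight check for an acme-dns delegated DNS-01 challenge (added example).

Ask every authoritative nameserver for _acme-challenge.<domain>, follow the
CNAME to the acme-dns host, and compare what each path serves before telling
certbot to submit the challenge to the CA.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# resolve(qname, rtype, nameserver) -> rdata strings, [] for an empty answer,
# None for NXDOMAIN. nameserver=None means the system resolver.
Resolver = Callable[[str, str, Optional[str]], Optional[List[str]]]


def dig_resolver(qname: str, rtype: str, nameserver: Optional[str]) -> Optional[List[str]]:
    """Real resolver built on dig(1); parses the status line and the answer section."""
    cmd = ["dig", "+noall", "+comments", "+answer", qname, rtype]
    if nameserver:
        cmd.append("@" + nameserver)
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    if "status: NXDOMAIN" in out:
        return None
    rdata = []
    for line in out.splitlines():
        fields = line.split(None, 4)  # name ttl class type rdata
        if len(fields) == 5 and fields[3] == rtype:
            rdata.append(fields[4].strip().strip('"'))
    return rdata


def table_resolver(table: Dict[Tuple[str, str, Optional[str]], Optional[List[str]]]) -> Resolver:
    """Offline resolver over a constructed table; missing keys answer NOERROR/empty."""
    return lambda qname, rtype, nameserver: table.get((qname, rtype, nameserver), [])


def resolve_challenge(name: str, nameserver: Optional[str], resolve: Resolver,
                      max_hops: int = 5) -> Tuple[List[str], Optional[List[str]]]:
    """Follow CNAMEs from `name`: first hop at `nameserver`, later hops via the
    system resolver (the zone's servers are not authoritative for acme-dns).
    Returns (cname_targets, txt_values); txt_values is None on NXDOMAIN."""
    chain: List[str] = []
    qname, server = name, nameserver
    for _ in range(max_hops):
        cname = resolve(qname, "CNAME", server)
        if cname is None:
            return chain, None
        if not cname:
            return chain, resolve(qname, "TXT", server)
        qname = cname[0].rstrip(".")
        chain.append(qname)
        server = None
    return chain, []  # CNAME loop or chain too deep


def classify(txts: Optional[List[str]], expected_token: Optional[str]) -> str:
    if txts is None:
        return "nxdomain"
    if not txts:
        return "no-txt"
    if expected_token is None:
        return "present"
    return "ok" if expected_token in txts else "stale-token"


def preflight(domain: str, nameservers: List[str], resolve: Resolver,
              expected_token: Optional[str] = None):
    """Returns (ready, report). ready is True only when every nameserver serves
    the same CNAME, the same TXT set, and (when given) the expected token."""
    name = f"_acme-challenge.{domain}"
    report = {}
    for ns in nameservers:
        chain, txts = resolve_challenge(name, ns, resolve)
        report[ns] = {"cname": chain[0] if chain else None,
                      "txt": sorted(txts) if txts else txts,
                      "status": classify(txts, expected_token)}
    good = all(r["status"] in ("ok", "present") for r in report.values())
    agree = len({(r["cname"], tuple(r["txt"] or ())) for r in report.values()}) == 1
    return good and agree, report


# Constructed sample data modelled on the thread (offline demo only).
NS = ["ns1.digitalocean.com", "ns2.digitalocean.com", "ns3.digitalocean.com"]
NAME = "_acme-challenge.squaredle.app"
NEW_TARGET = "bcd99878-dd64-4133-ac5e-c7f5b870ab33.auth.acme-dns.io"  # from the certbot output
OLD_TARGET = "00000000-0000-4000-8000-000000000000.auth.acme-dns.io"  # constructed placeholder
NEW_TOKEN = "N" * 43                                        # constructed 43-char token
OLD_TOKEN = "EDerkmxjkn24ItBi47fsQIBLgl1w4t0Str2Z_rgpNHY"    # the "incorrect" token from the thread
TARGETS = {(NEW_TARGET, "TXT", None): [NEW_TOKEN], (OLD_TARGET, "TXT", None): [OLD_TOKEN]}


def demo():
    propagating = {**TARGETS, **{(NAME, "CNAME", ns): [NEW_TARGET + "."] for ns in NS[:2]}}
    propagating[(NAME, "CNAME", NS[2])] = [OLD_TARGET + "."]      # ns3 still has the old CNAME
    synced = {**TARGETS, **{(NAME, "CNAME", ns): [NEW_TARGET + "."] for ns in NS}}
    missing = {("_acme-challenge.www.squaredle.app", "CNAME", ns): None for ns in NS}
    return {
        "propagating": preflight("squaredle.app", NS, table_resolver(propagating), NEW_TOKEN),
        "synced": preflight("squaredle.app", NS, table_resolver(synced), NEW_TOKEN),
        "missing": preflight("www.squaredle.app", NS, table_resolver(missing)),
    }


if __name__ == "__main__":
    import sys  # usage: script.py squaredle.app ns1.digitalocean.com ns2.digitalocean.com ...
    ready, report = preflight(sys.argv[1], sys.argv[2:], dig_resolver)
    for ns, r in report.items():
        print(f"{ns}: {r['status']}  cname={r['cname']}  txt={r['txt']}")
    print("READY: press Enter in certbot" if ready else "NOT READY: wait and re-check")
```

Run it with the domain followed by the authoritative nameservers from the reply above; a "stale-token" on one server means the old CNAME is still being served there, and "nxdomain" everywhere means the CNAME was never added to the zone.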

That's what I was afraid of -- that I'm doing everything right. :-/

I tried again, verifying the nameservers were all updated. They seem to update almost instantly. This time, I received a different error:

   Domain: squaredle.app
   Type:   unauthorized
   Detail: During secondary validation: Incorrect TXT record
   "EDerkmxjkn24ItBi47fsQIBLgl1w4t0Str2Z_rgpNHY" found at
   _acme-challenge.squaredle.app

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I suspect the above is because it's still finding the older CNAME record and thus the older token.

The previous time, I waited over 10 minutes before trying, so it seems like there are only two cases:

  1. Finding the old CNAME record and therefore failing
  2. Finding the new CNAME record and failing for some unknown reason

So I still need help debugging case #2. Thank you!!

I think those acme-dns CNAME entries are rather static, coupled to an account? The TXT RR is being updated using a REST API (I believe) at the acme-dns server.

Currently, the validation server finds the TXT RR without a hitch:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: squaredle.app
  Type:   unauthorized
  Detail: Incorrect TXT record "U-sCnKYaooA8P8FtYN2J3Il_jFNlhnHJRf6EsAGR7VU" found at _acme-challenge.squaredle.app

Of course the TXT RR is incorrect for my attempt, but no issues regarding the CNAME.

2 Likes
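The reply above describes the acme-dns design: the CNAME in the zone is tied to an acme-dns account and stays fixed, while only the TXT value behind it changes through the acme-dns REST API on every run. The in-memory model below is an added illustration of that flow, not acme-dns or acme-dns-auth.py code: `AcmeDnsServer` stands in for the real HTTP endpoints (POST /register and POST /update with X-Api-User/X-Api-Key headers, with the real server's rule that the txt value is exactly 43 characters), `AcmeDnsAuthHook` mirrors what the hook does with its stored credentials, and `demo()` walks through a first issuance, a normal renewal, and a run with FORCE_REGISTER while the zone still carries the original CNAME. All tokens and account values are constructed.

```python
"""In-memory model of the acme-dns account/update flow (added example; a
simplified model of the REST API, not the acme-dns or hook code itself)."""
import secrets
import uuid
from typing import Dict, Optional

ACME_DNS_ZONE = "auth.acme-dns.io"  # acme-dns host seen in the thread


class AcmeDnsServer:
    """Models POST /register and POST /update of an acme-dns server."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}      # username -> password (API key)
        self.subdomain_of: Dict[str, str] = {}  # username -> subdomain owned
        self.txt: Dict[str, str] = {}           # fulldomain -> current TXT value

    def register(self) -> dict:
        """New account: random credentials and a fresh subdomain under the zone."""
        username, subdomain = str(uuid.uuid4()), str(uuid.uuid4())
        password = secrets.token_urlsafe(30)
        self.accounts[username] = password
        self.subdomain_of[username] = subdomain
        return {"username": username, "password": password, "subdomain": subdomain,
                "fulldomain": f"{subdomain}.{ACME_DNS_ZONE}"}

    def update(self, api_user: str, api_key: str, subdomain: str, txt: str) -> int:
        """Returns an HTTP-like status: 401 bad credentials, 400 bad txt, 200 ok."""
        if self.accounts.get(api_user) != api_key or self.subdomain_of.get(api_user) != subdomain:
            return 401
        if len(txt) != 43:  # acme-dns accepts only 43-character validation tokens
            return 400
        self.txt[f"{subdomain}.{ACME_DNS_ZONE}"] = txt
        return 200

    def resolve_txt(self, fulldomain: str) -> Optional[str]:
        """What a TXT query for the acme-dns name would return."""
        return self.txt.get(fulldomain)


class AcmeDnsAuthHook:
    """Mirrors the hook's per-run logic: reuse the stored account for the
    domain (register only when none exists or force_register is set), then
    push the CERTBOT_VALIDATION token as the TXT value."""

    def __init__(self, server: AcmeDnsServer, force_register: bool = False) -> None:
        self.server = server
        self.force_register = force_register
        self.store: Dict[str, dict] = {}  # models the hook's credential file on disk

    def run(self, certbot_domain: str, certbot_validation: str) -> str:
        """Returns the CNAME target that _acme-challenge.<domain> must point at."""
        acct = self.store.get(certbot_domain)
        if acct is None or self.force_register:
            acct = self.server.register()  # real hook prints the "add this CNAME" message here
            self.store[certbot_domain] = acct
        status = self.server.update(acct["username"], acct["password"],
                                    acct["subdomain"], certbot_validation)
        if status != 200:
            raise RuntimeError(f"acme-dns update failed with status {status}")
        return acct["fulldomain"]


def demo() -> dict:
    """Constructed walk-through of issuance, renewal, and a FORCE_REGISTER run."""
    server = AcmeDnsServer()
    hook = AcmeDnsAuthHook(server)
    zone: Dict[str, str] = {}  # the operator's DNS zone: name -> CNAME target
    challenge = "_acme-challenge.squaredle.app"

    target_first = hook.run("squaredle.app", "A" * 43)  # constructed token
    zone[challenge] = target_first                       # operator adds the CNAME once

    target_renew = hook.run("squaredle.app", "B" * 43)   # later renewal reuses the account
    served_after_renew = server.resolve_txt(zone[challenge])

    hook.force_register = True                           # FORCE_REGISTER = True in the hook
    target_forced = hook.run("squaredle.app", "C" * 43)  # new account, so a new fulldomain
    served_after_force = server.resolve_txt(zone[challenge])  # zone still points at the old one

    return {"same_cname_on_renewal": target_first == target_renew,
            "served_after_renew": served_after_renew,
            "cname_changed_after_force": target_forced != target_first,
            "served_after_force": served_after_force}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last value in `demo()` is the situation the poster suspected: after a forced re-registration the zone's CNAME still points at the previous acme-dns name, which keeps serving the previous token, so the CA reports an "Incorrect TXT record" until the CNAME is changed to the newly printed target.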

After verifying with nslookup.io that the Authoritative CNAME record has been updated, the challenge succeeded! Now I'm running into the same issues updating www.squaredle.app (with the www subdomain). But in this case, the nslookup command fails with:

** server can't find _acme-challenge.www.squaredle.app: NXDOMAIN

I think normally yes. Since the authentication kept failing (despite me not making any changes since I set this up 2.5 months ago), I set FORCE_REGISTER=True in acme-dns-auth.py to see if the new CNAME it gave me would work where the old one wasn't.

That's because that entry indeed does not exist.

4 Likes

Did you miss a step?

Something like:

Please add the following CNAME record to your main DNS zone:
_acme-challenge.www.squaredle.app CNAME [a bunch of numbers and letters].auth.acme-dns.io.
3 Likes

I've gotten it working after waiting a lot longer than usual after updating CNAME. (It's not enough for all the nameservers I can find, including the "Authoritative" one, to show the updated CNAME; it takes at least an hour.)

Not sure what the problem was in the first place, as I once waited over 24 hours and it still wasn't working.

Anyway, thanks all!

3 Likes