Hi! Certbot's challenge keeps failing and I'm not sure why. I started out with the basic renewal command, but now I'm running a more explicit command and keep hitting the same issue (no TXT record) despite setting up my CNAME redirect record correctly AFAICT. I also tried setting FORCE_REGISTER = True in acme-dns-auth.py to ensure it's trying to use a new CNAME to no avail.
My domain is: squaredle.app
I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges
It produced this output:
[After it gave me the CNAME record to use, I entered that record and waited ten minutes before pressing Enter. The previous CNAME record had a TTL of 300, as did this one.]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): squaredle.app
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for squaredle.app
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.squaredle.app CNAME bcd99878-dd64-4133-ac5e-c7f5b870ab33.auth.acme-dns.io.
Waiting for verification...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Challenge failed for domain squaredle.app
dns-01 challenge for squaredle.app
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: squaredle.app
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.squaredle.app - check that a DNS record exists for
this domain
My web server is (include version):
Apache/2.4.41
The operating system my web server runs on is (include version):
Ubuntu 20.04.4 LTS
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0
Thanks in advance. I've been wrangling with this for a couple hours now. I'll hold off on making more changes so you can verify my DNS records if needed.
That's what I was afraid of -- that I'm doing everything right. :-/
I tried again, verifying the nameservers were all updated. They seem to update almost instantly. This time, I received a different error:
Domain: squaredle.app
Type: unauthorized
Detail: During secondary validation: Incorrect TXT record
"EDerkmxjkn24ItBi47fsQIBLgl1w4t0Str2Z_rgpNHY" found at
_acme-challenge.squaredle.app
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I suspect the above is because it's still finding the older CNAME record and thus the older token.
The previous time, I waited over 10 minutes before trying, so it seems like there are only two cases:
1. Finding the old CNAME record and therefore failing
2. Finding the new CNAME record and failing for some unknown reason
So I still need help debugging case #2. Thank you!!
I think those acme-dns CNAME entries are rather static, coupled to an account? The TXT RR is being updated using a REST API (I believe) at the acme-dns server.
Currently, the validation server finds the TXT RR without a hitch:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: squaredle.app
Type: unauthorized
Detail: Incorrect TXT record "U-sCnKYaooA8P8FtYN2J3Il_jFNlhnHJRf6EsAGR7VU" found at _acme-challenge.squaredle.app
Of course the TXT RR is incorrect for my attempt, but no issues regarding the CNAME.
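The two failure modes in this thread (NXDOMAIN when the CA's resolver does not see the CNAME at all, and "Incorrect TXT record" when it follows a CNAME to an acme-dns account whose TXT still holds an older token) as an offline walk-through. This is an added example, not code from any post or from certbot/acme-dns; the zone data, account labels and tokens are constructed placeholders.

```python
# Offline model of how a CA resolves a dns-01 challenge that is delegated to
# acme-dns through a CNAME. Constructed example: the account labels and
# tokens below are placeholders, not real acme-dns values.

OLD_TOKEN = "OLD-TOKEN-left-in-previous-acme-dns-account"   # constructed
NEW_TOKEN = "NEW-TOKEN-certbot-just-pushed-over-REST-api"   # constructed

# acme-dns serves one TXT per registered account from its own zone.
ACME_DNS_ZONE = {
    "OLD-ACCOUNT.auth.acme-dns.io": {"TXT": [OLD_TOKEN]},
    "NEW-ACCOUNT.auth.acme-dns.io": {"TXT": [NEW_TOKEN]},
}

def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs from `name` and return the TXT strings found, or None
    when the name does not exist (what the CA reports as NXDOMAIN)."""
    for _ in range(max_hops):
        rrset = zone.get(name)
        if rrset is None:
            return None
        if "CNAME" in rrset:           # delegation hop, e.g. into acme-dns
            name = rrset["CNAME"]
            continue
        return list(rrset.get("TXT", []))
    raise RuntimeError("CNAME chain too long")

def check_challenge(zone, domain, expected_token):
    """Produce the verdict the CA would give for _acme-challenge.<domain>."""
    qname = f"_acme-challenge.{domain}"
    txts = resolve_txt(zone, qname)
    if txts is None:
        return f"DNS problem: NXDOMAIN looking up TXT for {qname}"
    if expected_token in txts:
        return "ok"
    return f'Incorrect TXT record "{txts[0]}" found at {qname}'

def scenarios():
    """The three views of the zone that the thread's resolvers could have seen."""
    delegation = "_acme-challenge.squaredle.app"
    no_cname = dict(ACME_DNS_ZONE)                       # CNAME not visible yet
    stale = {**ACME_DNS_ZONE, delegation: {"CNAME": "OLD-ACCOUNT.auth.acme-dns.io"}}
    fixed = {**ACME_DNS_ZONE, delegation: {"CNAME": "NEW-ACCOUNT.auth.acme-dns.io"}}
    return {
        "no_cname": check_challenge(no_cname, "squaredle.app", NEW_TOKEN),
        "stale_cname": check_challenge(stale, "squaredle.app", NEW_TOKEN),
        "new_cname": check_challenge(fixed, "squaredle.app", NEW_TOKEN),
    }
```

Calling scenarios() yields the NXDOMAIN message, the "Incorrect TXT record" message carrying the old token, and "ok" in turn, so a stale or cached CNAME (TTL 300 in the thread) explains why a freshly registered acme-dns account does not help until every resolver in the path sees the new CNAME.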
After verifying with nslookup.io that the Authoritative CNAME record has been updated, the challenge succeeded! Now I'm running into the same issues updating www.squaredle.app (with the www subdomain). But in this case, the nslookup command fails with:
** server can't find _acme-challenge.www.squaredle.app: NXDOMAIN
I think normally yes. Since the authentication kept failing (despite me not making any changes since I set this up 2.5 months ago), I set FORCE_REGISTER=True in acme-dns-auth.py to see if the new CNAME it gave me would work where the old one wasn't.
Please add the following CNAME record to your main DNS zone:
_acme-challenge.www.squaredle.app CNAME [a bunch of numbers and letters].auth.acme-dns.io.
I've gotten it working after waiting a lot longer than usual after updating CNAME. (It's not enough for all the nameservers I can find, including the "Authoritative" one, to show the updated CNAME; it takes at least an hour.)
Not sure what the problem was in the first place, as I once waited over 24 hours and it still wasn't working.