Certbot command returning nothing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ukstudio.world

I ran this command:

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.perimeter.ukstudio.world -d perimeter.ukstudio.world --preconfigured-renewal

It produced this output:

'Literally nothing'

My web server is (include version):
I'm installing it on a Jupyter notebook server so I don't know, this question is not relevant yet.

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
self hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Doesn't return any output

First I ran this command and it returned no output whatsoever:

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.perimeter.ukstudio.world -d perimeter.ukstudio.world --preconfigured-renewal

I checked the logs and it seemed it wasn't asking me for an email address, so I provided that in the next command:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.perimeter.ukstudio.world -d perimeter.ukstudio.world --preconfigured-renewal --email my.email@example.com

This was successful and brought me to accept the agreement (I'm currently writing a tutorial for myself so I escaped this step and backed up my LXC container). Then I re-ran this command:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.perimeter.ukstudio.world -d perimeter.ukstudio.world --preconfigured-renewal --email my.email@example.com

but this time again no output whatsoever, so I tried to find the version of certbot using the following command:

certbot --version, but again no output whatsoever.

Is this a tty problem? I'm sure if I were asked questions like what my email address is in the first place, these problems would go away.

Why acme-dns-auth.py isn't outputting anything I don't know; before starting to go through the code I thought I'd ask here... :smiley:

Many thanks

PS.
I've got it working if I ssh in instead of using the Proxmox terminal, but whilst I've got your attention, how on earth do you add a CNAME of

_acme-challenge.perimeter.ukstudio.world CNAME 3eaf8d29-a630-448d-95ca-7573c02e5d46.auth.acme-dns.io.

And the CNAME data isn't valid??

You add a CNAME type record into the zone "ukstudio.world"
using name "_acme-challenge.perimeter"
value "3eaf8d29-a630-448d-95ca-7573c02e5d46.auth.acme-dns.io"

2 Likes

And, when you use a CNAME don't have any other types of records for that name

You have both A and AAAA records there

_acme-challenge.perimeter.ukstudio.world. 118 IN AAAA 2606:4700:3033::6815:371c
_acme-challenge.perimeter.ukstudio.world. 118 IN AAAA 2606:4700:3035::ac43:9026
_acme-challenge.perimeter.ukstudio.world. 118 IN A 172.67.144.38
_acme-challenge.perimeter.ukstudio.world. 118 IN A 104.21.55.28
2 Likes
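To make the point of the reply above concrete, here is an added example (my own code, not from the thread or from acme-dns/certbot) that parses dig/zone-style record lines like the ones quoted and flags a `_acme-challenge` name that has a CNAME sitting beside A/AAAA records, as happens when the name is proxied. The sample records are constructed from the lines in this thread; the expected CNAME target is an assumption taken from the first post.

```python
import re
from collections import defaultdict

# Constructed sample: the A/AAAA lines quoted in this thread plus the CNAME the
# poster intended to add. A CNAME must be the only record at its name (RFC 1034).
SAMPLE_RECORDS = """
_acme-challenge.perimeter.ukstudio.world. 118 IN AAAA 2606:4700:3033::6815:371c
_acme-challenge.perimeter.ukstudio.world. 118 IN AAAA 2606:4700:3035::ac43:9026
_acme-challenge.perimeter.ukstudio.world. 118 IN A 172.67.144.38
_acme-challenge.perimeter.ukstudio.world. 118 IN A 104.21.55.28
_acme-challenge.perimeter.ukstudio.world. 118 IN CNAME 3eaf8d29-a630-448d-95ca-7573c02e5d46.auth.acme-dns.io.
"""

# Matches "name [ttl] IN TYPE rdata" as printed by dig or in a zone file.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_records(text):
    """Parse record lines into (owner name, type, rdata) tuples; names are normalised."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record line: {line!r}")
        name = m.group("name").rstrip(".").lower()
        records.append((name, m.group("type"), m.group("rdata").strip()))
    return records


def check_acme_challenge(records, expected_target):
    """Return human-readable problems for every _acme-challenge name in `records`.

    A proxied name at Cloudflare answers with synthesised A/AAAA (and an RFC 8482
    HINFO) records, so the CNAME delegation to acme-dns is never followed."""
    by_name = defaultdict(lambda: defaultdict(list))
    for name, rtype, rdata in records:
        by_name[name][rtype].append(rdata)
    problems = []
    for name, types in by_name.items():
        if not name.startswith("_acme-challenge."):
            continue
        cnames = types.get("CNAME", [])
        if not cnames:
            problems.append(f"{name}: no CNAME record found")
        elif cnames[0].rstrip(".").lower() != expected_target.rstrip(".").lower():
            problems.append(f"{name}: CNAME points to {cnames[0]}, expected {expected_target}")
        extra = sorted(t for t in types if t != "CNAME")
        if cnames and extra:
            problems.append(f"{name}: CNAME coexists with {', '.join(extra)} records (likely proxied); unproxy the name")
    return problems
```

Feed it the output of `dig +noall +answer ANY _acme-challenge.<your name>` (or the lines from any resolver) and an empty result means only the CNAME is published.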

I see a strange entry there:

nslookup -q=all _acme-challenge.perimeter.ukstudio.world 8.8.8.8
_acme-challenge.perimeter.ukstudio.world HINFO CPU = RFC8482
_acme-challenge.perimeter.ukstudio.world ??? unknown type 46 ???

or this from another DNS server:
_acme-challenge.perimeter.ukstudio.world HINFO CPU = RFC8482

2 Likes

Thanks for the replies,
I think this must be something Cloudflare is doing as I haven't made any of those entries myself.

Can I ask what command you used from the command line to check these DNS records?

1 Like

switch "8.8.8.8" for any valid dns resolver

4 Likes

Did you proxy the _acme-challenge.perimeter.ukstudio.world name in Cloudflare?

2 Likes

Yes

I have an A record to my subdomain 'perimeter' (proxied to my WAN IP address)

Then a CNAME _acme-challenge.perimeter.ukstudio.world pointing to 'perimeter.ukstudio.world'

Then I add a TXT record _acme-challenge.perimeter containing whatever value you guys give me.

I wasn't able to get it working yesterday but found if I use the -v option when calling certbot I get asked for a TXT record instead of a CNAME

That one should have been a CNAME record [not TXT record] at CloudFlare.

4 Likes

I don't see that one :frowning:

3 Likes

It does ping...

ping _acme-challenge.perimeter.ukstudio.world

Yes, it "resolves".
But it includes some gibberish:

nslookup -q=all _acme-challenge.perimeter.ukstudio.world
_acme-challenge.perimeter.ukstudio.world        internet address = 172.67.144.38
_acme-challenge.perimeter.ukstudio.world        internet address = 104.21.55.28
_acme-challenge.perimeter.ukstudio.world        HINFO CPU = RFC8482
_acme-challenge.perimeter.ukstudio.world        AAAA IPv6 address = 2606:4700:3035::ac43:9026
_acme-challenge.perimeter.ukstudio.world        AAAA IPv6 address = 2606:4700:3033::6815:371c
3 Likes

Seems to be a couple of IPv4 name server IPs and a couple of IPv6 name servers

According to that RFC, it seems there is no CNAME record.

3 Likes

You don't want it to ping (means it points to A/AAAA records). You want the _acme-challenge name to return the TXT value.

The CNAME record should not be proxied and simply be as you showed it at bottom of your first post

Oddly, the unboundtest.com site does return the value so it must be somewhere. The odd mix of records you have (probably from the Cloudflare Proxy DNS setting) is messing things up

https://unboundtest.com/m/TXT/_acme-challenge.perimeter.ukstudio.world/TIDQUTW6

2 Likes

Thanks so much,

For some reason yesterday when I was trying the CNAME on its own certbot was failing, to the point of driving me bonkers. I was trying till 4:30 this morning to get things working and only got a:

Successfully received certificate.

when I was messing around with TXT records instead.

1 Like

I see. I think I'm getting you. Thanks so much for all your time, really appreciated.

Should I delete the certificates I've generated and start again? I don't mind. I've spent so many years failing at installing ssl certs that now the 'penny is finally dropping' I'm perfectly happy to go through every VM and Container on my network generating new certificates.

1 Like

NO.
Keep what you have [until it expires]

4 Likes

Humm,

Sorry to be a pain, but if I run certbot more than once (because of a mess-up or failure on my part) I notice I don't get given a CNAME or value. Is there a way around this?

Then you may have run it incorrectly.
Show the entire command used, so that we can review it.

2 Likes