Certbot Manual - Passing DNS Challenge with CloudFlare

I have done the following:

#  certbot -d bristol3.pki.enigmabridge.com --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for bristol3.pki.enigmabridge.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.bristol3.pki.enigmabridge.com with the following value:
PYQOs3dh1QsK5wPGKbPWc3uXHBx9y7_yDtRuUS40Znk

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to ContinueCleaning up challenges

I do not know how to do what the script asks me to do.
Could you tell me all the steps needed to perform the task that the script requests?

Hi @juanam,

You need to do exactly what the message says:

You need to go to your DNS server and add a TXT record for _acme-challenge.bristol3.pki.enigmabridge.com with the content PYQOs3dh1QsK5wPGKbPWc3uXHBx9y7_yDtRuUS40Znk. Once that is done, press Enter so Let’s Encrypt will validate that TXT record, and if it is correct it will issue a cert for the requested domain.

To test it, you can use this command.

$ dig +short TXT _acme-challenge.bristol3.pki.enigmabridge.com
"PYQOs3dh1QsK5wPGKbPWc3uXHBx9y7_yDtRuUS40Znk"

Keep in mind that every time you run the certbot command, the “random string” will be different, and you should update the TXT record with that new “random string”.

Also, the DNS challenge is a manual process, so it is a pain to renew it every 90 days. If your DNS server has some kind of API, you could add a script to perform this TXT record creation in an automated way.

As far as I can see, your DNS servers for enigmabridge.com are:

aragorn.ns.cloudflare.com
chloe.ns.cloudflare.com

And cloudflare.com has an API to interact with the DNS records, BUT your DNS servers for pki.enigmabridge.com are not the same; indeed you only have this DNS server, ns.enigmabridge.com, which is pointing to Amazon, but I don’t know if you are using your own DNS server or Route 53. If you are using Route 53, it has an API too, so you could automate the process.

As I said, you can add a script that will contact the API of your DNS provider, something like

certbot -d bristol3.pki.enigmabridge.com --manual --preferred-challenges dns certonly --manual-auth-hook /path/to/the/script

Of course, you need to create the script that will contact the DNS server API, but in this case the best approach is to use another acme client: instead of certbot you could use the acme.sh client, which has a lot of DNS API scripts ready to connect.

Hope this helps,
sahsanu
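As an added illustration of the --manual-auth-hook approach described in the answer above (this is example code written for this page, not sahsanu's script, certbot's own code, or an official Cloudflare hook), here is a hypothetical hook for a zone hosted at Cloudflare. It relies on two things certbot really provides to auth hooks, the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables, and on two variables the operator is assumed to export beforehand, CF_ZONE_ID and CF_API_TOKEN (a token restricted to DNS edits on that one zone, not a global API key). The record name and JSON payload are built in small functions so they can be checked without touching the network; the API call and the propagation wait run only when certbot invokes the script.

```shell
#!/bin/sh
# Hypothetical certbot --manual-auth-hook for a Cloudflare-hosted zone.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.
# CF_ZONE_ID and CF_API_TOKEN are assumed to be exported by the operator
# (a token scoped to DNS edit on this zone only; never a global API key).
set -eu

# Name of the TXT record the dns-01 challenge expects for a domain.
txt_record_name() {
    printf '_acme-challenge.%s' "$1"
}

# JSON body for Cloudflare's "create DNS record" endpoint (assumed shape:
# type/name/content/ttl). Validation tokens are base64url, so no JSON
# escaping is needed for the content field.
cf_payload() {
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' \
        "$(txt_record_name "$1")" "$2"
}

# Create the record through the Cloudflare API (network call).
cf_create_record() {
    curl -sS -X POST \
        "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records" \
        -H "Authorization: Bearer ${CF_API_TOKEN}" \
        -H "Content-Type: application/json" \
        --data "$(cf_payload "$1" "$2")"
}

# Poll a public resolver (assumed: 1.1.1.1) until the expected value is
# visible. Let's Encrypt queries DNS as soon as the hook exits, so returning
# before the record is visible produces a failed challenge, not a retry.
wait_for_txt() {
    name=$(txt_record_name "$1")
    expected="\"$2\""
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short TXT "$name" @1.1.1.1 | grep -qxF "$expected"; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record for $name not visible after 5 minutes" >&2
    return 1
}

# Only act when certbot invoked us; the variables are otherwise unset,
# so sourcing or testing this file does not touch the network.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    cf_create_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" >/dev/null
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

The script would be passed as `--manual-auth-hook /path/to/the/script` exactly as shown in the answer; in practice you would pair it with a `--manual-cleanup-hook` that deletes the record afterwards, otherwise stale challenge records accumulate in the zone with every renewal. Keeping the token in the environment rather than on the command line also keeps it out of the process list and shell history.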

Going by the reverse DNS, it's an EC2 instance of some sort. As far as I can tell, Route 53 uses a couple of specific IP ranges, and always sets reverse DNS. (E.g. 205.251.193.136 -> ns-392.awsdns-49.com.)
