Certbot on MacOS behind a proxy not able to verify domain

Morning everyone,

I have a issue were I can not authenticate the domain because it’s behind a proxy server as we are a school. Ports 80 and 443 are closed to force everything to go through the proxy. We run both a normal proxy and a transparent one so disabling the proxy doesn’t seem to make a difference.

I am running OSX Server 5 which is facing the internet and using the domain osx.tworiversschool.net. OSX Server reachability gives two different IP depending on if I remove the proxy or add it but I presume there both the IPs of the proxy system. The IP which belongs to the domain is which then routes back to a private IP on our LAN.

I was wondering how I can resolve this issue maybe get lets encrypt/certbot look at a domain record instead of looking at the local server. I think with StartSSL I used a domain record which it verified instead.

Any help would be appreciated as our StartSSL has expired and have been advised to stay away from them now.



Do you have relatively easy control over the DNS (to be able to add a text record to it - ideally through an API) ? If so then the DNS-01 challenge would be the easiest method.

1 Like

I do have access to the DNS as we have used it to verify StartSSL and Office365. I am not sure via a API though. We registered the domain with daily.co.uk years ago.

Then you can use the DNS-01 challenge.

Access through API purely makes it easier, since you need to renew the cert every 70 days or so ( it’s valid for 90 currently, but you don’t want to be trying to renew it on the 90th day :wink: )

Certbot now supports the dns-01 challenge ( although I haven’t used it in certbot) You need the “manual” and “–preferred-challenges dns” I believe - see the documentation at https://certbot.eff.org/docs/using.html#command-line

I use one of the alternate clients, which supported the dns challenge at an earlier stage and haven’t tested it with certbot, sorry. I’m sure others have though :slight_smile:

Thanks for your help serverco. I have now switched to the acme.sh application which allows DNS challenge.

My next issue is that I get the following error osx.tworiversschool.net:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.osx.tworiversschool.net

Have you added the token as a TXT record to your authoritative nameservers ? for me I can’t see it either

$ nslookup -type=txt  _acme-challenge.osx.tworiversschool.net ns1.daily.co.uk
Server:        ns1.daily.co.uk

** server cant find _acme-challenge.osx.tworiversschool.net: NXDOMAIN

if I look up a level I can see some text records

$ nslookup -type=txt  tworiversschool.net ns1.daily.co.uk
Server:        ns1.daily.co.uk

tworiversschool.net    text = "google-site-verification=4Gt9UiH83adyfDzZbA_HPL92hlAeETURWX0P3xlSP6o"
tworiversschool.net    text = "MS=ms12141988"
tworiversschool.net    text = "v=spf1 include:spf.protection.outlook.com -all"

Unless I have put them in the wrong way around I have added them.

You have too many “.tworiversschool.net” in there :wink: I suspect your DNS system will automatically add .tworiversschool.net to the end of whatever you place in the left hand box. So you just need “_acme-challenge.osx” in there.

I can get a response from your server if I double up the .tworiversschool.net domain name.

$ nslookup -type=txt  _acme-challenge.osx.tworiversschool.net.tworiversschool.net ns1.daily.co.uk
Server:        ns1.daily.co.uk

_acme-challenge.osx.tworiversschool.net.tworiversschool.net    text = "WxRJnVFzWu9NV0oBANCxAiWbtvixfDMYpAxTTTbsHrM"
1 Like

Thanks for all your help serverco! I appreciate it. I now have my certificated validated.

I wouldn’t of gotten the double osx.tworiversschool.net part I just kept deleting the folder and trying to issue them again with a new verification code.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.