Certbot on MacOS behind a proxy not able to verify domain


#1

Morning everyone,

I have an issue where I cannot authenticate the domain because it's behind a proxy server, as we are a school. Ports 80 and 443 are closed to force everything to go through the proxy. We run both a normal proxy and a transparent one, so disabling the proxy doesn't seem to make a difference.

I am running OSX Server 5, which is facing the internet and using the domain osx.tworiversschool.net. OSX Server reachability gives two different IPs depending on whether I remove the proxy or add it, but I presume they're both the IPs of the proxy system. The IP which belongs to the domain is 194.08.54.64, which then routes back to a private IP on our LAN.

I was wondering how I can resolve this issue, maybe get Let's Encrypt/certbot to look at a domain record instead of looking at the local server. I think with StartSSL I used a domain record which it verified instead.

Any help would be appreciated, as our StartSSL certificate has expired and we have been advised to stay away from them now.

Regards

Corey


#2

Do you have relatively easy control over the DNS (to be able to add a text record to it, ideally through an API)? If so, then the DNS-01 challenge would be the easiest method.


#3

I do have access to the DNS, as we have used it to verify StartSSL and Office365. I am not sure about via an API though. We registered the domain with daily.co.uk years ago.


#4

Then you can use the DNS-01 challenge.

Access through an API purely makes it easier, since you need to renew the cert every 70 days or so (it's valid for 90 currently, but you don't want to be trying to renew it on the 90th day :wink:).

Certbot now supports the dns-01 challenge (although I haven't used it in certbot). You need the "manual" and "--preferred-challenges dns" options, I believe; see the documentation at https://certbot.eff.org/docs/using.html#command-line

I use one of the alternate clients, which supported the dns challenge at an earlier stage, and haven't tested it with certbot, sorry. I'm sure others have though :slight_smile:


#5

Thanks for your help serverco. I have now switched to the acme.sh application, which allows the DNS challenge.

My next issue is that I get the following error: osx.tworiversschool.net:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.osx.tworiversschool.net


#6

Have you added the token as a TXT record to your authoritative nameservers? For me, I can't see it either:

$ nslookup -type=txt  _acme-challenge.osx.tworiversschool.net ns1.daily.co.uk
Server:        ns1.daily.co.uk
Address:    195.26.90.11#53

** server cant find _acme-challenge.osx.tworiversschool.net: NXDOMAIN

If I look up a level, I can see some text records:

$ nslookup -type=txt  tworiversschool.net ns1.daily.co.uk
Server:        ns1.daily.co.uk
Address:    195.26.90.11#53

tworiversschool.net    text = "google-site-verification=4Gt9UiH83adyfDzZbA_HPL92hlAeETURWX0P3xlSP6o"
tworiversschool.net    text = "MS=ms12141988"
tworiversschool.net    text = "v=spf1 include:spf.protection.outlook.com -all"

#7

Unless I have put them in the wrong way around, I have added them.


#8

You have too many ".tworiversschool.net" in there :wink:. I suspect your DNS system will automatically add .tworiversschool.net to the end of whatever you place in the left-hand box, so you just need "_acme-challenge.osx" in there.

I can get a response from your server if I double up the .tworiversschool.net domain name:

$ nslookup -type=txt  _acme-challenge.osx.tworiversschool.net.tworiversschool.net ns1.daily.co.uk
Server:        ns1.daily.co.uk
Address:    195.26.90.11#53

_acme-challenge.osx.tworiversschool.net.tworiversschool.net    text = "WxRJnVFzWu9NV0oBANCxAiWbtvixfDMYpAxTTTbsHrM"
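The two checks serverco ran by hand in #6 and #8 (query the authoritative nameserver for the `_acme-challenge` TXT record, then try the name with the zone appended a second time) can be scripted as a pre-flight check before asking the CA to validate. The following is an added illustration written for this thread; it is not code from certbot, acme.sh, or any participant. The zone data, the `EXAMPLE-TOKEN` value, and the helper names (`challenge_name`, `panel_entry`, `check_challenge`, `dig_lookup`) are all constructed here; `check_challenge` takes a lookup callback so it runs offline against the fake zone, and `dig_lookup` is the real-world substitute that shells out to `dig`.

```python
"""Pre-flight check for a DNS-01 TXT record, run here against a constructed zone.

Added example for this thread, not code from certbot, acme.sh or the thread's
participants. The record names, token value and FAKE_ZONE below are
constructed; a real check would query the authoritative nameserver (see
dig_lookup) instead of the dictionary.
"""
import subprocess

CHALLENGE_LABEL = "_acme-challenge"


def challenge_name(domain: str) -> str:
    """FQDN where the CA looks for the DNS-01 TXT record."""
    return f"{CHALLENGE_LABEL}.{domain.rstrip('.')}"


def panel_entry(fqdn: str, zone: str) -> str:
    """Name to type into a DNS panel that appends the zone automatically.

    Typing the full FQDN into such a panel publishes the record at
    <fqdn>.<zone>, which is the doubled-suffix mistake seen in this thread.
    """
    fqdn, zone = fqdn.rstrip("."), zone.rstrip(".")
    if fqdn == zone:
        return "@"
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(suffix)]


def check_challenge(domain, zone, token, lookup_txt):
    """Return (ok, message). lookup_txt(name) -> list of TXT strings (may be empty)."""
    name = challenge_name(domain)
    records = lookup_txt(name)
    if token in records:
        return True, f"{name} publishes the expected token"
    # Same test serverco did in #8: look for the record one zone suffix too deep.
    doubled = f"{name}.{zone.rstrip('.')}"
    if token in lookup_txt(doubled):
        return False, (f"token found at {doubled}, not {name}: the panel appended "
                       f"the zone; enter '{panel_entry(name, zone)}' as the record name")
    if records:
        return False, f"{name} exists but holds a different token (stale record?)"
    return False, f"{name} has no TXT record (NXDOMAIN) at the authoritative server"


def dig_lookup(nameserver):
    """Real resolver: ask the authoritative server directly with dig (needs network).

    Querying the authoritative server, not the local recursive resolver, avoids
    being fooled by a cached NXDOMAIN from an earlier attempt.
    """
    def lookup(name):
        out = subprocess.run(["dig", "+short", "TXT", name, f"@{nameserver}"],
                             capture_output=True, text=True, check=False).stdout
        return [line.strip().strip('"') for line in out.splitlines() if line.strip()]
    return lookup


# Constructed zone data mirroring the thread's symptom: the record exists, but
# one zone suffix too deep, so the name the CA queries returns NXDOMAIN.
FAKE_ZONE = {
    "tworiversschool.net": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_acme-challenge.osx.tworiversschool.net.tworiversschool.net": ["EXAMPLE-TOKEN"],
}


def fake_lookup(name):
    return FAKE_ZONE.get(name.rstrip("."), [])


def diagnose_thread_case():
    """Run the check against the constructed zone; returns (ok, message)."""
    return check_challenge("osx.tworiversschool.net", "tworiversschool.net",
                           "EXAMPLE-TOKEN", fake_lookup)


if __name__ == "__main__":
    ok, msg = diagnose_thread_case()
    print("OK" if ok else "FAIL", msg)
```

Run it as-is to see the doubled-suffix diagnosis; swap `fake_lookup` for `dig_lookup("ns1.daily.co.uk")` (or whichever server is authoritative for your zone) to check a live record before starting the ACME validation, so a stale or misplaced TXT record is caught before the CA caches a failure.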

#9

Thanks for all your help serverco! I appreciate it. I now have my certificate validated.

I wouldn't have gotten the double osx.tworiversschool.net part; I just kept deleting the folder and trying to issue them again with a new verification code.

