Certbot probs / DNS


#1

Hello,

Right now I want to get a Let's Encrypt certificate for my website myownsite.cn.
Server OS: Debian
Webserver: apache2

So I tried to run certbot and got authorization problems:

certbot certonly --webroot -w /var/www/html/ -d myownsite.cn
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for myownsite.cn
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Incomplete authorizations

So I came to know that it hinges on the DNS:

root@myserver:/etc/letsencrypt# certbot -d myownsite.cn --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for myownsite.cn


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.myownsite.cn with the following value:

xt0NhjNdw9NGZFXxFDdcIPg3UxmTg6fLErsfVDQp2IQ

Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. myownsite.cn (dns-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.myownsite.cn

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: myownsite.cn
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.myownsite.cn
    root@myserver:/etc/letsencrypt#

What needs to be done here?
How do I deploy a DNS TXT record?

Thanks for your help.

Best,
Swantje


#2

By editing the zone file at your domain name's DNS service. Most DNS hosting services have some kind of web panel to edit the zone.

But I'm not sure why you chose to do DNS authorization instead of the http-01 challenge? Do you have a particular reason to do so?


#3

Hi @swantje

What does the letsencrypt.log say? Why doesn't http-01 validation work?

http-01 validation is easy to automate because only a file has to be copied.


#4

Hi Osiris,
thanks for your hints and sorry for my belated response. …Had to leave work earlier yesterday…
I just need a certificate. There is no reason for DNS. …sorry…
Can you tell me the necessary steps for the http-01 challenge, or a site where the
process is explained? Shell commands etc.

…would be very grateful!

Best,
Swantje


#5

Hi Jürgen,

Thanks for your response. As I mentioned before, I just need a way to get a certificate.

here are my logs:
----log1 ----
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1123
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: 8OwojEkKz0BJG90C98U_BfrJs-JG85DBI1Q9eETKC2Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 17 Aug 2018 08:00:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 17 Aug 2018 08:00:05 GMT
Connection: keep-alive

b'{\n "identifier": {\n "type": "dns",\n "value": "mysitecn"\n },\n "status": "pending",\n "expires": "2018-08-24T07:59:15Z",\n "challenges": [\n {\n "type": "tls-alpn-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/fl77LItCIXJ9bkJuY_fU4S__S4AThR0R2SlYImS_N_0/6548047015",\n "token": "oE9eoxwUrL4nunrMjevgqMzUZYk-rVj7RnHMf7Yhf7I"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/fl77LItCIXJ9bkJuY_fU4S__S4AThR0R2SlYImS_N_0/6548047016",\n "token": "xD3a-gdF0ojMb_XxE_SCEaDH-U6Dr70_ub97IZURKZ4",\n "keyAuthorization": "xD3a-gdF0ojMb_XxE_SCEaDH-U6Dr70_ub97IZURKZ4.AFyvukgCnbpoYbD8qK80P28_41NnFpvzR4EAZnPS-b4"\n },\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/fl77LItCIXJ9bkJuY_fU4S__S4AThR0R2SlYImS_N_0/6548047017",\n "token": "Wb5CO_DMYm9JYnhMEUehojc3rOwsX2Grmq2rVHKLOJ0"\n }\n ],\n "combinations": [\n [\n 1\n ],\n [\n 0\n ],\n [\n 2\n ]\n ]\n}'
----log2 ----
2018-08-17 08:00:05,739:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {'status': 'pending', 'type': 'tls-alpn-01', 'token': 'oE9eoxwUrL4nunrMjevgqMzUZYk-rVj7RnHMf7Yhf7I', 'uri': 'https://acme-v01.api.letsencrypt.org/acme/challenge/fl77LItCIXJ9bkJuY_fU4S__S4AThR0R2SlYImS_N_0/6548047015'}
2018-08-17 08:00:05,740:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-17 08:00:05,740:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/xD3a-gdF0ojMb_XxE_SCEaDH-U6Dr70_ub97IZURKZ4
2018-08-17 08:00:05,741:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/html/.well-known/acme-challenge
2018-08-17 08:00:05,741:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.21.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1240, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1120, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 118, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 84, in get_authorizations
    self.verify_authzr_complete()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 298, in verify_authzr_complete
    raise errors.AuthorizationError("Incomplete authorizations")
certbot.errors.AuthorizationError: Incomplete authorizations

I get log2 when I try to run certbot:

certbot certonly --webroot -w /var/www/html/ -d myownsite.cn http://myownsite.cn/

Best and happy weekend to you all,
Swantje


#6

Your website doesn’t send a response:

https://acme-v01.api.letsencrypt.org/acme/challenge/fl77LItCIXJ9bkJuY_fU4S__S4AThR0R2SlYImS_N_0/6548047016

http://staging-shc-neo.usst.edu.cn/.well-known/acme-challenge/xD3a-gdF0ojMb_XxE_SCEaDH-U6Dr70_ub97IZURKZ4

This page isn’t working
staging-shc-neo.usst.edu.cn didn’t send any data.

Chrome says:

ERR_EMPTY_RESPONSE

Maybe a firewall problem. If you want to use the http-01 challenge: certbot creates a file under /.well-known/acme-challenge/, and Let's Encrypt must be able to load this file over port 80.
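As an added example (not code from the thread and not certbot's own code), this derives the two challenge responses that posts #2 and #6 talk about: the body of the file certbot drops under /.well-known/acme-challenge/ for http-01, and the value that belongs in the _acme-challenge TXT record for dns-01. It follows RFC 8555 section 8 and the JWK thumbprint rules of RFC 7638. The token and account-key thumbprint are taken from the http-01 entry in log1 above; SAMPLE_JWK is a constructed placeholder key, not a real modulus.

```python
"""Challenge responses for the two certbot validation methods discussed above.

Added example; not from the thread and not certbot's own code. It derives,
for a given ACME token and account key, the file body that http-01 expects
under <webroot>/.well-known/acme-challenge/<token> and the TXT value that
dns-01 expects at _acme-challenge.<domain> (RFC 8555 section 8, RFC 7638).
"""
import base64
import hashlib
import json
import re

BASE64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def base64url(data: bytes) -> str:
    """ACME base64url: URL-safe alphabet, trailing '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    """base64url(SHA-256(data)); used for both thumbprints and dns-01 values."""
    return base64url(hashlib.sha256(data).digest())


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members for the key type,
    sorted lexicographically, no whitespace. Optional members such as
    'alg' or 'kid' are deliberately dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """Account key thumbprint; it is the part after the '.' in every
    keyAuthorization the ACME server returns."""
    return sha256_b64url(canonical_jwk(jwk).encode("ascii"))


def http01_key_authorization(token: str, thumbprint: str) -> str:
    """Exact body of the http-01 challenge file (no trailing newline)."""
    return f"{token}.{thumbprint}"


def http01_url(domain: str, token: str) -> str:
    """Where the CA fetches the file: the first request is plain http on
    port 80 (redirects are followed). An empty reply here is what the
    thread ran into."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_txt_value(key_authorization: str) -> str:
    """TXT record value for dns-01. Note that it is a hash of the key
    authorization, not the token and not the key authorization itself."""
    return sha256_b64url(key_authorization.encode("ascii"))


def looks_like_acme_value(value: str) -> bool:
    """Sanity check for a 32-byte digest in base64url form: 43 characters,
    URL-safe alphabet, no padding."""
    return len(value) == 43 and BASE64URL_RE.match(value) is not None


# Token and thumbprint copied from the http-01 challenge in the poster's log1.
TOKEN = "xD3a-gdF0ojMb_XxE_SCEaDH-U6Dr70_ub97IZURKZ4"
THUMBPRINT = "AFyvukgCnbpoYbD8qK80P28_41NnFpvzR4EAZnPS-b4"

# Constructed RSA JWK for demonstration only: 'n' is a placeholder, not a
# real modulus, and 'alg'/'kid' are present to show they are ignored.
SAMPLE_JWK = {"kty": "RSA", "n": "not-a-real-modulus", "e": "AQAB",
              "alg": "RS256", "kid": "example"}


if __name__ == "__main__":
    key_authz = http01_key_authorization(TOKEN, THUMBPRINT)
    print("http-01 URL :", http01_url("myownsite.cn", TOKEN))
    print("http-01 body:", key_authz)
    print("dns-01 TXT  :", dns01_txt_value(key_authz))
    print("thumbprint of constructed key:", jwk_thumbprint(SAMPLE_JWK))
```

The practical check this enables: fetch the http-01 URL yourself from outside the network before running certbot, and compare the body with the key authorization; for dns-01, compare the published TXT record with `dns01_txt_value(...)`, since publishing the bare token (as the manual prompt's "value" might suggest to a first-time reader) is a common reason for a mismatch even once the NXDOMAIN is fixed.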


#7

Hi Jürgen,

too blind … I apologize!
Thx for your help!
…think I know, what to do next.

Greets!

Swantje


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.