Certbot via Ubuntu 20.04 terminal having DNS challenge failed for LOCALLY HOSTED domain

My parent domain is "martekservers.com", which is locally hosted via a Domain controller based on Windows Server 2008. I am creating a NextCloud instance with the intention of it not being visible on the internet, but usable on the local domain with a domain name via IPv4 called "nextcloud.martekservers.com", otherwise I would assign it a domain name via bluehost.

I ran "certbot --apache". It prompts me to select the domain to give SSL/HTTPS, I select "nextcloud.martekservers.com".

It produced this output: "Challenge failed for domain nextcloud.martekservers.com
http-01 challenge for nextcloud.martekservers.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: nextcloud.martekservers.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
nextcloud.martekservers.com - check that a DNS record exists for
this domain".

My web server is Apache version 2.4.41, running on an Ubuntu 20.04 LTS, and as previously stated, the Domain Controller is on Windows Server 2008. I am also an administrator of this network.

NextCloud, as far as I'm aware, doesn't have a control panel for DNS issues.

I am using Certbot 0.40.0.

Notes on issue:
1.) I have gone into the server, and manually edited DNS. I created a Host (A) forward lookup zone for the Ubuntu server. It is registered on the network as a static IP of 192.168.1.38, and it has two CNAMEs, one being nextcloud.martekservers.com, and one being openoffice.martekservers.com (the goal is to run both on one box, openoffice will also need an SSL certificate, though if I can figure out the nextcloud issue, I can figure that out as well.)
2.) I have also created a PTR record that points 192.168.1.38 to the Ubuntu server.
3.) For whatever reason, Ubuntu most definitely does not play as nicely with my domain controller as the windows boxes I have connected to the domain. Everything regarding DNS has been manually set since the day I installed Linux onto that box.

1 Like

If you want a certificate for a domain which isn't visible on the internet, then you'll need to use the DNS Challenge. This means certbot --apache isn't an option for you, because it uses the HTTP challenge.

You could try install Certbot via pip and then install the third party certbot-dns-godaddy plugin to do this:

sudo /opt/certbot/bin/pip install certbot-dns-godaddy
sudo certbot run --authenticator dns-godaddy --installer apache \
--dns-godaddy-credentials ~/.secrets/certbot/godaddy.ini  \
-d nextcloud.martekservers.com

You can also try another client like acme.sh which supports GoDaddy DNS challenges out of the box.

3 Likes

Hello, I forgot to mention that I had tried this.

I ran this command: sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'nextcloud.martekservers.com, nextcloud.martekservers.com'

I deployed the TXT record under the name "_acme-challenge.nextcloud.martekservers.com" with the value given, and it gave me a similar error, stating "NXDOMAIN looking up TXT for _acme-challenge.nextcloud.martekservers.com - check that a DNS record exists for this domain"

A bit confused, as I did what was stated. I tried two more times, listing the record differently each time to see if it was some sort of user error, though none of them worked.

1 Like

In the first line of what you sent here, I am prompted with "command not found." Should I just run "sudo install certbot-dns-godaddy" ?

1 Like

The record needs to be created on the GoDaddy side.

The certificate authority checks the globally authoritative nameservers in order to validate your control of your domain.

If you are creating the DNS TXT record on your local network only, that's not going to work.

Keep in mind also that using --manual in this way won't support autorenewal.

5 Likes

If you want to go with this option, you'll need to go through the instructions on the page I linked to first ( install Certbot via pip).

3 Likes

Thank you for the speedy replies yesterday, by the way. I'm very appreciative.

I was looking into everything you sent me, which I'd like to thank you again for, as those resources were very informative, but I'm a bit stuck on the creation of the GoDaddy credentials INI file, and where I must store it. The help page for certbot-dns-godaddy states "Certbot will emit a warning if it detects that the credentials file can be accessed by other users on your system," though I am unaware of how to make a file inaccessible by others on Linux, as this is my first time using Linux.

1 Like

I'd like to add that I created an account on developer.godaddy.com, and have created an API Key there, so I have the "secret" and the "key" that they are asking to put in the file, or at least this is true as far as I understand it.

1 Like

You can put the credentials file in any location of your choosing.

I would typically save it somewhere like /etc/letsencrypt/godaddy.ini.

Once you have created the file, you can restrict it to only be accessible by the root user:

sudo chown root:root /etc/letsencrypt/godaddy.ini
sudo chmod 0600 /etc/letsencrypt/godaddy.ini
3 Likes

I created the file in the terminal using these commands:

1.) cd /etc/letsencrypt
2.) sudo nano godaddy.ini

within this second step, I wrote the file as follows (these are not my keys, simply the example keys from the github page)


dns_godaddy_secret = 0123456789abcdef0123456789abcdef01234567
dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123

I saved and exited, then ran both the sudo chown and sudo chmod commands you sent, in order, and ran this command

sudo certbot --dns-godaddy-credentials /etc/letsencrypt/godaddy.ini

The output is the same as the initial error I received, stating DNS Problem: NXDOMAIN looking up A for nextcloud.martekservers.com.

Any thoughts? Is the problem actually my DNS setup?

1 Like

The command _az suggested is above. Did you try that format? Of course, change the path for the credentials for the actual path you placed them.

The error you are receiving looks like it was trying http challenge.

If none of this helps, please show the entire command you tried.

4 Likes

You are correct. The previous command DID show "some challenges have failed."

I ran the command that @_az suggested in his initial response. Here is what is shown in the terminal, in its entirety, as you asked.

root@ubuntop:/etc/letsencrypt# sudo certbot run --authenticator dns-godaddy --installer apache --dns-godaddy-credentials /etc/letsencrypt/godaddy.ini -d nextcloud.martekservers.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for nextcloud.martekservers.com
Waiting 30 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-godaddy). The Certificate Authority reported these problems:
Domain: nextcloud.martekservers.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nextcloud.martekservers.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-godaddy. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-godaddy-propagation-seconds (currently 30 seconds).

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

Note:

In the link @_az shows in his initial response regarding using the godaddy plugin for certbot, they recommend a propogation time of >=600, so I will run that and try the command I just tried and showed the results for here again.

They list the command as an argument on certbot's command line as follows:
--dns-godaddy-propogation-seconds NUM ,
so I tried the running the command
sudo certbot --dns-godaddy-propogation-seconds 600
and it told me that I was using an unrecognized argument. What is the correct way to write the argument?

1 Like

Maybe spelling it like this:

--dns-godaddy-propagation-seconds
2 Likes

LOL. That's embarrassing. Regardless,

I realized after running it that I simply need to add this argument to the one mentioned in the initial response from @_az, again. I wrote it out, without using the Bash (I think that's what the backslashes are referred to as?), as follows:

sudo certbot run --authenticator dns-godaddy --installer apache --dns-godaddy-propagation-seconds 600 --dns-godaddy-credentials /etc/letsencrypt/godaddy.ini -d nextcloud.martekservers.com

I received another error, this time saying that the challenge has failed. Here is what was shown in the terminal.

Requesting a certificate for nextcloud.martekservers.com
Waiting 600 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-godaddy). The Certificate Authority reported these problems:
  Domain: nextcloud.martekservers.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nextcloud.martekservers.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-godaddy. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-godaddy-propagation-seconds (currently 600 seconds).

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.```
1 Like

That seems like it should have worked.

Are you able to post a screenshot of the DNS records for this domain in your GoDaddy control panel?

1 Like

I do not know what GoDaddy control panel you're talking about. My domain is local. I created an account for developer.godaddy to create an API key, not an account for web server hosting. Is there still a control panel there? Am I not able to use the API keys this way, without a paid GoDaddy account?

1 Like

OK. I think I need to check some of my assumptions.

martekservers.com is a public domain name registered with GoDaddy.

Are you the domain registrant? i.e. Do you own it?

3 Likes

I thought I had been transparent about this. In my original post, I stated " My parent domain is "martekservers.com", which is locally hosted via a Domain controller based on Windows Server 2008." On premise, local to this network, there is that domain controller. martekservers.com is owned by me.

The title of this thread has "LOCALLY HOSTED" in it as well

1 Like

Regardless of whether you plan to host a local copy of the DNS zone for martekservers.com, there must still exist a public copy owned and controlled by whoever purchased the domain (we've been assuming this is you). This is also where the TXT records ultimately need to be created...not in your local copy on your private domain controller.

The public NS records for that domain imply it was registered and hosted with GoDaddy which is why folks have been suggesting you setup API access to modify the records there.

If you're not the actual owner of martekservers.com (or don't have control over its public DNS hosting), you won't be able to get a Let's Encrypt certificate for names within that domain.

6 Likes