Certbot via Ubuntu 20.04 terminal having DNS challenge failed for LOCALLY HOSTED domain

It was to my understanding that I could use letsencrypt for SSL for a local domain. Thank you for clarifying that this is not the case.

I also have a bluehost domain, martekprober.com. Should I use that instead? Is there a way for me to make a subdomain of it, say nextcloud.martekprober.com, only viewable on my LAN, or as part of my local domain? I wanted this for security reasons.

Edit: I'm aware of how to make the subdomain, I simply am unaware of if I can make it private. Just wanted to clarify.

1 Like

You very much can as long as you own or control the real public copy of that domain as well.

Obtaining a publicly trusted certificate from a public Certificate Authority such as Let's Encrypt requires proving control of a real ICANN registered domain regardless of whether you only ever intend to use it privately.

You still haven't answered the question about whether you own/control martekservers.com. It sounds like you do though considering you said you own martekprober.com. This is still doable for martekservers.com if you control the public DNS zone for it.

6 Likes

I own and have access to control martekservers.com, though it is not viewable through the internet, aka it is not public. I do control the "real public copy" of martekprober.com, as well.

1 Like

But it (the DNS zone, not the services you're using it with) is indeed viewable through the Internet. Take a look at this basic DNS domain query tool:

It shows your nameservers are set to ns71.domaincontrol.com and ns72.domaincontrol.com which are GoDaddy nameservers (though it's possible you purchased this domain through a GoDaddy reseller). It shows an A record to a public IP address for martekservers.com and a CNAME for www.martekservers.com pointing to the domain apex which is all pretty standard.

So when certbot asks you to create a TXT record, this is the zone that record needs to go in. We just need to understand how you modify DNS records in this public zone. Is it GoDaddy directly? Is it another hosting provider?

6 Likes

Before I say anything more, I'd like to establish this:

I am the owner of martekservers.com, though I did not set it up. It was set up in 2012, used as a VPN service of some sort (as far as I'm aware), and was eventually used for other things, with the initial use as said VPN server no longer being the case. I have been in charge of martekservers.com since 2021.

The link to intoDNS that you sent was very informative. I spent some time reading it. I'm unaware of what the correct zone to put the TXT record into would be, based on what you said. Here is a screenshot from my Domain Controller that shows (circled in red) where I had been making all of my changes, hopefully that points us in the correct direction. (I apologize for the poor resolution, though it's still legible.)

Edit: By "changes", I mean where I put the TXT record manually when following one of the prior processes, and where I had set the A record for the computer, CNAMEs for the computer, and the PTR record for the computer. I'm still an amateur when it comes to DNS, so any advice is appreciated. Thank you again.


2 Likes

That looks like a local AD DNS server.
The domain zone that needs to update the DNS TXT record is the zone on the Internet:

nslookup -q=ns martekservers.com
martekservers.com       nameserver = ns71.domaincontrol.com
martekservers.com       nameserver = ns72.domaincontrol.com

1 Like

Oh! I didn't know that there are different kinds of DNS servers. You show a command here. Are you showing me an example of the output you receive, or is this a command I should run on my Windows Server or Linux Server?

1 Like

That output is what the Internet sees - what LE will see.

If you are going to run that from within your private network, specify a public DNS server, like:
nslookup -q=ns martekservers.com 8.8.8.8
nslookup -q=ns martekservers.com 1.1.1.1
nslookup -q=ns martekservers.com 9.9.9.9
nslookup -q=ns martekservers.com 4.2.2.2

1 Like

So, as @rmbolger and you have stated, ns71.domaincontrol.com and ns72.domaincontrol.com are the nameservers which my DNS is using, somehow in relation to GoDaddy. How am I supposed to put a TXT record into that zone? Where would said zone reside?

1 Like

It would likely be in the web control panel of the registrar where martekservers.com was purchased. If it was purchased directly from godaddy.com, it would be there. But there are also web hosts who are just resellers of GoDaddy domains and services. So if it was purchased from a reseller, you'd likely login to the reseller's portal instead.

4 Likes

Thank all of you. I've been looking into this a bit myself, I'll get back to you if I have any updates.

3 Likes

Update: It took me a little while to look through old accounting information, as well as not working on this over the weekend or on Friday, but I found that we were paying a company called "Cheap Cheap Domain Names", who appears to be a domain name reseller. Their website is cheapcheapdomainnames.com, and they have a control panel there with the ability to add DNS records. I'm going to try what we have mentioned in this thread here.

Edit: This company appears to be using GoDaddy nameservers. This explains why it appears as such on the whois sites.

Side note: I haven't seen this company mentioned before literally anywhere before seeing them in old accounting documentation, but it seems as though this domain is registered until September of 2022. I will transfer everything over to Bluehost around that time, as I do some web hosting through there already, and it would be convenient to have everything in one place. I'm unaware of what I'll have to do with anything associated with my domains as a result of the move, though that's not relevant right now.

2 Likes

I implemented in the DNS records section of the control panel of cheapcheapdomainnames.com the A record that I had put on my AD server, as well as an AAAA record that contains the IPv6 address of the Linux box I am running Certbot for, as I figure that since my nameservers are not local to me, it will need it. TTL is set to the minimum/standard that this host provides, at 600 seconds.

I tried running the previous command we used, specifically
sudo certbot run --authenticator dns-godaddy --installer apache --dns-godaddy-propagation-seconds 600 --dns-godaddy-credentials /etc/letsencrypt/godaddy.ini -d nextcloud.martekservers.com

The result was as follows:
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nextcloud.martekservers.com

I remembered that I had used this command to allow me to manually obtain the certificate, and the TXT record, as clearly, "sudo certbot --apache" wasn't working:
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'nextcloud.martekservers.com'

The result was that it worked, and the certificate was obtained. It saved the certificate at /etc/letsencrypt/live/nextcloud.martekservers.com/fullchain.pem, with the key being saved at /etc/letsencrypt/live/nextcloud.martekservers.com/privkey.pem. It also tells me that the certificate expires on 2022-04-18, and that this certificate will not renew automatically, which leaves me with a few questions:

Where may I obtain a script to renew this automatically? How do I apply the certificate to my local site?

Again, thank you all for the help. This community is awesome. I feel like I've learned so much.

2 Likes

Sorry, your post has confused me...
If it only worked when you manually added the TXT record, then that can't be automated.

You should ask those cheap cheap admins if they support DNS API updates (and how?).

1 Like

This may be slightly unuseful (is that a word?)
I just logged in to cheapcheap (secureserver.net) with my GoDaddy creds.
Maybe @Evenimous can log in to GoDaddy with his creds and configure the API there.

5 Likes

"unuseful" = useless.

4 Likes

I tried this, and it did not work. Thank you for the idea, though.

It clearly states that there is a way to set up autorenewal after I ran the command. It says this in the terminal under the success window.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

What this means to me is that I may find or create a script that may set up autorenewal. I only mean to ask to be pointed to resources related to scripting with certbot.

Then it wasn't clear enough OR you misunderstood it.
There is NO way to automate a manual requirement.

2 Likes

Well, it's kinda counterintuitive, as the manual plugin can be automated, if hook scripts are used.

Certbot will run any executable as a hook script. The only issue is that most likely you'd need to script the code which will add (and remove) the authorization token yourself.

3 Likes
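As an added example (not posted by anyone in this thread), here is the shape of a `--manual-auth-hook` script for the hook-script approach described in the last two posts: certbot really does export `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook, but `publish_txt_record` is a placeholder, since the reseller's DNS API is not known here, and the propagation check deliberately asks a public resolver from this thread (8.8.8.8) rather than the LAN AD DNS, because that is the view Let's Encrypt gets.

```shell
#!/bin/sh
# Added example: skeleton for certbot --manual-auth-hook doing a DNS-01 challenge.
# certbot provides CERTBOT_DOMAIN and CERTBOT_VALIDATION in the hook's environment.
# A matching --manual-cleanup-hook should delete the record again afterwards.

challenge_record_name() {
    # DNS-01 expects the token in a TXT record named _acme-challenge.<domain>
    printf '_acme-challenge.%s\n' "$1"
}

txt_value_present() {
    # $1 = dig +short output (one quoted TXT value per line), $2 = expected token.
    # Strips the quotes dig prints and requires an exact, whole-line match.
    printf '%s\n' "$1" | tr -d '"' | grep -qxF "$2"
}

txt_record_published() {
    # $1 = record name, $2 = token, $3 = public resolver to ask.
    # Asking a public resolver catches the NXDOMAIN case from this thread,
    # where the record existed only in the private AD zone.
    txt_value_present "$(dig +short @"$3" TXT "$1" 2>/dev/null)" "$2"
}

wait_for_propagation() {
    # $1 = record name, $2 = token, $3 = resolver, $4 = max seconds; polls every 10s.
    elapsed=0
    while [ "$elapsed" -lt "$4" ]; do
        if txt_record_published "$1" "$2" "$3"; then return 0; fi
        sleep 10
        elapsed=$((elapsed + 10))
    done
    return 1
}

publish_txt_record() {
    # PLACEHOLDER (assumption): replace with the DNS provider's API call that
    # creates TXT record "$1" with value "$2" in the public zone.
    echo "would publish TXT $1 = $2 via provider API" >&2
}

# Only act when invoked by certbot (the variables are unset when sourced for tests).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    name=$(challenge_record_name "$CERTBOT_DOMAIN")
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    # The zone TTL in this thread is 600s; allow a little longer for the public view.
    wait_for_propagation "$name" "$CERTBOT_VALIDATION" 8.8.8.8 900 || exit 1
fi
```

Pass the script with `--manual-auth-hook /path/to/script` in the `certbot certonly --manual --preferred-challenges dns` command from earlier in the thread, and `certbot renew` can then run it unattended.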