I ran this command: certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ~/certbot.ini -d wcl.net
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for wcl.net
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. wcl.net (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wcl.net - check that a DNS record exists for this domain
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: wcl.net
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.wcl.net - check that a DNS record exists for this
domain
My web server is (include version): certonly
The operating system my web server runs on is (include version): Debian
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is 0.31.0
In the logs and “dig” I can see that acme_challenge txt is added successfully, however, certbot is still failing. Is it a bug or I am doing something wrong?
Have you delegated the _acme-challenge.wcl.net zone from the ns{1,2,3}.livedns.co.uk nameservers to your ns{1,2}.wcl.net nameservers somehow? I can’t see it.
Thank you very much for quick response. Since I am not very experienced with dns and stuff… can you please clarify how can I delegate my internal dns ns to livedns? Thank you
Well, what I mean is, according to your domain registrar, your domain’s nameservers are:
wcl.net. 172800 IN NS ns1.livedns.co.uk.
wcl.net. 172800 IN NS ns2.livedns.co.uk.
wcl.net. 172800 IN NS ns3.livedns.co.uk.
When Let’s Encrypt looks up the _acme-challenge.wcl.net domain, it’s going to ask those nameservers for the record.
Of course, those nameservers weren’t told about the record you just created, so predictably, they say the record doesn’t exist.
Question is, what do you want to do? You obviously had some plan going into this, could you elaborate upon what it was?
It’s sort of hard to read what your intention was because there’s a lot of private hosts and IPs involved.
I guess the immediate issue is: the record is not found because the DNS lookup is done from the public internet (via livedns), not from your internal network (via ns1,ns2.wcl.net).
My intention was very simple - I implemented bind9 dns server on my bare metal machine and wanted to generate proper ssl certs using certbot with rfc plugin & dns challenge… To use for my internal domains lol which I will be able to access via vpn … but as I understood, that’s not what you can actually do that simple