Certificate is not being generated

I have installed Certbot on my Mac to generate the certificate/key. I was able to install Certbot on my Mac successfully. Now I need to generate a certificate which I will distribute to different clients or companies which are authorised to connect to my server. My server is made with node.js.

But I am not able to generate the certificate for the domain ‘network.lemoney.in’.

I ran the following command and got the respective response:

sudo certbot --apache

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for network.lemoney.in
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

IMPORTANT NOTES:
** Your account credentials have been saved in your Certbot**
** configuration directory at /etc/letsencrypt. You should make a**
** secure backup of this folder now. This configuration directory will**
** also contain certificates and private keys obtained by Certbot so**
** making regular backups of this folder is ideal.**

But I did not see any certificate in the /etc/letsencrypt folder.

Then I ran the following command with all 3 options (1, 2 and 3):

sudo certbot certonly

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for network.lemoney.in
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

Then I ran the following command:

sudo certbot certonly --webroot -w /etc/letsencrypt -d network.lemoney.in -w /etc/letsencrypt -d network.lemoney.in

I got the following output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for network.lemoney.in
Using the webroot path /etc/letsencrypt for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. network.lemoney.in (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://network.lemoney.in/.well-known/acme-challenge/qwZjntTjkZbrxdPnPi0xANFd-D_m-VKv0jdiiKxRM6U: Connection refused

IMPORTANT NOTES:
** - The following errors were reported by the server:**

** Domain: network.lemoney.in**
** Type: connection**
** Detail: Fetching**
** http://network.lemoney.in/.well-known/acme-challenge/qwZjntTjkZbrxdPnPi0xANFd-D_m-VKv0jdiiKxRM6U:**
** Connection refused**

** To fix these errors, please make sure that your domain name was**
** entered correctly and the DNS A/AAAA record(s) for that domain**
** contain(s) the right IP address. Additionally, please check that**
** your computer has a publicly routable IP address and that no**
** firewalls are preventing the server from communicating with the**
** client. If you’re using the webroot plugin, you should also verify**
** that you are serving files from the webroot path you provided.**

Note: I did not find the log file in the

/var/log/letsencrypt/letsencrypt.log

One of my friends suggested putting https in place of http in the following line:

http://network.lemoney.in/.well-known/acme-challenge/qwZjntTjkZbrxdPnPi0xANFd-D_m-VKv0jdiiKxRM6U

$ telnet network.lemoney.in 80
Trying 13.127.78.237…
Trying 52.66.174.74…
telnet: Unable to connect to remote host: Connection refused

Connections to port 80 seem to be blocked.
Furthermore, there seems to be AWS load balancing involved. Maybe you did not configure the LB to pass through http traffic?

Yes, there is an AWS load balancing involved and we won’t pass through http traffic.

Then you cannot use http-01 authorization, use dns-01 auth instead.

Where do I need to change? Which command do I need to change?

Please have a look into the official documentation:

Ok, I will go through this document one more time. Can you please tell me which command I should use?

If you want to use DNS-01 authentication with certbot, this is a good guide.

Alternatively you could change your mind and decide to pass through HTTP traffic on port 80.

Yes, I want to continue with DNS-01 authentication with Certbot. I made a ‘credentials’ file in which I put the aws_access_key_id and aws_secret_access_key as follows:

aws_access_key_id = AKID1234567890
aws_secret_access_key = MY-SECRET-KEY

I also made the lexicon-provider_route53.sh file with the following details:

/opt/eff.org/certbot/venv/bin/pip install dns-lexicon
/opt/eff.org/certbot/venv/bin/pip install dns-lexicon[route53]
/opt/eff.org/certbot/venv/bin/lexicon route53 \
--auth-access=/Users/amitraj/Documents/.aws/credentials --auth-token=/Users/amitraj/Documents/.aws/credentials --auth-username=/Users/amitraj/Documents/.aws/credentials \
"$1" "${CERTBOT_DOMAIN}" TXT \
--name "_acme-challenge.${CERTBOT_DOMAIN}" \
--content "${CERTBOT_VALIDATION}" || exit 255

if [ "$1" == "create" ]; then
sleep 1200
fi

I ran the following command:

sudo certbot certonly --manual --manual-public-ip-logging-ok --manual-auth-hook "/etc/letsencrypt/lexicon-provider_route53.sh create" --manual-cleanup-hook "/etc/letsencrypt/lexicon-provider_route53.sh delete" --preferred-challenges dns -d network.lemoney.in

I got the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for network.lemoney.in
Hook command "/etc/letsencrypt/lexicon-provider_route53.sh create" returned error code 255
Error output from lexicon-provider_route53.sh:
/etc/letsencrypt/lexicon-provider_route53.sh: line 1: /opt/eff.org/certbot/venv/bin/pip: No such file or directory
/etc/letsencrypt/lexicon-provider_route53.sh: line 2: /opt/eff.org/certbot/venv/bin/pip: No such file or directory
/etc/letsencrypt/lexicon-provider_route53.sh: line 3: /opt/eff.org/certbot/venv/bin/lexicon: No such file or directory

Waiting for verification…
Cleaning up challenges
Hook command "/etc/letsencrypt/lexicon-provider_route53.sh delete" returned error code 255
Error output from lexicon-provider_route53.sh:
/etc/letsencrypt/lexicon-provider_route53.sh: line 1: /opt/eff.org/certbot/venv/bin/pip: No such file or directory
/etc/letsencrypt/lexicon-provider_route53.sh: line 2: /opt/eff.org/certbot/venv/bin/pip: No such file or directory
/etc/letsencrypt/lexicon-provider_route53.sh: line 3: /opt/eff.org/certbot/venv/bin/lexicon: No such file or directory

Failed authorization procedure. network.lemoney.in (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.network.lemoney.in

Please let me know how I can correct this.

The guide is written for certbot-auto.

If you want to use it for certbot, then you have to get rid of any references to /opt/eff.org/..., and instead just refer to pip and lexicon without any particular path.

It also doesn’t use the credentials file.

e.g.

#!/usr/bin/env bash
pip install dns-lexicon
pip install dns-lexicon[route53]
lexicon route53 \
--auth-access-key YOUR_AWS_ACCESS_KEY --auth-access-secret YOUR_AWS_ACCESS_SECRET \
"$1" "${CERTBOT_DOMAIN}" TXT \
--name "_acme-challenge.${CERTBOT_DOMAIN}" \
--content "${CERTBOT_VALIDATION}" || exit 255

if [ "$1" == "create" ]; then
  sleep 30
fi

I made changes in the file and got the following error:

2018-03-08 08:34:14,501:DEBUG:certbot.main:certbot version: 0.21.1
2018-03-08 08:34:14,503:DEBUG:certbot.main:Arguments: ['--manual', '--manual-public-ip-logging-ok', '--manual-auth-hook', '/etc/letsencrypt/lexicon-provider_route53.sh create', '--manual-cleanup-hook', '/etc/letsencrypt/lexicon-provider_route53.sh delete', '--preferred-challenges', 'dns', '-d', 'network.lemoney.in']
2018-03-08 08:34:16,692:INFO:certbot.auth_handler:Performing the following challenges:
2018-03-08 08:34:16,692:INFO:certbot.auth_handler:dns-01 challenge for network.lemoney.in
2018-03-08 08:34:23,125:INFO:certbot.hooks:Output from lexicon-provider_route53.sh:
Arguments: Namespace(action='create', auth_access_key='XXXXXXXXXXXXXXXXXXXX', auth_access_secret='YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY', auth_token=None, auth_username=None, content='EZF5WlpXnFPsmQ97UGFk2XdHCOeEa54f8VQqVllv55E', delegated=None, domain='network.lemoney.in', identifier=None, log_level='DEBUG', name='_acme-challenge.network.lemoney.in', priority=None, private_zone=None, provider_name='route53', ttl=None, type='TXT')
2018-03-08 08:34:23,125:ERROR:certbot.hooks:Hook command "/etc/letsencrypt/lexicon-provider_route53.sh create" returned error code 255
2018-03-08 08:34:23,126:ERROR:certbot.hooks:Error output from lexicon-provider_route53.sh:
The directory '/Users/amitraj/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/Users/amitraj/Library/Caches/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/Users/amitraj/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/Users/amitraj/Library/Caches/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/lexicon/providers/route53.py", line 115, in authenticate
    hz for hz in hosted_zones
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/lexicon", line 11, in <module>
    load_entry_point('dns-lexicon==2.1.21', 'console_scripts', 'lexicon')()
  File "/usr/local/lib/python3.6/site-packages/lexicon/main.py", line 72, in main
    client.execute()
  File "/usr/local/lib/python3.6/site-packages/lexicon/client.py", line 38, in execute
    self.provider.authenticate()
  File "/usr/local/lib/python3.6/site-packages/lexicon/providers/route53.py", line 120, in authenticate
    raise Exception('No domain found')
Exception: No domain found

2018-03-08 08:34:32,716:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.21.1', 'console_scripts', 'certbot')()
  File "/usr/local/Cellar/certbot/0.21.1_1/libexec/lib/python3.6/site-packages/certbot/main.py", line 1240, in main
    return config.func(config, plugins)
  File "/usr/local/Cellar/certbot/0.21.1_1/libexec/lib/python3.6/site-packages/certbot/main.py", line 1120, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/Cellar/certbot/0.21.1_1/libexec/lib/python3.6/site-packages/certbot/main.py", line 118, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/Cellar/certbot/0.21.1_1/libexec/lib/python3.6/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/Cellar/certbot/0.21.1_1/libexec/lib/python3.6/site-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/local/Cellar/certbot/0.21.1_1/libexec/lib/python3.6/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/local/Cellar/certbot/0.21.1_1/libexec/lib/python3.6/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/local/Cellar/certbot/0.21.1_1/libexec/lib/python3.6/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. network.lemoney.in (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.network.lemoney.in

Can I use certbot-auto on Mac? If yes, then how?

Well, it seems to be working fine, except that it can't find your DNS zone/domain in your AWS account.

Hmm.

lemoney.in.             86400   IN      NS      dns2.bigrock.in.
lemoney.in.             86400   IN      NS      dns3.bigrock.in.
lemoney.in.             86400   IN      NS      dns1.bigrock.in.
lemoney.in.             86400   IN      NS      dns4.bigrock.in.

You're not using Route53 for this domain ... so I'm not sure why you are trying to use the Route53 DNS challenge :confused:

What should I change to make it work?

What should I change for this?

It might help to take a step back and think about what you’re trying to achieve.

  1. We’ve excluded using the HTTP challenge because you don’t want to open port 80.
  2. The only current alternative to the HTTP challenge is the DNS challenge.
  3. In order to use the DNS challenge successfully, you need to be able to update the TXT records on your domain.
  4. In order to enable automatic renewal using the DNS challenge, you need to integrate your DNS provider with the Let’s Encrypt client software you use (e.g. Certbot).
  5. The guide you used assumes that your nameservers are operated by one of the providers in the displayed list (e.g. Route53). However, you do not appear to use any of the supported providers.

You need to figure out how you can automatically update the TXT records on your nameservers (e.g. dns1.bigrock.in). We, on this forum, don’t know how those nameservers work or who owns them, so you need to come up with this answer.

You can manually issue a certificate using Certbot, which will ask you to manually set up the TXT records, but you would need to repeat this process every 60-90 days, which is why it is ideal to automate it.

certbot -i apache -a manual --preferred-challenges dns -d network.lemoney.in

Thanks for your wonderful response!! If I add a TXT record to my domain, can I generate a certificate which will work for 60-90 days?

Yes, that’s correct. The certificate has a 90 day duration, and it is considered a best practice to renew it 30 days prior to expiration (= every 60 days).

When you go to renew the certificate, you will be required to change the TXT record to another value.

There is a CNAME for network.lemoney.in, and they don't allow adding a TXT record. How can I add a TXT record for this domain, or how can we generate a certificate for this?

I have created a new domain name network2.lemoney.in and added a TXT record for it. I added the value which was given after the following:

Please deploy a DNS TXT record under the name
_acme-challenge.network2.lemoney.in with the following value:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

But still I am getting the following error:

Domain: network2.lemoney.in
Type: connection
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.network2.lemoney.in

It takes time for DNS propagation to complete so that the changes are reflected globally. How can I use this value next time?

The CNAME "network.lemoney.in." and the TXT "_acme-challenge.network.lemoney.in." are completely separate. The DNS provider shouldn't stop you from creating one because the other exists. If they do... that's a problem.

Unfortunately, you can't. Next time, the TXT record will have a different value.

Then how can I generate the certificate?

You have to set the new TXT record value, wait long enough for the DNS provider to start serving it, and then have Let's Encrypt check it.

Hopefully it only takes a few seconds or a few minutes, but I don't know how BigRock's systems work.
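One way to replace the fixed `sleep 30` in the hook script posted earlier, and the "wait long enough for the DNS provider to start serving it" step in the last reply, is to poll the zone's authoritative nameservers for the validation record and only return to Certbot once every one of them serves it, so the CA never sees the NXDOMAIN from this thread. This is an added example, not code from the thread, Certbot or Lexicon; it assumes Certbot's CERTBOT_DOMAIN and CERTBOT_VALIDATION variables (which the thread's hook already uses), that the TXT record was created by an earlier step of the hook, and that `dig` is installed for the default lookup (the lookup function is injectable, so the logic can be tested offline).

```python
"""Wait for the dns-01 TXT record to be served before Certbot asks the CA to
validate. Added example; assumes CERTBOT_DOMAIN / CERTBOT_VALIDATION are set
by Certbot and that the record has already been created by the hook."""
import os
import subprocess
import sys
import time
from typing import Callable, Iterable, List

# (record name, nameserver) -> list of TXT strings served by that nameserver
LookupFn = Callable[[str, str], List[str]]


def challenge_name(domain: str) -> str:
    """The dns-01 validation record lives at _acme-challenge.<domain>."""
    return "_acme-challenge." + domain.rstrip(".") + "."


def dig_txt(name: str, nameserver: str) -> List[str]:
    """Default lookup: query one authoritative server directly with `dig`
    (assumed installed), bypassing recursive resolvers that may have cached
    the negative answer the CA reported."""
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "TXT", name, "@" + nameserver],
        capture_output=True, text=True, check=False,
    ).stdout
    # dig prints each TXT RDATA as a quoted string; strip the quotes.
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def wait_for_txt(name: str, expected: str, nameservers: Iterable[str],
                 lookup: LookupFn = dig_txt, timeout: float = 600.0,
                 interval: float = 10.0, clock=time.monotonic,
                 sleep=time.sleep) -> bool:
    """Return True once every listed nameserver serves `expected` under `name`.

    Returns False on timeout so the hook can exit non-zero: Certbot then
    reports a hook failure instead of the CA's misleading NXDOMAIN error.
    clock/sleep are injectable so the polling loop can be tested offline."""
    servers = list(nameservers)
    deadline = clock() + timeout
    while True:
        pending = [ns for ns in servers if expected not in lookup(name, ns)]
        if not pending:
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


def main() -> int:
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    # Authoritative servers for the zone (for the thread's domain, the
    # bigrock.in NS hosts); passed on the command line here (assumption).
    nameservers = sys.argv[1:]
    if not nameservers:
        print("usage: wait_txt.py NS1 [NS2 ...]", file=sys.stderr)
        return 2
    name = challenge_name(domain)
    if wait_for_txt(name, validation, nameservers):
        return 0
    print(f"TXT {name} not visible with the expected value on all nameservers",
          file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Call it from the auth hook right after the record is created (`python3 wait_txt.py dns1.bigrock.in dns2.bigrock.in || exit 255`) so that a record that never appears fails the hook instead of the challenge.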