Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: certbot renew / certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns -d zygou.ddns.net
It produced this output:
Incorrect TXT record "xxx" found at _acme-challenge.zygou.ddns.net
My web server is (include version): apache
The operating system my web server runs on is (include version): Fedora 41
My hosting provider, if applicable, is: noip
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.2.0
Hello everyone, and thank you in advance for the help. I followed the form, but I'll try to provide some context.
I use a homemade Fedora 41 server to host some services, like Immich for self-hosted pictures, for instance. no-ip.com is providing me the domain zygou.ddns.net.
I issued a certificate in November, following a post from this forum, using the command `certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns -d zygou.ddns.net`
It generated a TXT record that I entered in the no-ip.com interface, and it worked as expected.
The certificate just expired. I tried to renew it using the `certbot renew` command, but it failed with an error saying something like:
```
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: zygou.ddns.net
Type: unauthorized
Detail: Incorrect TXT record "xxx" found at _acme-challenge.zygou.ddns.net
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
```
I tried running `certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns -d zygou.ddns.net`, but it recognized that it had to renew the previous certificate and ended with the same error.
So I tried removing the certificate with `certbot delete`, and yet I was still having the same issue, saying that the TXT record saved in no-ip is incorrect.
So I tried to delete the TXT record in the no-ip interface, but now the `certonly` command is issuing this error:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for zygou.ddns.net
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: zygou.ddns.net
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.zygou.ddns.net - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
```
I don't understand much about this ...
Thank you all very much in advance for the help
What's the reason you're using the dns-01 challenge? I notice a timeout on HTTP port 80, but on your HTTPS port 443 I get a "connection refused" reply, which suggests that port isn't blocked by your ISP or something like that. Maybe you could use an ACME client which supports the tls-alpn-01 challenge if the http-01 challenge on port 80 is being blocked?
You're using an acme-dns authenticator script, but your method doesn't seem to include acme-dns at all. What's going on there?
I just tried again with removing the --manual-auth-hook and it worked.
It issued a new TXT record that I was able to save into no-ip.
But this way, I understand that I will never be able to have automatic renewal ... so all help is always welcome.
For both points, the response is quite simple.
I don't really understand well how it works, so I followed some threads here to manage to have something working ...
I have nothing against using an ACME client, but I don't know any, and I also don't really know how it works ^^'
Thanks to you, I was able to understand my issue a tiny little bit better.
Following Immich's recommendation, I use Caddy as a reverse proxy.
If I understand correctly, Caddy can also be used as an ACME client, and port 80, which certbot tries to use, is probably already in use by Caddy, causing the certbot renewal to fail?
Also, if I understand correctly, I should use Caddy as my ACME client? Following Caddy's recommendation, I should do it by installing a Caddy DNS provider plugin? Unfortunately, no-ip doesn't seem to be in the list of available DNS provider plugins ...
So, my options would be to:
- change my DNS provider?
- renew my certificate manually?
- use nginx instead of Caddy to do both the reverse proxy and the ACME client?
Do you see any other way for me to:
- keep my domain provided by no-ip
- keep Caddy as my reverse proxy for my self-hosted picture application
Caddy indeed includes a built-in ACME client. It should be able to take care of all things certificate related.
The error you've shown is Certbot using the dns-01 challenge, as you've instructed it to do so. It does not have anything to do with port 80.
That's most likely the best method forward, yes.
Or just use the tls-alpn-01 challenge?
Also: currently Caddy already is sending out a perfectly fine Let's Encrypt certificate, issued a few hours ago. So not sure what you did or what you changed, but everything seems to be set up fine now. As I got a connection refused on port 443, maybe you didn't have Caddy running yet at that moment. Caddy automatically gets certificates et c., so maybe you didn't know it was working already?
That said, your port 80 is still timing out, so there's no HTTP to HTTPS redirect currently.
Yes. As described in the preceding reply, you can use ACME DNS to accomplish that. You should be able to use Caddy without ACME DNS if you use an HTTP-01 or a TLS-ALPN-01 challenge if you want to keep it simpler.
I think Caddy automatically takes care of that. And showing that OP currently has a perfectly fine certificate on port 443 served by Caddy, I guess there's no need for further manipulation.
As I said previously, I managed to generate a certificate using certbot manually:
`certbot certonly --manual --preferred-challenges dns -d zygou.ddns.net`
but without any auth hook, so I understand that the certificate will not be renewed automatically.
I then serve the certificate in my Caddy configuration:
So in 3 months, I will have to issue the certificate manually again. My goal would be to renew the certificate automatically.
The only way I found to achieve that was to use certbot with the manual-auth-hook from ACME DNS and to add `certbot renew` to my crontab.
Obviously it didn't work out very well for me ^^'
From what I understand, I can install ACME DNS directly on my server instead of using the hook with certbot?
Once ACME DNS is installed on the server, what should I do to generate the certificates and renew them automatically?
I'm sorry, I don't understand these things very well, but your help is really appreciated.
I am not an expert in Caddy but its general idea is that it gets certs automatically. You normally don't have to specify anything for it to handle HTTPS for you.
If you have custom needs you can modify what it does but this should be rarely needed.
I think if you just remove the tls directive line from that domain group definition Caddy will get the cert and serve HTTPS. It then forwards the request from the user-agent to your reverse_proxy as you describe.
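As an added illustration (not the OP's actual Caddyfile, which the thread does not show): the site block that pins Caddy to a manually obtained certbot certificate, next to the simplified block the reply describes. The two variants are separate Caddyfiles shown together for comparison; the Immich port 2283, the LAN address and the certbot file paths are assumptions.

```caddyfile
# --- Variant 1 (assumed reconstruction of the problematic setup) ---
# The tls directive hands Caddy a certificate obtained by hand with certbot.
# Caddy then serves that file as-is and never renews it, so the 90-day
# expiry comes back as a manual chore every time.
zygou.ddns.net {
	# certbot's default output location (assumed path)
	tls /etc/letsencrypt/live/zygou.ddns.net/fullchain.pem /etc/letsencrypt/live/zygou.ddns.net/privkey.pem
	# LAN address of the Immich service (constructed sample value)
	reverse_proxy 192.168.1.10:2283
}

# --- Variant 2 (what the reply suggests) ---
# No tls directive: Caddy's built-in ACME client obtains the certificate for
# the site address itself and renews it before expiry, with no certbot run,
# auth hook or cron job involved. It uses the HTTP-01 (port 80) or
# TLS-ALPN-01 (port 443) challenge, so at least one of those ports must be
# reachable from the Internet; a DNS provider plugin is only needed when
# neither is.
zygou.ddns.net {
	# Immich's default listening port (assumption); "localhost" is fine when
	# Immich runs on the same host as Caddy
	reverse_proxy localhost:2283
}
```

Only one of the two site blocks may exist in a loaded Caddyfile, since Caddy refuses duplicate site addresses.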
Worked!
It seems the reason it was not working, and I had to provide the TLS certificate, was because I used my local IP instead of "localhost".
That's great! So I don't have to issue the certificate at all (I mean Caddy is doing it for me). Thank you very much.