Challenge failed DuckDNS/nginx/Ubuntu

I am close to success - trying to stay positive :wink: - but have met a few obstacles.

Here's my setup:

  • Ubuntu 19.10
  • Nginx 1.16.1
  • Sagemcom router from my cable provider
  • Certbot 0.40.1

What I've done so far:

Running manual-auth-hook command: /usr/local/bin/auth.sh
manual-auth-hook command "/usr/local/bin/auth.sh" returned error code 1
Waiting for verification...
Challenge failed for domain tanghus.duckdns.org
dns-01 challenge for tanghus.duckdns.org
Cleaning up challenges
Running manual-cleanup-hook command: /usr/local/bin/cleanup.sh
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: tanghus.duckdns.org
   Type:   unauthorized
   Detail: Incorrect TXT record "" found at
   _acme-challenge.tanghus.duckdns.org

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I must admit that I can't really grasp how this _acme-challenge and DNS records are supposed to work :frowning:

/etc/nginx/sites-available/tanghus.net (linked to /etc/nginx/sites-enabled/tanghus.net):

server {
        listen 80;
        #listen [::]:443 ssl;
        root /var/www/tanghus;
        index index.html;
        server_name tanghus.duckdns.org;
}

From /var/log/letsencrypt/letsencrypt.log:

2019-11-19 12:47:56,819:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/1308657188 HTTP/1.1" 200 996
2019-11-19 12:47:56,821:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2019 11:47:56 GMT
Content-Type: application/json
Content-Length: 996
Connection: keep-alive
Boulder-Requester: 72092529
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001dxX7J-B2EcJoe-IdEFu694VBpqXQdJr3ogVLeR-4_zc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "tanghus.duckdns.org"
  },
  "status": "invalid",
  "expires": "2019-11-26T11:47:37Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1308657188/vJW1nA",
      "token": "r_2Sx0iulCL_vOKxdlbOoX-AqQuqnXq7PW0n8YWoC0o"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"\" found at _acme-challenge.tanghus.duckdns.org",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1308657188/WVL9XQ",
      "token": "r_2Sx0iulCL_vOKxdlbOoX-AqQuqnXq7PW0n8YWoC0o"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1308657188/epRg5Q",
      "token": "r_2Sx0iulCL_vOKxdlbOoX-AqQuqnXq7PW0n8YWoC0o"
    }
  ]
}
2019-11-19 12:47:56,822:DEBUG:acme.client:Storing nonce: 0001dxX7J-B2EcJoe-IdEFu694VBpqXQdJr3ogVLeR-4_zc
2019-11-19 12:47:56,824:WARNING:certbot.auth_handler:Challenge failed for domain tanghus.duckdns.org
2019-11-19 12:47:56,826:INFO:certbot.auth_handler:dns-01 challenge for tanghus.duckdns.org
2019-11-19 12:47:56,827:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: tanghus.duckdns.org
Type:   unauthorized
Detail: Incorrect TXT record "" found at _acme-challenge.tanghus.duckdns.org

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-11-19 12:47:56,828:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2019-11-19 12:47:56,828:DEBUG:certbot.error_handler:Calling registered functions
2019-11-19 12:47:56,828:INFO:certbot.auth_handler:Cleaning up challenges
2019-11-19 12:47:56,830:INFO:certbot.hooks:Running manual-cleanup-hook command: /usr/local/bin/cleanup.sh
2019-11-19 12:47:57,701:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Have I missed anything relevant?

Maybe:

; <<>> DiG 9.12.3-P4 <<>> tanghus.duckdns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47633
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 09eebc52674c9a854cd9dbbb5dd3eb3e6365618c921fe128 (good)
;; QUESTION SECTION:
;tanghus.duckdns.org.           IN      A

;; ANSWER SECTION:
tanghus.duckdns.org.    60      IN      A       87.50.31.25

;; Query time: 315 msec
;; SERVER: 217.11.48.200#53(217.11.48.200)
;; WHEN: Tue Nov 19 14:16:46 CET 2019
;; MSG SIZE  rcvd: 92

https://dnsspy.io/scan/tanghus.duckdns.org returns:

Oops! No nameservers found.

We tried to query tanghus.duckdns.org for NS records (your nameservers), but couldn't find any. Does the domain you've added have any NS records?

Any advice on how to proceed will be greatly appreciated :slight_smile:

Hi @tanghus

Checking your domain, that looks bad - https://check-your-website.server-daten.de/?q=tanghus.duckdns.org#txt

First, you didn't create the correct TXT entries:

There is nothing defined. Should look like

You have to define an entry with the complete name

_acme-challenge.tanghus.duckdns.org

Maybe you have to create an entry with

_acme-challenge

or

_acme-challenge.tanghus

so the rest is added.

Second (check the output), the name servers of duckdns.org are bad. With timeouts, no TCP support. That may not be relevant, or it may be critical.

But first create the correct TXT entry.

Eh, that's the problem. I have no idea where to create them. Is it the guys at duckdns that got it wrong? Hard to believe, as they have been doing it for many years.

You use ns1.duckdns.org as your primary name server.

There you have an A-entry yourdomain -> 87.50.31.25.

There you have to add a TXT entry.

My apologies, but I'm in totally, for me, unknown territory here.

You use ns1.duckdns.org as your primary name server.

There I would need an IP address to set in the router. dig ns1.duckdns.org returns 54.187.92.222. Should I use that, or:

There you have an A-entry yourdomain -> 87.50.31.25.

Where there?

You have one.

Check your domain management, I have no idea how duckdns works.

Will do. Thanks. Their site isn't exactly for old novices like me :smile:

Hi, so you’re using my old duckdns auth scripts :slight_smile: They might not be how I would recommend doing things nowadays, but AFAIK they should still work. Are you sure you correctly entered your token in both scripts?

(@JuergenAuer in case you’re curious: duckdns’s UI is very minimal, it only lets you set A and AAAA records. TXT records can only be created via the API)

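The two failure modes in this thread (the auth hook exiting 1, and the CA finding an empty TXT record at _acme-challenge.tanghus.duckdns.org) are both things a manual-auth-hook can check for itself before certbot asks Let's Encrypt to validate. The following is an added example, not the scripts from the thread; it assumes the DuckDNS update API takes `domains`, `token` and `txt` query parameters and answers with the body "OK", reads the token from a `DUCKDNS_TOKEN` environment variable (placeholder default), and polls ns1.duckdns.org, the authoritative server named above, until the record is visible.

```shell
#!/bin/sh
# Hardened certbot --manual-auth-hook for DuckDNS dns-01 validation.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.
# DuckDNS API shape assumed here (example, verify against their docs):
#   GET https://www.duckdns.org/update?domains=<sub>&token=<tok>&txt=<val>
#   -> body "OK" on success, "KO" on a bad token or domain.
set -eu
DUCKDNS_TOKEN="${DUCKDNS_TOKEN:-replace-with-your-token}"   # placeholder
DUCKDNS_NS="${DUCKDNS_NS:-ns1.duckdns.org}"                 # authoritative NS

# Strip ".duckdns.org" so "tanghus.duckdns.org" becomes "tanghus".
duckdns_subdomain() {
    printf '%s' "$1" | sed 's/\.duckdns\.org$//'
}

# Build the update URL; kept pure so it can be checked without network.
duckdns_update_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s' \
        "$(duckdns_subdomain "$1")" "$2" "$3"
}

# $1 = value the CA expects, $2 = raw `dig +short TXT` output (quoted,
# possibly several records). Succeeds only if one record equals $1 exactly;
# an empty answer, like the "" in the thread, is a failure.
txt_matches() {
    printf '%s\n' "$2" | tr -d '"' | grep -qxF -- "$1"
}

main() {
    url="$(duckdns_update_url "$CERTBOT_DOMAIN" "$DUCKDNS_TOKEN" "$CERTBOT_VALIDATION")"
    reply="$(curl -fsS "$url")"
    if [ "$reply" != "OK" ]; then
        echo "duckdns rejected the update (reply: $reply); check the token" >&2
        exit 1
    fi
    # The CA reads the record from the authoritative server, so poll that
    # one (not a caching resolver) before letting certbot continue.
    name="_acme-challenge.$CERTBOT_DOMAIN"
    for _ in $(seq 1 12); do
        if txt_matches "$CERTBOT_VALIDATION" "$(dig +short TXT "$name" "@$DUCKDNS_NS")"; then
            exit 0
        fi
        sleep 10
    done
    echo "TXT for $name never matched on $DUCKDNS_NS" >&2
    exit 1
}

# Only take the network path when certbot invoked the script.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then main; fi
```

A non-zero exit here makes certbot abort before validation, so the error message is the hook's own instead of the CA's "Incorrect TXT record".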

Ah, thanks, good to know. Never used duckdns.

Well, if it ain't ... :wink:

And I had been staring at those scripts without noticing the extra i that slipped in when I was setting vi to insert mode :expressionless:

But now it worked! Thank you!! Now time to hit the Nginx manual to figure out what to do with the key files. I've only ever used Apache, and that's at least 15 years ago.

Out of curiosity, are you affiliated with duckdns? I find it very hard to figure out who is.

And thanks for your answers @JuergenAuer. Not your fault I didn't understand them :smiley:

:rofl: dang, hate it when that happens!

Glad you got it working :slight_smile:

Nope, just a fellow user.

OK. You wouldn’t happen to know why their forum is restricted? And then I’ll get out of your hair :wink:

I think they posted an explanation on the old Google+ community before it shut down, but obviously I can’t read that anymore :frowning: Something to do with moderation and spam I think? But I’m not sure.
