I successfully registered dev2.envari.com using the DNS-01 challenge. When I created the cert using certbot, it returned values for a CNAME record. There was already a cert created for dev.envari.com which used the http method. When I try to renew, it does not find a CNAME record for dev.envari.com, which I know that I did not add as it was originally created by the http challenge. Is there a way to retrieve the value for a CNAME record for dev.envari.com or create a new challenge so it tells me what the CNAME record is? Not sure how to fix my issue. We prefer the DNS challenge as this server cannot be publicly accessible for the http challenge.
My domain is: dev.envari.com
I ran this command:
certbot renew --dry-run --debug-challenges -v
It produced this output:
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.dev.envari.com - check that a DNS record exists for
My web server is (include version): Nginx
The operating system my web server runs on is (include version): AWS Linux 2
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0
Welcome to the Let's Encrypt Community, Kim
A dns-01 challenge requires creation of a TXT record. It is possible to use a CNAME record to delegate the challenge elsewhere (usually to a subdomain of an entirely different domain name). This is how acme-dns works, which is what you currently have setup. You can see this with dig.
Based on the certificate history for dev2.envari.com, there have been five duplicate certificates created today alone that cover only dev2.envari.com. This hits the rate limit of 5 duplicate certificates within a rolling week.
The TXT is created by certbot/letsencrypt. When I ran the original certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d dev.envari.com it outputs a CNAME record for which I need to add to my DNS. Letsencrypt controls that TXT record as it is their domain. They just provide me with a CNAME. Common trick by apps such as DKIM. My problem is now I want to renew my other cert which points to a domain that was not used with DNS challenge. If there was a method to force re-authorization, I could probably make it work. I do not know how to force Letsencrypt to generate a TXT record for dev.envari.com. It is also strange that there are 2 TXT records for my dev2 domain.
Correct. It certainly exists in my screenshot above (for dev2).
Nope. That domain (acme-dns.io) is controlled by @joohoi, one of the certbot developers.
You could just create another CNAME record with _acme-challenge.dev.envari.com for the host (left side) and the same value (right side) you used for _acme-challenge.dev2.envari.com. This should allow you to just keep using the same credentials and the same certbot command structure:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d dev.envari.com
Probably just didn't get cleaned up properly at some point. Likely the last couple of attempts failed due to hitting the rate limits. Might be related.
If you really want to start over for a certificate in certbot, you can identify the certificate's name using:
I'm assuming that the certificate in question here is probably named
Then you can delete the certificate with:
certbot delete --cert-name name
After that, when you try to acquire a certificate for dev.envari.com again, it will be as it was the very first time.
Thanks for helping. I had already tried deleting the cert and duplicating the CNAME but using dev. A new cert is always created with no errors using the dns challenge but when I run a certbot renew --dry-run, dev fails on challenges but dev2 is successful.
Detail: Incorrect TXT record "4GclrWyJdvpgKgv764UvVZX7H43rwVIBuqnSp56txOA" (and 1 more) found at
I suspect that the certbot renewal configuration file for dev is incorrect. Try comparing it with the file for
Does certbot specify a different CNAME for dev when you run it?
You might want to run certbot certificates to see if you have other certificates (that can overlap domain names) that might be interfering. They can most likely just be deleted using certbot delete per the instructions I already mentioned.
Keep in mind that certbot renew will try to renew every certificate, including those that are no longer needed.
That is my main problem. I never got a CNAME value for dev.envari.com as it was originally created using the http challenge. The renewal conf files are identical for both other than the domain. certbot certificates only shows my 2 certificates. I will try to create a certificate on a new server with dev.envari.com in the hopes it gives me a CNAME record.
Ok I figured it out. I was able to pull out the CNAME from /etc/letsencrypt/acmedns.json. It is stored in the fulldomain field in that file. I added the CNAME and now it works.
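An added check, not part of this thread and not code from certbot or acme-dns, that reads an acmedns.json in the layout the acme-dns-auth.py hook writes, derives the _acme-challenge CNAME each domain needs from its fulldomain field, and compares that with what DNS actually answers (the NXDOMAIN and wrong-target cases both show up as renewal failures). The sample file contents, the .auth.acme-dns.io targets and the resolver stand-in are constructed placeholders; in practice resolve_cname would wrap a real CNAME lookup such as dig.

```python
import json
from typing import Callable, Dict, Optional

# Constructed sample of /etc/letsencrypt/acmedns.json, laid out as the
# acme-dns-auth.py hook writes it ("fulldomain" is the CNAME target).
SAMPLE_ACMEDNS_JSON = """{
  "dev.envari.com": {
    "username": "00000000-0000-4000-8000-000000000001",
    "password": "placeholder-password-1",
    "fulldomain": "11111111-1111-4111-8111-111111111111.auth.acme-dns.io",
    "subdomain": "11111111-1111-4111-8111-111111111111",
    "allowfrom": []
  },
  "dev2.envari.com": {
    "username": "00000000-0000-4000-8000-000000000002",
    "password": "placeholder-password-2",
    "fulldomain": "22222222-2222-4222-8222-222222222222.auth.acme-dns.io",
    "subdomain": "22222222-2222-4222-8222-222222222222",
    "allowfrom": []
  }
}"""

def fqdn(name: str) -> str:
    return name.strip().lower().rstrip(".") + "."  # lower-case, one trailing dot

def expected_cnames(acmedns: Dict[str, dict]) -> Dict[str, str]:
    """The CNAME records that must exist: _acme-challenge.<domain> -> fulldomain."""
    return {fqdn("_acme-challenge." + d): fqdn(e["fulldomain"])
            for d, e in acmedns.items()}

def check_delegation(domain: str, acmedns: Dict[str, dict],
                     resolve_cname: Callable[[str], Optional[str]]) -> str:
    """resolve_cname(name) returns the CNAME target, or None on NXDOMAIN."""
    entry = acmedns.get(domain)
    if entry is None:
        return "unregistered"  # hook has not created an acme-dns account yet
    target = resolve_cname(fqdn("_acme-challenge." + domain))
    if target is None:
        return "missing"       # dns-01 fails: NXDOMAIN on the TXT lookup
    if fqdn(target) != fqdn(entry["fulldomain"]):
        return "wrong-target"  # delegated to a different acme-dns account
    return "ok"

# Constructed stand-in for `dig CNAME`: dev2 is delegated, dev is not (as in the thread).
FAKE_ZONE = {fqdn("_acme-challenge.dev2.envari.com"):
             "22222222-2222-4222-8222-222222222222.auth.acme-dns.io"}

def audit(acmedns_json=SAMPLE_ACMEDNS_JSON, resolve_cname=FAKE_ZONE.get):
    acmedns = json.loads(acmedns_json)
    return {d: check_delegation(d, acmedns, resolve_cname) for d in acmedns}
```

expected_cnames gives the exact host and value pairs to add at the DNS provider, which is the information the original poster was missing for dev.envari.com.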