I successfully registered dev2.envari.com using DNS-01 challenge. When I created the cert using certbot, it returned values for a CNAME record. There was already a cert created for dev.envari.com which used the http method. When I try to renew, it does not find a CNAME record for dev.envari.com, which I know I did not add, as it was originally created by the http challenge. Is there a way to retrieve the value for a CNAME record for dev.envari.com or create a new challenge so it tells me what the CNAME record is? Not sure how to fix my issue. We prefer the DNS challenge as this server cannot be publicly accessible for the http challenge.
I ran this command:
certbot renew --dry-run --debug-challenges -v
It produced this output:
Domain: dev.envari.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.dev.envari.com - check that a DNS record exists for
this domain
My web server is (include version): Nginx
The operating system my web server runs on is (include version): AWS Linux 2
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0
A dns-01 challenge requires creation of a TXT record. It is possible to use a CNAME record to delegate the challenge elsewhere (usually to a subdomain of an entirely different domain name). This is how acme-dns works, which is what you currently have set up. You can see this with dig.
The TXT is created by certbot/letsencrypt. When I ran the original certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d dev.envari.com, it output a CNAME record which I need to add to my DNS. Letsencrypt controls that TXT record as it is their domain. They just provide me with a CNAME. Common trick by apps such as DKIM. My problem is now I want to renew my other cert which points to a domain that was not used with the DNS challenge. If there was a method to force re-authorization, I could probably make it work. I do not know how to force Letsencrypt to generate a TXT record for dev.envari.com. It is also strange that there are 2 TXT records for my dev2 domain.
Correct. It certainly exists in my screenshot above (for dev2).
Nope. That domain (acme-dns.io) is controlled by @joohoi, one of the certbot developers.
You could just create another CNAME record with _acme-challenge.dev.envari.com for the host (left side) and the same value (right side) you used for _acme-challenge.dev2.envari.com. This should allow you to just keep using the same credentials and the same certbot command structure:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d dev.envari.com
Probably just didn't get cleaned up properly at some point. Likely the last couple of attempts failed due to hitting the rate limits. Might be related.
If you really want to start over for a certificate in certbot, you can identify the certificate's name using:
certbot certificates
I'm assuming that the certificate in question here is probably named dev.envari.com.
Then you can delete the certificate with:
certbot delete --cert-name name
After that, when you try to acquire a certificate for dev.envari.com again, it will be as it was the very first time.
Thanks for helping. I had already tried deleting the cert and duplicating the CNAME but using dev. A new cert is always created with no errors using the dns challenge but when I run a certbot renew --dry-run, dev fails on challenges but dev2 is successful.
... error
Domain: dev.envari.com
Type: unauthorized
Detail: Incorrect TXT record
"4GclrWyJdvpgKgv764UvVZX7H43rwVIBuqnSp56txOA" (and 1 more) found at
_acme-challenge.dev.envari.com
I suspect that the certbot renewal configuration file for dev is incorrect. Try comparing it with the file for dev2.
Does certbot specify a different CNAME for dev when you run it?
You might want to run certbot certificates to see if you have other certificates (that can overlap domain names) that might be interfering. They can most likely just be deleted using certbot delete per the instructions I already mentioned.
Keep in mind that certbot renew will try to renew every certificate, including those that are no longer needed.
That is my main problem. I never got a CNAME value for dev.envari.com as it was originally created using the http challenge. The renewal conf files are identical for both other than the domain. certbot certificates only shows my 2 certificates. I will try to create a certificate on a new server with dev.envari.com in the hopes it gives me a CNAME record.
Ok I figured it out. I was able to pull out the CNAME from /etc/letsencrypt/acmedns.json. It is stored in the fulldomain field in that file. I added the CNAME and now it works.
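The thread above boils down to two checks: what delegation acme-dns expects for each domain (the fulldomain field in /etc/letsencrypt/acmedns.json, as found at the end) and what the zone actually answers for _acme-challenge.<domain> (the dig check suggested earlier). The following is an added example, not code from the thread or from certbot/acme-dns, that reads the hook's JSON store and compares it against an observed CNAME answer. It assumes the acme-dns-auth.py storage layout (one object per domain with a fulldomain field); the account identifiers in the sample JSON are constructed, not the poster's real values, and the observed answers are constructed inputs standing in for the output of dig +short CNAME.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of /etc/letsencrypt/acmedns.json. The field names follow the
# acme-dns-auth.py hook's store (an assumption); the identifiers are made up.
SAMPLE_ACMEDNS_JSON = """
{
  "dev2.envari.com": {
    "username": "00000000-0000-0000-0000-000000000000",
    "password": "constructed-password-1",
    "fulldomain": "11111111-2222-3333-4444-555555555555.auth.acme-dns.io",
    "subdomain": "11111111-2222-3333-4444-555555555555",
    "allowfrom": []
  },
  "dev.envari.com": {
    "username": "99999999-9999-9999-9999-999999999999",
    "password": "constructed-password-2",
    "fulldomain": "66666666-7777-8888-9999-000000000000.auth.acme-dns.io",
    "subdomain": "66666666-7777-8888-9999-000000000000",
    "allowfrom": []
  }
}
"""


def load_registrations(text: str) -> Dict[str, str]:
    """Return {domain: fulldomain} for every acme-dns registration in the store."""
    data = json.loads(text)
    return {domain: entry["fulldomain"] for domain, entry in data.items()}


def required_cname(domain: str, fulldomain: str) -> Tuple[str, str]:
    """The (owner, target) CNAME the public zone must carry for a dns-01 challenge
    on `domain`; both names are returned fully qualified (trailing dot)."""
    return (f"_acme-challenge.{domain}.", f"{fulldomain}.")


def zone_lines(registrations: Dict[str, str]) -> List[str]:
    """Zone-file style lines for every registration, one CNAME per domain."""
    return [
        f"{owner} IN CNAME {target}"
        for owner, target in (required_cname(d, f) for d, f in sorted(registrations.items()))
    ]


def check_delegation(domain: str, fulldomain: str, observed: Dict[str, str]) -> str:
    """Compare the CNAME DNS currently answers for _acme-challenge.<domain> with the
    delegation acme-dns expects.

    `observed` maps an owner name (no trailing dot) to the CNAME target it resolves
    to; a missing key means no CNAME at all (what certbot reports as NXDOMAIN
    looking up TXT). A target that points at another registration's acme-dns
    subdomain means the hook writes the TXT somewhere certbot will not look
    (reported as an incorrect TXT record).
    """
    owner = f"_acme-challenge.{domain}"
    target = observed.get(owner)
    if target is None:
        return "missing"
    if target.rstrip(".").lower() != fulldomain.rstrip(".").lower():
        return "wrong-target"
    return "ok"


if __name__ == "__main__":
    regs = load_registrations(SAMPLE_ACMEDNS_JSON)
    for line in zone_lines(regs):
        print(line)
    # Constructed answers: dev2 delegated correctly, dev pointed at dev2's subdomain.
    answers = {
        "_acme-challenge.dev2.envari.com": regs["dev2.envari.com"] + ".",
        "_acme-challenge.dev.envari.com": regs["dev2.envari.com"] + ".",
    }
    for domain, fulldomain in regs.items():
        print(domain, check_delegation(domain, fulldomain, answers))
```

In practice the `observed` map is filled from `dig +short CNAME _acme-challenge.<domain>` for each domain in the store; a "wrong-target" result for dev.envari.com is the situation in the thread where the CNAME was copied from dev2 but the hook had registered a separate acme-dns account for dev.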