Create certificate by acme.sh / certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: onet.zp.ua *.onet.zp.ua

I ran this command:

1. First step:

acme.sh --issue -d example.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

  1. Please add the TXT record to your DNS records. This step is required every time you renew your certificate. With DNS api mode, this step can be automated.
  2. Now retry with --renew command.

acme.sh --renew -d example.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

or

certbot -d onet.zp.ua *.onet.zp.ua

It produced this output: (see pics)

My web server is (include version): nginx/1.15.12

The operating system my web server runs on is (include version): Ubuntu 18.04.2 LTS

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don’t know): y

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): y

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

After executing the certificate generation commands, I add the TXT records to the zone config on my BIND9 DNS server, having previously deleted the old ones, but they are not updated: the old records are still shown, and accordingly there is an error.

(image: DNS conf)

Hi @ZayaZ

Checking your domain https://check-your-website.server-daten.de/?q=onet.zp.ua - you have two name servers:

onet.zp.ua
	• ns.secondary.net.ua - 195.149.112.1 - Kyiv/Kyiv City/Ukraine (UA) - Olga Soroka
	• ns1.onet.zp.ua - 89.21.77.2 - Berdyans'k/Zaporizhia/Ukraine (UA) - TOV BF Express Ltd

The ns1.onet.zp.ua has the same ip address as your main domain.

Looks like you are doing something wrong. This

_acme-challenge.onet.zp.ua a1JFOB-TdMz4KnWsn3b9EltSpNCrea2_YcnHqrHtwyA looks good, correct length, correct characters 1 0
_acme-challenge.onet.zp.ua fKqPwPWmldWzEjRyrl9vxFiVDVg6Ka2rcoZY8mlAs0Y looks good, correct length, correct characters 1 0

is visible, but it looks like these are your old values.

So first step:

Delete all _acme-challenge entries manually, then recheck the domain to see if it has worked.

I manually deleted the old records from the DNS zone file and added the new ones that were proposed when generating the certificates, but for some reason they are not updated; I can’t understand where it gets them from.

Your BIND configuration is buggy / not working. Why do you use your own BIND? Use the name server of your provider.

And it's not helpful if you start Certbot / acme.sh again if you aren't able to delete your old entries:

D:\temp>nslookup -type=TXT _acme-challenge.onet.zp.ua. ns1.onet.zp.ua.

_acme-challenge.onet.zp.ua text =

    "fKqPwPWmldWzEjRyrl9vxFiVDVg6Ka2rcoZY8mlAs0Y"

_acme-challenge.onet.zp.ua text =

    "a1JFOB-TdMz4KnWsn3b9EltSpNCrea2_YcnHqrHtwyA"

onet.zp.ua nameserver = ns1.onet.zp.ua
onet.zp.ua nameserver = ns.secondary.net.ua
ns1.onet.zp.ua internet address = 89.21.77.2

D:\temp>nslookup -type=TXT _acme-challenge.onet.zp.ua. ns.secondary.net.ua.

_acme-challenge.onet.zp.ua text =

    "fKqPwPWmldWzEjRyrl9vxFiVDVg6Ka2rcoZY8mlAs0Y"

_acme-challenge.onet.zp.ua text =

    "a1JFOB-TdMz4KnWsn3b9EltSpNCrea2_YcnHqrHtwyA"

onet.zp.ua nameserver = ns.secondary.net.ua
onet.zp.ua nameserver = ns1.onet.zp.ua
ns1.onet.zp.ua internet address = 89.21.77.2

1 Like

I am the provider. With the previous generation everything worked, and now there is such an error; I want to figure out what I'm doing wrong.
Can you advise some other way?

The DNS synchronization may be taking longer than you expect.
I would start the renewal process and, once the TXT records have been added, check in another window that both DNS servers have the same information (same SOA record) before proceeding.

1 Like
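The check recommended in the reply above (and the "recheck the domain" step suggested earlier in the thread), written out as an added example that is not part of any post here: a POSIX shell script that asks every authoritative name server of a zone for its _acme-challenge TXT strings and its SOA serial, reports which servers still serve an old value, and only returns success when all of them serve the value acme.sh printed and agree on the serial. It uses dig (from the bind9-dnsutils / dnsutils package); the zone name example.com, the server names and the TXT value are placeholders, not values from the thread, and the three query helpers are thin wrappers so they can be swapped for canned data when the logic is tested offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every authoritative name
# server serves the expected _acme-challenge TXT value and that all of them
# report the same SOA serial before "acme.sh --renew" is retried.
# Requires dig for real queries; the helpers below are the only place it is called.

list_nameservers() {            # $1 = zone -> one NS hostname per line (trailing dot removed)
    dig +short "$1" NS | sed 's/\.$//'
}
query_txt() {                   # $1 = server, $2 = zone -> TXT strings, quoted, one per line
    dig +short @"$1" "_acme-challenge.$2" TXT
}
query_soa_serial() {            # $1 = server, $2 = zone -> SOA serial (3rd field of dig +short)
    dig +short @"$1" "$2" SOA | awk '{print $3}'
}

# txt_present_at SERVER ZONE VALUE -> exit 0 if VALUE is among the TXT strings SERVER serves
txt_present_at() {
    query_txt "$1" "$2" | tr -d '"' | grep -qxF -- "$3"
}

# stale_values_at SERVER ZONE VALUE -> print every TXT string SERVER serves other than VALUE
stale_values_at() {
    query_txt "$1" "$2" | tr -d '"' | grep -vxF -- "$3" || true
}

# serials_agree ZONE SERVER... -> exit 0 only if every server returns the same SOA serial
serials_agree() {
    z="$1"; shift
    first=""
    for srv in "$@"; do
        serial="$(query_soa_serial "$srv" "$z")"
        [ -n "$first" ] || first="$serial"
        [ "$serial" = "$first" ] || return 1
    done
    return 0
}

# check_zone ZONE VALUE -> exit 0 when every authoritative server is ready for the renew step
check_zone() {
    zone="$1"; value="$2"; rc=0
    servers="$(list_nameservers "$zone")"
    for ns in $servers; do
        if txt_present_at "$ns" "$zone" "$value"; then
            echo "ok    $ns serves $value"
        else
            echo "FAIL  $ns does not serve $value"; rc=1
        fi
        stale="$(stale_values_at "$ns" "$zone" "$value")"
        [ -z "$stale" ] || echo "note  $ns still serves old value(s): $(echo "$stale" | tr '\n' ' ')"
    done
    if serials_agree "$zone" $servers; then
        echo "ok    all servers report the same SOA serial"
    else
        echo "FAIL  SOA serials differ: the secondary has not transferred the updated zone"; rc=1
    fi
    return $rc
}

# Usage (placeholders): ZONE=example.com EXPECTED='<value printed by acme.sh>' sh check_acme_txt.sh
if [ -n "${EXPECTED:-}" ]; then
    check_zone "${ZONE:-example.com}" "$EXPECTED"
fi
```

The serial comparison matters with a BIND primary/secondary pair like the one in this thread: a secondary only transfers the zone when the primary's SOA serial is higher than the one it already holds, so editing the zone file without raising the serial leaves the secondary serving the old TXT strings, and the CA may query either server.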

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.