My domain is: diconcloud.onmicrosoft.com
I ran this command: sudo certbot certonly --dns-azure-config ./mycredentials-private.ini -d *.diconcloud.onmicrosoft.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using Azure for DNS).
(dns-azure)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator dns-azure, Installer None
Requesting a certificate for *.diconcloud.onmicrosoft.com
Performing the following challenges:
dns-01 challenge for diconcloud.onmicrosoft.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain diconcloud.onmicrosoft.com
dns-01 challenge for diconcloud.onmicrosoft.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: diconcloud.onmicrosoft.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.diconcloud.onmicrosoft.com - check that a DNS
record exists for this domain
My web server is (include version): N/A
The operating system my web server runs on is (include version): Ubuntu
My hosting provider, if applicable, is: Azure
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0
I have an Azure virtual network that I can connect to using a P2S configuration. This is set up for a private intranet. There are multiple VMs on the network that I can access via SSH/RDP. There is a private DNS zone that is used for all the VMs in the virtual network. There is also a dedicated DNS server VM that runs the default Windows DNS server and forwards to Azure's DNS server.
I am trying to run gitlab on one of the VMs, and to do that I need an SSL certificate for HTTPS. Using gitlab's internal LetsEncrypt integration will not work since there is no public IP address. I have been reading that I do not need a public IP address to get a certificate validated through a dns-01 challenge from LetsEncrypt.
I have tried a few different certbot plugins, I have tried using dehydrated, I have tried acme.sh, and nothing seems to work. Everything in this blog post made sense to me and it all tracked up until the point where the challenge failed. These 2 plugins (one, two) result in the same end situation/error message. In order to get these plugins to work, I also created a (non-private) Azure DNS zone with the same name, which should result in a split-horizon configuration. Using this plugin with certbot, I am able to see in the Azure portal that the TXT record gets set successfully by certbot in the non-private Azure DNS zone. After that, the challenge fails and the TXT record is deleted successfully.
I would greatly appreciate any help or ideas as to why this challenge is failing.
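An added diagnostic for the NXDOMAIN reported above (example code, not from the original post or from certbot): it checks whether `_acme-challenge.<domain>` is reachable from the public DNS tree, which is what Let's Encrypt's validation servers query, by finding the closest public zone cut for that name and comparing its name servers with those of the zone that holds the TXT record. An Azure DNS zone that merely carries the same name as a subdomain of a parent zone whose delegation you do not control is never consulted by public resolvers, so the record it holds is invisible to the CA. The lookup function is injectable: the table-backed one here reproduces the post's situation with placeholder name-server names, and a real run would wire `lookup` to a resolver such as dnspython's `dns.resolver.resolve` (assumed, not shown).

```python
from typing import Callable, Dict, List, Optional, Tuple

# lookup(name, rtype) -> records, or None when the name/type does not exist
Lookup = Callable[[str, str], Optional[List[str]]]

def make_lookup(table: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Build a lookup function over a static table (used for the constructed
    scenarios below; in practice wire this to a real resolver instead)."""
    return lambda name, rtype: table.get((name.rstrip(".").lower(), rtype))

def closest_zone(name: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Walk up the labels of `name` until a name with NS records is found;
    that is the zone the public DNS tree will consult for `name`."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        ns = lookup(zone, "NS")
        if ns:
            return zone, sorted(s.lower() for s in ns)
    return "", []

def diagnose_dns01(domain: str, zone_ns: List[str], lookup: Lookup) -> Dict[str, object]:
    """Check whether _acme-challenge.<domain> is reachable from the public tree
    and whether the servers found there are the zone's own (`zone_ns`)."""
    challenge = f"_acme-challenge.{domain}"
    zone, public_ns = closest_zone(challenge, lookup)
    in_scope = zone == domain or zone.endswith("." + domain)
    delegated = in_scope and set(public_ns) == {s.lower() for s in zone_ns}
    txt = lookup(challenge, "TXT")
    if delegated and txt:
        verdict = "ok: the challenge name is served by the expected zone"
    elif not delegated:
        verdict = ("no public delegation to this zone: public resolvers "
                   "answer from the parent and return NXDOMAIN")
    else:
        verdict = "delegated, but no TXT record is published yet"
    return {"public_zone": zone, "public_ns": public_ns,
            "delegated": delegated, "txt_visible": bool(txt), "verdict": verdict}

# Constructed scenario matching the post: the parent zone exists publicly, but
# nothing in it points at the Azure DNS zone's servers (placeholder names).
AZURE_ZONE_NS = ["ns1-placeholder.azure-dns.example", "ns2-placeholder.azure-dns.example"]
POST_SCENARIO = make_lookup({
    ("onmicrosoft.com", "NS"): ["ns1.parent.example", "ns2.parent.example"],
})

if __name__ == "__main__":
    print(diagnose_dns01("diconcloud.onmicrosoft.com", AZURE_ZONE_NS, POST_SCENARIO))
```

Running it with a real resolver lets you confirm delegation before starting certbot, so a failing challenge can be separated from a propagation delay.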