My domain is:
domesweetdome.us.com
I ran this command:
certbot certonly --dry-run --debug-challenges --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/james/rfc2136.ini --dns-rfc2136-propagation-seconds 5 --preferred-challenges=dns --email redacted@Idontwantbotspam --agree-tos -d domesweetdome.us.com -d www.domesweetdome.us.com -d ftp.domesweetdome.us.com -d mail.domesweetdome.us.com -d smtp.domesweetdome.us.com -d imap.domesweetdome.us.com -d pop3.domesweetdome.us.com
It produced this output:
Saving debug log to /var/log/certbot/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domesweetdome.us.com
dns-01 challenge for ftp.domesweetdome.us.com
dns-01 challenge for imap.domesweetdome.us.com
dns-01 challenge for mail.domesweetdome.us.com
dns-01 challenge for pop3.domesweetdome.us.com
dns-01 challenge for smtp.domesweetdome.us.com
dns-01 challenge for www.domesweetdome.us.com
Waiting 5 seconds for DNS changes to propagate
Waiting for verification…
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about challenges.
Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. imap.domesweetdome.us.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.imap.domesweetdome.us.com, pop3.domesweetdome.us.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.pop3.domesweetdome.us.com, mail.domesweetdome.us.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.domesweetdome.us.com, www.domesweetdome.us.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.domesweetdome.us.com, domesweetdome.us.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domesweetdome.us.com, smtp.domesweetdome.us.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.smtp.domesweetdome.us.com, ftp.domesweetdome.us.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ftp.domesweetdome.us.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: imap.domesweetdome.us.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.imap.domesweetdome.us.com
Domain: pop3.domesweetdome.us.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.pop3.domesweetdome.us.com
Domain: mail.domesweetdome.us.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.domesweetdome.us.com
Domain: www.domesweetdome.us.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.domesweetdome.us.com
Domain: domesweetdome.us.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domesweetdome.us.com
Domain: smtp.domesweetdome.us.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.smtp.domesweetdome.us.com
Domain: ftp.domesweetdome.us.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ftp.domesweetdome.us.com
My web server is (include version):
Apache2 version 2.4.33
Bind version 9.11.2
The operating system my web server runs on is (include version):
OpenSuSE Leap 15.0
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.30.2
When I run certbot in a dry-run to test if I can get a certificate, at the point where it pauses for --debug-challenges I cd into where named is running chrooted and sync'ed the journal using the command rndc sync. I then looked at the conf file for domesweetdome.us.com and I can see that indeed the TXT records for the challenge are recorded:
$ORIGIN .
$TTL 172800 ; 2 days
domesweetdome.us.com IN SOA ns1.domesweetdome.us.com. redacted.Idontwantbotspam.com (
2019031222 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS ns1.domesweetdome.us.com.
A 205.151.255.18
MX 1 mail.domesweetdome.us.com.
TXT "v=spf1 a mx a:mail.domesweetdome.us.com mx:mail.domesweetdome.us.com ~all"
$ORIGIN domesweetdome.us.com.
$TTL 120 ; 2 minutes
_acme-challenge TXT "PBqho5qbmiSYzNAEkMbcTnwiPeohDKC3GZ8GXLc4ns4"
$TTL 172800 ; 2 days
_dmarc TXT "v=DMARC1;p=quarantine;sp=quarantine;pct=20;aspf=r;fo=0;ri=86400;rua=mailto:postmaster@domesweetdome.us.com"
ftp CNAME domesweetdome.us.com.
$ORIGIN ftp.domesweetdome.us.com.
$TTL 120 ; 2 minutes
_acme-challenge TXT "RHqJSoREDMeR5Z813dXSwKQNz2Ykz5T5hyvrGGD-zu0"
$ORIGIN domesweetdome.us.com.
$TTL 172800 ; 2 days
imap A 205.151.255.18
$ORIGIN imap.domesweetdome.us.com.
$TTL 120 ; 2 minutes
_acme-challenge TXT "npsYqsHZ3h9SUVpadI4VkZLPRqJ8jJSKpUm9rXQJcyU"
$ORIGIN domesweetdome.us.com.
$TTL 172800 ; 2 days
mail A 205.151.255.18
$ORIGIN mail.domesweetdome.us.com.
$TTL 120 ; 2 minutes
_acme-challenge TXT "6j3cfMVAnY1yq-K6xoWQbLTAM9YN-EkpIb5SFUPE1mk"
$ORIGIN domesweetdome.us.com.
$TTL 172800 ; 2 days
ns1 A 127.0.0.1
pop3 A 205.151.255.18
$ORIGIN pop3.domesweetdome.us.com.
$TTL 120 ; 2 minutes
_acme-challenge TXT "5HSLlb3bSu-iJOEwWLw9dScsbHjAC88tnNmzC7Kb7PY"
$ORIGIN domesweetdome.us.com.
$TTL 172800 ; 2 days
smtp A 205.151.255.18
$ORIGIN smtp.domesweetdome.us.com.
$TTL 120 ; 2 minutes
_acme-challenge TXT "ay53r9suUZCMUqp-UeTR19207PAFcW1RAEdVjaURA8g"
$ORIGIN domesweetdome.us.com.
$TTL 172800 ; 2 days
test A 205.151.255.18
www CNAME domesweetdome.us.com.
$ORIGIN www.domesweetdome.us.com.
$TTL 120 ; 2 minutes
_acme-challenge TXT "9SgyBSepVasWRB-f99eiBm0q1pB8nHrehMLkItCMkBM"
The log file for named.d also shows that the queries are happening to retrieve the _acme-challenge TXT string. (I will show a representative sample of the log output from just one host:)
13-Mar-2019 21:24:36.750 queries: info: client @0x7f0afc2303b0 205.151.255.18#46281 (_acme-challenge.www.domesweetdome.us.com): view localhost_resolver: query: _acme-challenge.www.domesweetdome.us.com IN SOA - (205.151.255.18)
13-Mar-2019 21:24:36.751 queries: info: client @0x7f0afc2303b0 205.151.255.18#42065 (www.domesweetdome.us.com): view localhost_resolver: query: www.domesweetdome.us.com IN SOA - (205.151.255.18)
13-Mar-2019 21:24:36.751 queries: info: client @0x7f0afc2303b0 205.151.255.18#46049 (domesweetdome.us.com): view localhost_resolver: query: domesweetdome.us.com IN SOA - (205.151.255.18)
13-Mar-2019 21:24:36.753 update: info: client @0x7f0afc2953d0 205.151.255.18#57530/key letsencrypt: view localhost_resolver: updating zone 'domesweetdome.us.com/IN': adding an RR at '_acme-challenge.www.domesweetdome.us.com' TXT 'W-qQO7fqGNKKLFc0UKLm9_jI0X2a2o-dyMKTQsfnsyo'
…
13-Mar-2019 21:24:47.002 queries: info: client @0x7f0afc2303b0 205.151.255.18#53712 (_acme-challenge.www.domesweetdome.us.com): view localhost_resolver: query: _acme-challenge.www.domesweetdome.us.com IN SOA - (205.151.255.18)
13-Mar-2019 21:24:47.002 queries: info: client @0x7f0afc2303b0 205.151.255.18#55558 (www.domesweetdome.us.com): view localhost_resolver: query: www.domesweetdome.us.com IN SOA - (205.151.255.18)
13-Mar-2019 21:24:47.003 queries: info: client @0x7f0afc2303b0 205.151.255.18#35248 (domesweetdome.us.com): view localhost_resolver: query: domesweetdome.us.com IN SOA - (205.151.255.18)
13-Mar-2019 21:24:47.004 update: info: client @0x7f0ad0015da0 205.151.255.18#57544/key letsencrypt: view localhost_resolver: updating zone 'domesweetdome.us.com/IN': deleting an RR at _acme-challenge.www.domesweetdome.us.com TXT
So to my untrained eyes, it seems this should be working, yet I am getting a failure and am unable to get/update any certificates. Any kind guru got a light to shed on this and help me find some joy?
Marc…
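One check worth running against the named log quoted in the post (added example code, not the poster's or certbot's): BIND keeps a separate copy of a zone in each view, and a dynamic update lands only in the view that accepted it, so the script below parses `update:` lines like the ones above and reports, per `_acme-challenge` name, which views received the TXT add and which views serving the zone never did; it also flags updates signed by any TSIG key other than the one issued to certbot. The `internal` and `external` view names and the second challenge name in the sample are constructed assumptions; only the `localhost_resolver` view appears in the post.

```python
import re
from collections import defaultdict

# Constructed sample of BIND "update:" log lines, modelled on the ones quoted in the post.
# The "external" view and the mail.* lines are hypothetical additions for illustration.
SAMPLE_LOG = """\
13-Mar-2019 21:24:36.753 update: info: client @0x7f0afc2953d0 205.151.255.18#57530/key letsencrypt: view localhost_resolver: updating zone 'domesweetdome.us.com/IN': adding an RR at '_acme-challenge.www.domesweetdome.us.com' TXT 'W-qQO7fqGNKKLFc0UKLm9_jI0X2a2o-dyMKTQsfnsyo'
13-Mar-2019 21:24:36.760 update: info: client @0x7f0afc2953d0 205.151.255.18#57531/key letsencrypt: view localhost_resolver: updating zone 'domesweetdome.us.com/IN': adding an RR at '_acme-challenge.mail.domesweetdome.us.com' TXT 'CONSTRUCTED-TOKEN'
13-Mar-2019 21:24:36.761 update: info: client @0x7f0afc2953d0 205.151.255.18#57531/key letsencrypt: view external: updating zone 'domesweetdome.us.com/IN': adding an RR at '_acme-challenge.mail.domesweetdome.us.com' TXT 'CONSTRUCTED-TOKEN'
13-Mar-2019 21:24:47.004 update: info: client @0x7f0ad0015da0 205.151.255.18#57544/key letsencrypt: view localhost_resolver: updating zone 'domesweetdome.us.com/IN': deleting an RR at _acme-challenge.www.domesweetdome.us.com TXT
"""

# Matches both the quoted name of an "adding" line and the unquoted name of a "deleting" line.
UPDATE_RE = re.compile(
    r"update: info: client \S+ (?P<client>\S+)/key (?P<key>\S+): view (?P<view>\S+): "
    r"updating zone '(?P<zone>[^']+)': (?P<action>adding|deleting) an RR at "
    r"'?(?P<name>[^'\s]+)'? TXT"
)

def parse_updates(log_text):
    """Yield one dict (client, key, view, zone, action, name) per dynamic-update log line."""
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            yield m.groupdict()

def acme_adds_by_view(log_text):
    """Map each _acme-challenge name to the set of views in which its TXT RR was added."""
    added = defaultdict(set)
    for u in parse_updates(log_text):
        if u["action"] == "adding" and u["name"].startswith("_acme-challenge."):
            added[u["name"]].add(u["view"])
    return dict(added)

def views_missing_challenge(log_text, zone_views):
    """For each challenge name, the views (among those serving the zone) that never got the add.
    A query for the challenge that lands in one of those views is answered from a zone copy
    without the record, i.e. NXDOMAIN, even though another view's copy has it."""
    added = acme_adds_by_view(log_text)
    return {name: sorted(set(zone_views) - views) for name, views in added.items()}

def updates_not_from_key(log_text, expected_key):
    """Audit: dynamic updates signed by a TSIG key other than the one issued to certbot."""
    return [u for u in parse_updates(log_text) if u["key"] != expected_key]

if __name__ == "__main__":
    report = views_missing_challenge(SAMPLE_LOG, ["localhost_resolver", "internal", "external"])
    for name, missing in report.items():
        print(name, "-> views without the record:", missing or "none")
    print("updates from unexpected keys:", updates_not_from_key(SAMPLE_LOG, "letsencrypt"))
```

Feed it the real log with `views_missing_challenge(open(path).read(), [views from named.conf])`; a non-empty list for a name is the first thing to check before looking at propagation delay or TTLs.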