DNS challenge isn't working as expected

My domain is: tierraclimate.dev

I ran this command: certbot -d tierraclimate.dev --manual --preferred-challenges dns certonly

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.tierraclimate.dev.

with the following value:

wEtgxxy32aGssvytSqOTU61w9kkdle6UiK--phJLZ1M

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.tierraclimate.dev.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: tierraclimate.dev
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.tierraclimate.dev - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): 18.04.6 LTS (Bionic Beaver)

My hosting provider, if applicable, is: I'm using Google as my domain registrar, and DigitalOcean as my server provider/nameservers

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.31.0

To summarize my issue: I'm puzzled by the results of certbot (_acme-challenge.tierraclimate.dev). I created a TXT record with the specified value, and using the Google Admin Toolbox dig I see what appears to be the expected result. I'm fairly new to this kind of web development, so I may be missing something obvious, but I'm definitely a bit stuck.

Thanks in advance for any help!

Have you considered using the certbot-dns-digitalocean plugin (see the certbot-dns-digitalocean documentation) instead of doing this manually?

The manual approach will require you to repeat these steps every 60-90 days, whereas the DigitalOcean Certbot plugin will do this automatically for you.

It seems likely that you did not wait long enough for the record to propagate to each of the DigitalOcean nameservers. Sometimes one or more nameservers can lag behind. The online tools can sometimes give a misleading result.

But please, please, try the automatic plugin.

If you installed Certbot with snap, you can do:

snap install certbot-dns-digitalocean

and then follow the instructions on the link I posted above.


Will do! thanks for the heads up about that tool/guide, I missed that I think.


Also, for anyone who stumbles upon this issue: What fixed my specific problem was

  1. Create the new TXT record with a relatively short TTL (I did 5 minutes)
  2. Wait more than the required time (i.e. 10 minutes to be safe)
  3. Confirm that on Google dig only the right code gets returned
  4. Try again

For future reference, the record's TTL is not related to how long it takes for the DNS provider to propagate the records. That value is only used by normal caching resolvers to determine how long to cache a previous result. But the Let's Encrypt validation servers are only configured to cache for the lesser of either the TTL value or 60 seconds.

As long as the record contains the correct code for the challenge being validated, it can also contain other codes too. In some cases (like certs with both a wildcard and apex domain name), it will actually need to have two different values in the same record.

Also, querying Google's public resolver is not ideal because it can provide stale results. The only thing that matters is that all of your authoritative nameservers are responding correctly. In your case, that would be ns1(2)(3).digitalocean.com. So:

dig _acme-challenge.tierraclimate.dev txt @ns1.digitalocean.com
dig _acme-challenge.tierraclimate.dev txt @ns2.digitalocean.com
dig _acme-challenge.tierraclimate.dev txt @ns3.digitalocean.com

But even this is not foolproof if your authoritative nameservers are using anycast against multiple geographically dispersed back end nameservers.

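An added example that is not part of the original thread, illustrating the check described in the reply above: it sends the TXT query straight to each authoritative nameserver over UDP (no caching resolver in the path, which is what the CA's validator effectively sees), using only the Python standard library, and reports per server whether the expected challenge value is present, whether the name is NXDOMAIN, or whether the record exists but carries other values only (so the multiple-values case from the same reply is handled, not treated as a failure). The record name and value are the ones from the question; the DigitalOcean nameserver names are the ones given in the reply; the response packets used in the demo are constructed sample data, not answers from real servers.

```python
# Added example (not from the original thread): query each authoritative
# nameserver directly for the _acme-challenge TXT record instead of
# trusting a caching resolver. Standard library only.
import socket
import struct

TXT, IN = 16, 1


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one TXT/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TXT, IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_response(msg: bytes):
    """Return (rcode, [txt strings]) from a raw DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                   # skip the echoed question section
        off = _skip_name(msg, off) + 4
    values = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:
            # TXT rdata is a sequence of <len><chars> strings; join them.
            parts, pos = [], 0
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n])
                pos += 1 + n
            values.append(b"".join(parts).decode("ascii", "replace"))
    return rcode, values


def evaluate(rcode: int, values, expected: str) -> str:
    """Classify one server's answer for the challenge value we deployed."""
    if rcode == 3:
        return "NXDOMAIN: this server has no record at that name yet"
    if rcode != 0:
        return f"rcode {rcode}"
    if expected in values:                # other values may coexist (wildcard + apex)
        return "ok"
    if values:
        return "expected value missing, server has: " + ", ".join(values)
    return "NOERROR but no TXT records"


def query_txt(nameserver: str, name: str, timeout: float = 3.0):
    """Send the query straight to one authoritative server over UDP."""
    q = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (nameserver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_txt_response(data)


def check_all_nameservers(name: str, expected: str, nameservers) -> dict:
    """Map each nameserver to its status; all must be 'ok' before you press Enter."""
    results = {}
    for ns in nameservers:
        try:
            results[ns] = evaluate(*query_txt(ns, name), expected)
        except (OSError, ValueError) as exc:
            results[ns] = f"error: {exc}"
    return results


def build_txt_response(query: bytes, txt_values, rcode: int = 0) -> bytes:
    """Constructed response packet for offline demonstration, not from a real server."""
    answers = b""
    for v in txt_values:
        chunks = [v[i:i + 255].encode("ascii") for i in range(0, len(v), 255)]
        rdata = b"".join(bytes([len(c)]) + c for c in chunks)
        # owner name as a pointer to offset 12 (the question name)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 300, len(rdata)) + rdata
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(txt_values), 0, 0)
    return header + query[12:] + answers


if __name__ == "__main__":
    name = "_acme-challenge.tierraclimate.dev"
    expected = "wEtgxxy32aGssvytSqOTU61w9kkdle6UiK--phJLZ1M"
    q = build_txt_query(name)
    # Constructed answers standing in for ns1/ns2/ns3, with ns3 lagging behind:
    for ns, pkt in [("ns1", build_txt_response(q, [expected])),
                    ("ns2", build_txt_response(q, ["oldvalue", expected])),
                    ("ns3", build_txt_response(q, [], rcode=3))]:
        print(ns, evaluate(*parse_txt_response(pkt), expected))
    # Live check against the real servers named in the reply:
    # check_all_nameservers(name, expected, ["ns1.digitalocean.com",
    #                       "ns2.digitalocean.com", "ns3.digitalocean.com"])
```

Run the live check in a loop until every server reports "ok" before pressing Enter in certbot; a single lagging server is enough for the CA to get NXDOMAIN, and the reply's caveat about anycast still applies, since the backend you reach may not be the one the validator reaches.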
