DNS-Challenge Issuance Request Running Long - may Time Out

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: saurian.org

I ran this command:
sudo certbot certonly
–manual
–csr _wildcard__saurian_org_b45d3_7a9e7_8d068caa6d889afe54d97760f90ecf3d.csr
–server https://acme-v02.api.letsencrypt.org/directory
–agree-tos
-d *.saurian.org

It produced this output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Performing the following challenges:
dns-01 challenge for saurian.org


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.saurian.org with the following value:

EUfIi0IFGYflu89LHImTx0uB9iyI187u11nLuP2DJw0

Before continuing, verify the record is deployed.


Press Enter to Continue
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: UK2.net

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel Version 82.0.17

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0

OK, brief explanation of concern… I’ve followed the process to use CertBot to submit the CSR as per on-line instructions. That process seems to have worked just fine. However, I’m using the DNS-based challenge as per my ISP instructions and 5+ hours after adding the DNS “TXT” record, the service “dnschecker.org” indicates that, so far, none of the global checker nodes are seeing the TXT record added to my domain.

I appreciate that it might be a bit premature to ask for help now as I’ve still got 6+ hours before CertBot times out… but I don’t think I’m going to be able to stay awake long enough to see if it returns.

I’d like to ask what advice you would give if this submission times out? It seems [from tracking so far] that even though using TXT records is a good idea, the poor performance of DNS record replication might become an issue. May I ask if there is a work-around please? Is there a version of this process where I can “resume” after the TXT record propagates?

Any suggestions as to the best approach here would be gratefully received…

Thank you

Hi @sproggit

checking your domain you have created the correct TXT entry - https://check-your-website.server-daten.de/?q=saurian.org#txt

That’s the correct domain name (if you want to create a certificate *.saurian.org) and the value is correct.

And you didn’t create one of the typical wrong entries.

Your first name server looks a little bit buggy. But rechecked with Unboundtest

https://unboundtest.com/m/TXT/_acme-challenge.saurian.org/G4NA42QZ

there is no problem visible.

There is no error message reportet.

Certbot waits, your confirmation is required.

dnschecker.org sees the value:

All is green.

Juergen,

That is really kind of you to check for me; thank you. I will also make a note of the checker service that you are using for when I come to refresh this certificate.

I really appreciate your kind support.

Thank you

1 Like

Juergen, I am sorry to have to follow up with what is likely a very silly question…

But I went back to CertBot and pressed return so it would continue - which it did, successfully. It has downloaded 3 files to my workstation:-

0000_cert.pem
0000_chain.pem
0001_chain.pem

I must be wrong, but I thought that a *.pem file was a “Privacy Enhanced Mail” file… as opposed to a *.cert, which would be a certificate. Is it safe to use these interchangeably?

Thank you.

Edit: I am wrong… I tried these files and they work perfectly. Juergen, thank you again for your very kind assistance…

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.