DNS Challenge issue

jcrower · February 20, 2023, 5:12am

My domain is: portaugusta.sa.gov.au

I ran this command: certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \civic-mail01.portaugusta.sa.gov.au

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for civic-mail01.portaugusta.sa.gov.au

Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: civic-mail01.portaugusta.sa.gov.au
Type: unauthorized
Detail: No TXT record found at _acme-challenge.civic-mail01.portaugusta.sa.gov.au

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.53

The operating system my web server runs on is (include version): Rocky Linux 9.1

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

It's confusing as the acme-dns-auth readme says I need to add a CNAME record, but the error says I don't have a TXT record. Which is it I need to use?

Another issue I have is that the console of our DNS provider has a 'feature' that automatically adds our domain name to the end of the data of a CNAME record. I assume the DNS challenge will fail because of this? It is not something I can change. Basically our DNS console sets the data to 8394fcd6-5d82-4108-a586-277ab548302d.auth.acme-dns.io.portaugusta.sa.gov.au

Is there another way to do the dns challenge that avoids using a CNAME record like this?

thanks

jc

Osiris · February 20, 2023, 6:13am

Try adding a dot to the end of the value. I.e.:

8394fcd6-5d82-4108-a586-277ab548302d.auth.acme-dns.io.

jcrower · February 20, 2023, 6:28am

Are you freaking kidding me! Simple as that! Thanks Osiris.

Osiris · February 20, 2023, 7:08am

Yeah, officially all hostnames should end with a dot where the "empty label" right of that last dot resembles the "world wide" root zone. But in practice, nobody does that, so nobody cares, except some DNS related software, such as your DNS zone editor

Without the dot/root zone, the entry is seen as a partial hostname and thus as a subdomain of the original root (i.e. your own domain).

jcrower · February 21, 2023, 11:08pm

Always a good thing when I learn something new! Many thanks @Osiris.

system · March 23, 2023, 11:08pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Acme-DNS Locally Hosted Help	16	2917	September 18, 2021
Certificate issue error Help	6	862	May 5, 2021
Seeking technical clarification on certbot certificate creation using DNS-01 and HTTP-01 challenge Issuance Tech	21	1698	August 18, 2023
Certbot Verification Issue (Challenge failed for domain) Help	5	17928	January 10, 2020
Certbot DNS challenge not generating a challenge Help	5	1435	June 7, 2021

DNS Challenge issue

Related topics