DNS Challenge issue

My domain is: portaugusta.sa.gov.au

I ran this command: certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \civic-mail01.portaugusta.sa.gov.au

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for civic-mail01.portaugusta.sa.gov.au


Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: civic-mail01.portaugusta.sa.gov.au
Type: unauthorized
Detail: No TXT record found at _acme-challenge.civic-mail01.portaugusta.sa.gov.au

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.53

The operating system my web server runs on is (include version): Rocky Linux 9.1

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

It's confusing as the acme-dns-auth readme says I need to add a CNAME record, but the error says I don't have a TXT record. Which is it I need to use?

Another issue I have is that the console of our DNS provider has a 'feature' that automatically adds our domain name to the end of the data of a CNAME record. I assume the DNS challenge will fail because of this? It is not something I can change. Basically our DNS console sets the data to 8394fcd6-5d82-4108-a586-277ab548302d.auth.acme-dns.io.portaugusta.sa.gov.au

Is there another way to do the dns challenge that avoids using a CNAME record like this?

thanks

jc


Try adding a dot to the end of the value. I.e.:

8394fcd6-5d82-4108-a586-277ab548302d.auth.acme-dns.io.

Are you freaking kidding me! Simple as that! Thanks Osiris.


Yeah, officially all hostnames should end with a dot where the "empty label" right of that last dot resembles the "world wide" root zone. But in practice, nobody does that, so nobody cares, except some DNS related software, such as your DNS zone editor :slight_smile:

Without the dot/root zone, the entry is seen as a partial hostname and thus as a subdomain of the original root (i.e. your own domain).

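The zone-editor behaviour Osiris describes, as an added example that is not part of this thread or of acme-dns: `qualify` applies the zone-file rule (no trailing dot means "relative to the zone origin") and a tiny in-memory resolver chases the CNAME the way a validating CA would, so you can see why the mis-qualified target ends in "No TXT record found". The origin, hostname and acme-dns target are taken from the thread; the TXT token and the records themselves are constructed.

```python
from __future__ import annotations

# Added example, not code from the thread or from acme-dns. All records are
# constructed; only the names are the ones discussed above.
ORIGIN = "portaugusta.sa.gov.au."
HOST = "civic-mail01.portaugusta.sa.gov.au."
ACME_DNS_TARGET = "8394fcd6-5d82-4108-a586-277ab548302d.auth.acme-dns.io"


def qualify(name: str, origin: str = ORIGIN) -> str:
    """Zone-file semantics: a name without a trailing dot is relative to the
    zone origin; a name ending in '.' is already fully qualified."""
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list[str] | None:
    """Look up TXT for `name`, following CNAMEs like a validating CA does.
    Returns None when no TXT record is reachable (the CA's 'unauthorized')."""
    name = name.lower()
    for _ in range(max_hops):
        rrset = zone.get(name)
        if rrset is None:
            return None
        if rrset[0] == "CNAME":
            name = rrset[1]          # follow the alias and look again
            continue
        if rrset[0] == "TXT":
            return list(rrset[1])
        return None
    return None                      # CNAME loop or chain too deep


def build_zone(cname_data_as_typed: str) -> dict:
    """Constructed DNS world: acme-dns publishes the token under its own
    name; the operator's zone carries whatever the console stored."""
    challenge = "_acme-challenge." + HOST
    return {
        challenge: ("CNAME", qualify(cname_data_as_typed)),
        ACME_DNS_TARGET + ".": ("TXT", ["constructed-validation-token"]),
    }


def challenge_visible(cname_data_as_typed: str) -> bool:
    """True when the CA can reach the TXT record through the CNAME."""
    zone = build_zone(cname_data_as_typed)
    return resolve_txt(zone, "_acme-challenge." + HOST) is not None
```

Without the trailing dot the CNAME points into your own zone, where nothing exists, which is exactly the "No TXT record found" failure in the original post; with the dot it resolves to the acme-dns name and the TXT record is found.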

Always a good thing when I learn something new! Many thanks @Osiris.

