I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.cvtestreg-t.doh.nm.gov -d cvtestreg-t.doh.nm.gov
It produced this output:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: cvtestreg-t.doh.nm.gov
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.cvtestreg-t.doh.nm.gov - check that a DNS record exists for this domain
Domain: cvtestreg-t.doh.nm.gov
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.cvtestreg-t.doh.nm.gov - check that a DNS record exists for this domain
My web server is (include version): Azure App Proxy
The operating system my web server runs on is (include version): Azure App Proxy
My hosting provider, if applicable, is: Azure tenant
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0
A little background. These certs are for an Azure App Proxy service, which is why I am using a DNS challenge to issue the certs. I created this cert without issue a while ago. The team that handles our DNS must have removed the TXT record we had in there at some point. When it came time to renew the cert, I got an error. I deleted the cert from my local WSL and attempted to recreate the cert, but it still fails with the error above. How do I determine what the value of the record is supposed to be? Without this information, I cannot complete the DNS challenge.
If our infrastructure team did so, I am not aware. The strange thing is there are several other domains we are doing this same process with and none of those are producing this error. Let's assume that the DNS hosting did move and that the CNAME wasn't brought over. How would we resolve? Additionally, there is a second domain that complains about an incorrect TXT record:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: vaccinereg-t.doh.nm.gov
Type: unauthorized
Detail: Incorrect TXT record "si1Jjdi0n1BqnsZ56nlkZUV1QbH3TIvkicmd8hS2jhA" found at _acme-challenge.vaccinereg-t.doh.nm.gov
Would this be caused by the missing CNAME too? How does one determine what the CNAME needs to be? Is there a command to output the needed DNS records for the domain I am trying to validate?
In case anyone else gets stuck on this, my solution was to delete the acmedns.json file that the script generates and rerun the command. Voila, it's telling me what CNAME I need in my DNS now.
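For anyone following the thread who wants to check this before running certbot again: the two errors above are what you see from the CA's side when the `_acme-challenge` delegation is missing (NXDOMAIN) or points at a registration other than the one in the hook's store ("Incorrect TXT record"). The script below is an added example, not part of this thread and not the acme-dns project's own code. It assumes the registration store the hook keeps (by default `/etc/letsencrypt/acmedns.json`) is a JSON object keyed by certificate domain whose values carry a `fulldomain` field, which is what acme-dns returns at registration; the sample store, its credentials and the `example-acme-dns.invalid` hostnames are constructed placeholders. It prints the CNAME each challenge name must carry and, optionally, compares that against what `dig` sees live; the `lookup` parameter exists so the comparison can be exercised without network access.

```python
"""Derive and verify the CNAME records an acme-dns based certbot setup needs.
Added example; see the lead-in for what is assumed about acmedns.json."""
import json
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample of the store written by the auth hook. Keys are the
# certificate domains (without any leading "*."); values are the acme-dns
# registration responses. Every value here is a placeholder, not real data.
SAMPLE_ACMEDNS_JSON = json.dumps({
    "cvtestreg-t.doh.nm.gov": {
        "username": "00000000-0000-0000-0000-000000000001",
        "password": "PLACEHOLDER_PASSWORD",
        "fulldomain": "placeholder-1111.auth.example-acme-dns.invalid",
        "subdomain": "placeholder-1111",
        "allowfrom": []
    }
})


def challenge_name(domain: str) -> str:
    """Return the name the CA queries for the dns-01 challenge.
    A wildcard and its base name share one challenge name, so
    "*.example.com" and "example.com" both map to _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def required_cnames(store: Dict[str, dict], domains: List[str]) -> Dict[str, Optional[str]]:
    """Map each challenge name to the acme-dns fulldomain it must CNAME to.
    None means the domain has no registration in the store yet; the hook will
    register a fresh one on its next run, and that new fulldomain needs a CNAME."""
    out: Dict[str, Optional[str]] = {}
    for d in domains:
        base = d[2:] if d.startswith("*.") else d
        entry = store.get(base)
        out[challenge_name(d)] = entry["fulldomain"] if entry else None
    return out


def dig_cname(name: str) -> Optional[str]:
    """Live CNAME lookup via `dig +short` (needs network and the dig binary)."""
    res = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False)
    target = res.stdout.strip().rstrip(".")
    return target or None


def check_delegation(expected: Dict[str, Optional[str]],
                     lookup: Callable[[str], Optional[str]] = dig_cname) -> Dict[str, str]:
    """Compare the live CNAME target of each challenge name with the expected one.
    Statuses: 'ok', 'missing-cname' (what produces the NXDOMAIN error),
    'wrong-target' (one cause of the 'Incorrect TXT record' error: the CA
    follows the CNAME to a TXT that belongs to some other registration),
    'not-registered' (nothing in the store to compare against)."""
    report: Dict[str, str] = {}
    for name, want in expected.items():
        if want is None:
            report[name] = "not-registered"
            continue
        got = lookup(name)
        if got is None:
            report[name] = "missing-cname"
        elif got.rstrip(".").lower() != want.rstrip(".").lower():
            report[name] = "wrong-target"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    # Replace the constructed sample with open("/etc/letsencrypt/acmedns.json").read()
    store = json.loads(SAMPLE_ACMEDNS_JSON)
    names = ["*.cvtestreg-t.doh.nm.gov", "cvtestreg-t.doh.nm.gov", "vaccinereg-t.doh.nm.gov"]
    needed = required_cnames(store, names)
    for name, target in needed.items():
        if target:
            print(f"{name}. IN CNAME {target}.")
        else:
            print(f"{name}: no acme-dns registration in the store yet")
    for name, status in check_delegation(needed).items():
        print(f"{name}: {status}")
```

Deleting acmedns.json, as in the fix above, works because the hook then registers a new acme-dns account and prints the new `fulldomain`; the old CNAME target is no longer valid after that, so the DNS team has to replace it rather than restore the previous record.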