DNS Challenge Issues

My domain is: cvtestreg-t.doh.nm.gov

I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.cvtestreg-t.doh.nm.gov -d cvtestreg-t.doh.nm.gov

It produced this output:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: cvtestreg-t.doh.nm.gov
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.cvtestreg-t.doh.nm.gov - check that a DNS record exists for this domain

Domain: cvtestreg-t.doh.nm.gov
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.cvtestreg-t.doh.nm.gov - check that a DNS record exists for this domain

My web server is (include version): Azure App Proxy

The operating system my web server runs on is (include version): Azure App Proxy

My hosting provider, if applicable, is: Azure tenant

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

A little background. These certs are for an Azure App Proxy service, which is why I am using a DNS challenge to issue the certs. I created this cert without issue a while ago. The team that handles our DNS must have removed the TXT record we had in there at some point. When it came time to renew the cert, I got an error. I deleted the cert from my local WSL and attempted to recreate the cert, but it still fails with the error above. How do I determine what the value of the record is supposed to be? Without this information, I cannot complete the DNS challenge.

Thanks!


That script is supposed to add the txt record. Are you sure it's doing so?

When using acme-dns I'd expect a CNAME on _acme-challenge.cvtestreg-t.doh.nm.gov -- did you move your DNS hosting and forget to bring that CNAME over?


If our infrastructure team did so, I am not aware. The strange thing is there are several other domains we are doing this same process with and none of those are producing this error. Let's assume that the DNS hosting did move and that the CNAME wasn't brought over. How would we resolve? Additionally, there is a second domain that complains about an incorrect TXT record:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: vaccinereg-t.doh.nm.gov
Type: unauthorized
Detail: Incorrect TXT record "si1Jjdi0n1BqnsZ56nlkZUV1QbH3TIvkicmd8hS2jhA" found at _acme-challenge.vaccinereg-t.doh.nm.gov

Would this be caused by the missing CNAME too? How does one determine what the CNAME needs to be? Is there a command to output the needed DNS records for the domain I am trying to validate?

I'm suspecting our infrastructure team may have been doing some "clean up" in our DNS zones as they often do and removed things they shouldn't have.


Yes, I believe so.

Go back and read the instructions for using:


In case anyone else gets stuck on this, my solution was to delete the acmedns.json file that the script generates and rerun the command. Voila, it's telling me what CNAME I need in my DNS now.

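The CNAME target does not have to be rediscovered by re-registering: acme-dns-auth.py keeps the acme-dns registration for each domain in acmedns.json, and the `fulldomain` field of that entry is what `_acme-challenge.<domain>` must CNAME to. The script below is an added example, not part of this thread or of acme-dns-auth.py. It reads a constructed acmedns.json (placeholder credentials, placeholder acme-dns host `auth.acme-dns.example`), prints the CNAME records the DNS team needs in zone-file syntax, and classifies what public DNS currently answers for each challenge name into the two failures seen above (NXDOMAIN because the CNAME is gone; a literal TXT record sitting where the CNAME should be, which the CA reads instead of following to acme-dns, hence "Incorrect TXT record"). The optional `lookup_with_dig` helper does a live lookup and is an assumption about how you would gather the observed answers; the offline sample does not call it.

```python
import json
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape acme-dns-auth.py stores in acmedns.json:
# one object per domain (the hook strips a wildcard's "*." prefix), holding the
# acme-dns registration it created for that domain. Every credential and host
# name here is a made-up placeholder (assumption: acme-dns API host is
# auth.acme-dns.example; substitute the one your hook is configured with).
SAMPLE_ACMEDNS_JSON = json.dumps({
    "cvtestreg-t.doh.nm.gov": {
        "username": "00000000-0000-4000-8000-000000000001",
        "password": "placeholder-password-not-real",
        "fulldomain": "11111111-2222-4333-8444-555555555555.auth.acme-dns.example",
        "subdomain": "11111111-2222-4333-8444-555555555555",
        "allowfrom": [],
    },
    "vaccinereg-t.doh.nm.gov": {
        "username": "00000000-0000-4000-8000-000000000002",
        "password": "placeholder-password-not-real",
        "fulldomain": "66666666-7777-4888-8999-aaaaaaaaaaaa.auth.acme-dns.example",
        "subdomain": "66666666-7777-4888-8999-aaaaaaaaaaaa",
        "allowfrom": [],
    },
})

# Constructed picture of what public DNS answered for each challenge name,
# reproducing the two failures in the thread: nothing at all for the first name
# (NXDOMAIN) and a literal, stale TXT record instead of a CNAME at the second.
SAMPLE_OBSERVED: Dict[str, Optional[Tuple[str, str]]] = {
    "_acme-challenge.cvtestreg-t.doh.nm.gov": None,
    "_acme-challenge.vaccinereg-t.doh.nm.gov": ("TXT", "stale-token-from-an-earlier-issuance"),
}


def challenge_name(domain: str) -> str:
    """Name the CA queries; a wildcard shares it with its base domain."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def expected_cnames(acmedns_json: str) -> Dict[str, str]:
    """Map each _acme-challenge name to the acme-dns fulldomain it must CNAME to."""
    return {
        challenge_name(domain): acct["fulldomain"].rstrip(".") + "."
        for domain, acct in json.loads(acmedns_json).items()
    }


def zone_lines(expected: Dict[str, str]) -> List[str]:
    """Render the required records in zone-file syntax for the DNS team."""
    return ["%s. IN CNAME %s" % (name, target) for name, target in sorted(expected.items())]


def diagnose(expected: Dict[str, str],
             observed: Dict[str, Optional[Tuple[str, str]]]) -> Dict[str, Tuple[str, str]]:
    """Classify each challenge name as ok / missing / wrong_target / stale_txt."""
    findings = {}
    for name, target in expected.items():
        answer = observed.get(name)
        if answer is None:
            findings[name] = ("missing", "NXDOMAIN: add  %s. IN CNAME %s" % (name, target))
        elif answer[0] == "CNAME" and answer[1].rstrip(".") + "." == target:
            findings[name] = ("ok", "CNAME points at acme-dns as expected")
        elif answer[0] == "CNAME":
            findings[name] = ("wrong_target",
                              "CNAME points at %s, expected %s (hook re-registered a new "
                              "acme-dns account?)" % (answer[1], target))
        else:
            findings[name] = ("stale_txt",
                              "literal %s record %r at the name; the CA reads it instead of "
                              "following a CNAME to acme-dns, so it never matches the new "
                              "token. Replace it with the CNAME." % (answer[0], answer[1]))
    return findings


def lookup_with_dig(name: str, server: str = "8.8.8.8") -> Optional[Tuple[str, str]]:
    """Live lookup (needs dig and network; not used by the offline sample).
    Query CNAME first, then TXT, which is what the CA's resolver will follow."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    for rrtype in ("CNAME", "TXT"):
        out = subprocess.run(["dig", "+short", "@" + server, rrtype, name],
                             capture_output=True, text=True, check=True).stdout.strip()
        if out:
            return (rrtype, out.splitlines()[0].strip('"'))
    return None


if __name__ == "__main__":
    exp = expected_cnames(SAMPLE_ACMEDNS_JSON)
    print("\n".join(zone_lines(exp)))
    for name, (status, msg) in diagnose(exp, SAMPLE_OBSERVED).items():
        print(status, name, msg)
```

Note on the fix in the last post: deleting acmedns.json makes the hook register a brand-new acme-dns account with a new `fulldomain`, so any CNAME that still exists for that name becomes `wrong_target` and must be changed again. Reading the existing file, as above, recovers the target the zone should already be pointing at. A `missing` or `stale_txt` result only says what the queried resolver sees; after the DNS team adds the CNAME, allow for propagation before retrying certbot.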
