DNS challenge keeps failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
platinum.edu.pl

I ran this command:
certbot certonly --manual --preferred-challenges=dns --email [admin email was here] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.platinum.edu.pl

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for platinum.edu.pl


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.platinum.edu.pl with the following value:

rz-16VWoNVzfEmIR4UHZdMgzMPUcg1e0x4Ayg2vOL4M

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification...
Challenge failed for domain platinum.edu.pl
dns-01 challenge for platinum.edu.pl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: platinum.edu.pl
    Type: unauthorized
    Detail: No TXT record found at _acme-challenge.platinum.edu.pl

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Apache/2.4.37

The operating system my web server runs on is (include version):
Slackware 14.2+

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0

Tried:
IN TXT "_acme-challenge.platinum.edu.pl rz-16VWoNVzfEmIR4UHZdMgzMPUcg1e0x4Ayg2vOL4M"
and
IN TXT "rz-16VWoNVzfEmIR4UHZdMgzMPUcg1e0x4Ayg2vOL4M"

Both formats fail. I waited long after the TTL and checked an external DNS server unrelated to my project to see if the zone had deployed. Nada.

It would be useful if Let's Encrypt provided information about which DNS server they ask for the zone info, so we could check it manually before hitting Enter and changing our zones several times.


Welcome to the Let's Encrypt Community, Zuzanna :slightly_smiling_face:

The host for the TXT record should be _acme-challenge.platinum.edu.pl and the value for the TXT record should be rz-16VWoNVzfEmIR4UHZdMgzMPUcg1e0x4Ayg2vOL4M

Be careful when adding TXT records as many interfaces will automatically add the domain name to the end, resulting in duplication. For instance, you may only need to enter _acme-challenge as the host.

You probably want to use the following command to ensure that your apex (platinum.edu.pl) is covered in addition to your subdomains. This will require creating two TXT records, both with _acme-challenge.platinum.edu.pl as the host, but with unique values.

certbot certonly --cert-name platinum.edu.pl --manual --preferred-challenges dns -d "platinum.edu.pl,*.platinum.edu.pl"


IN TXT has just one argument: the string. So I don't understand. Please provide an exact line to enter in a zone file.

My interface to zone records is mcedit. :smiley:


No problem. :slightly_smiling_face:

This is what we currently see (via dig):
_acme-challenge.platinum.edu.pl. 21599 IN A 137.74.1.182

This is what we need to see:
_acme-challenge.platinum.edu.pl. 300 IN TXT rz-16VWoNVzfEmIR4UHZdMgzMPUcg1e0x4Ayg2vOL4M

Please note that the required token may change after a failed validation. Always use the token(s) currently specified by certbot. You can remove tokens after validation is successful (when you receive your certificate).

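The post above gives the record as a dig answer line, and the first post asked which server to check before pressing Enter. The script below is an added example, not code from this thread: it builds the zone-file line for the dns-01 record, checks a set of TXT answers for the token the way the validation servers do (an exact TXT string at the exact owner name), and, when run with network access, asks each authoritative nameserver of the zone directly. The domain, the A record and both tokens are the ones shown in this thread; the multi-record answer combining the two tokens is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Zone apex and tokens are
# the ones quoted in the thread; the sample dig answers below are
# constructed to match what the thread reports at each stage.

# Zone-file line for the challenge record. With "$ORIGIN platinum.edu.pl."
# in effect, the relative form   _acme-challenge 300 IN TXT "<token>"
# is the same record; the fully qualified owner name needs its trailing dot.
acme_txt_line() {
    apex=$1; token=$2
    printf '_acme-challenge.%s. 300 IN TXT "%s"\n' "$apex" "$token"
}

# Read dig-style answer lines (name TTL IN TXT "value") on stdin and exit 0
# only if a TXT record at _acme-challenge.<apex>. carries exactly the token.
# An A record at that name, or a TXT string that also contains the owner
# name (the two forms tried in the first post), both fail this check.
txt_has_token() {
    apex=$1; token=$2
    awk -v name="_acme-challenge.$apex." -v want="\"$token\"" '
        $1 == name && $3 == "IN" && $4 == "TXT" && $5 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check to run before pressing Enter in certbot (needs network and dig).
# The validators resolve the name themselves and do not share your
# resolver's cache, so the answer that matters is the one each authoritative
# nameserver of the zone gives, not what /etc/resolv.conf points at.
check_live() {
    apex=$1; token=$2
    for ns in $(dig +short NS "$apex"); do
        if dig @"$ns" "_acme-challenge.$apex" TXT +noall +answer |
                txt_has_token "$apex" "$token"; then
            echo "$ns: ok"
        else
            echo "$ns: MISSING"
        fi
    done
}

# Constructed sample answers for the three states seen in the thread.
TOKEN=rz-16VWoNVzfEmIR4UHZdMgzMPUcg1e0x4Ayg2vOL4M
TOKEN2=r59fpymIqxoeJ5zunih2KA9ioyuB13IdWz2jpDKJ9Og
ANSWER_A='_acme-challenge.platinum.edu.pl. 21599 IN A 137.74.1.182'
ANSWER_NAME_IN_VALUE='_acme-challenge.platinum.edu.pl. 21599 IN TXT "_acme-challenge.platinum.edu.pl rz-16VWoNVzfEmIR4UHZdMgzMPUcg1e0x4Ayg2vOL4M"'
ANSWER_OK='_acme-challenge.platinum.edu.pl. 21599 IN TXT "rz-16VWoNVzfEmIR4UHZdMgzMPUcg1e0x4Ayg2vOL4M"'

# Apex plus wildcard in one order means two TXT records at the same owner
# name, one per token; the check is simply run once per token.
ANSWER_TWO="$ANSWER_OK
_acme-challenge.platinum.edu.pl. 21599 IN TXT \"$TOKEN2\""

demo() {
    echo "zone-file line to add:"
    acme_txt_line platinum.edu.pl "$TOKEN"
    for a in "$ANSWER_A" "$ANSWER_NAME_IN_VALUE" "$ANSWER_OK"; do
        if printf '%s\n' "$a" | txt_has_token platinum.edu.pl "$TOKEN"; then
            echo "PASS: $a"
        else
            echo "FAIL: $a"
        fi
    done
}
demo
# For the real check, once the zone is reloaded:
#   check_live platinum.edu.pl "$TOKEN"
```

Only the first sample answer passes the check; the A record and the TXT whose string repeats the owner name both fail, which is the same outcome the validation server reported as "No TXT record found". For an order covering both the apex and the wildcard, leave both TXT records in place until the certificate is issued, since certbot validates them separately.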

Okay, so this _acme-challenge.platinum.edu.pl. is some fake hostname that goes into $ORIGIN. OK, let's try it. Check if it is OK.


Looks great to me. :smiley:

_acme-challenge.platinum.edu.pl. 21599 IN TXT "r59fpymIqxoeJ5zunih2KA9ioyuB13IdWz2jpDKJ9Og"

Your TTL is super long (6 hours), but that shouldn't matter to the Let's Encrypt validation servers.

Please be certain to secure your apex too as the wildcard won't cover it.


I'm seeing some good things! You'll probably need to acquire a certificate to include both platinum.edu.pl and *.platinum.edu.pl though (per the command I gave you).

:partying_face:


Okay, I will update the certs and I hope it will be all good.


Much better! :smiley:


Yes, it works like a charm. platinum.edu.pl is also a non-profit Linux-based project, so I think we will get along great. Thanks for your help and have a nice day.


You're very welcome. :blush: Glad everything worked out great. If you have any further questions or run into any trouble, you know where to find us. :wave:


One last thought:
I'm noticing a lot of 302 redirects (instead of 301) and no HTTP to HTTPS redirects. Might be worth checking into.


True, I didn't configure them; I am running through the config now, "SSLing" it. :smiley:


Looking better! :slightly_smiling_face:
