DNS Challenge keeps failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: robotechmacross.com

I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.robotechmacross.com -d robotechmacross.com

It produced this output:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt

My web server is (include version):
Apache2 2.4.41
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
Self hosted, server is sitting on my dresser
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No control panel is being used
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 0.40.0

I have done a DNS challenge using certbot before. I'm following this tutorial on dns challenge:

One command is:
sudo apt-add-repository ppa:certbot/certbot

The output of that command is:
The PPA has been deprecated

To get up to date instructions on how to get certbot for your systems please see Get Certbot — Certbot 1.30.0 documentation.
More info: https://launched.net/~certbot/+archive/ubuntu/certbot
press [ENTER] to continue or Ctrl-c to cancel adding it.

Then it hits a bunch of http links, gets an error on the 6th one (a 404). Then it says the repository doesn't have a Release file, it can't be updated securely and is therefore disabled by default.

No clue what's going on, I'm just copying commands like it's 1983 and I am programming on a C64 by copying code out of RUN magazine. So I just proceed. Next command is:
sudo apt install certbot

Then got acme-dns-certbot w/ this command:
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
Made it executable with:
chmod +x acme-dns-auth.py
Opened that file in Nano and entered 3 at the end of python as instructed
moved the file to the letsencrypt folder

Then I ran the script with this:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.robotechmacross.com -d robotechmacross.com

When I did that it gave me instructions to set up a CNAME and gave me a long string. I went to Cloudflare DNS and created a CNAME of _acme.challenge.robotechmacross.com and put the string in the text field. It failed the first time, saying an incorrect txt file was found. I saw an old DNS challenge that used TXT instead of CNAME and it was picking up that code. So I erased that entry completely. Then I ran certbot again. This time it didn't give me a new code, so I assumed I'm still using the same one. The instructions clearly say to set up a CNAME. It failed again and the output looked like it said it was trying to verify a TXT, not a CNAME. So I erased it and created a new one under TXT instead of CNAME. It failed again. Now when I try it gets the above error. Cloudflare has a proxy that hides your real IP from the real world; I tried with that enabled. When I turned it off it changed from "Proxy" to "DNS Only", but it still fails.

The website it refers you to says there are no overrides. What does that mean? Did I just ruin a URL that can never have SSL because dns challenge is a convoluted mess and my attempts failed too many times? Or do I have to wait for a period of time to elapse before I can try again?

Am I doing something wrong? Was that failure on that repository giving the 404 error an issue? I.e. did I download a different version of certbot from some other repository, since the command failed and said it was disabled by default?

All I want to do is get an SSL for my URL and my ISP blocks port 80 "For my protection" (Yeah right) If they didn't block 80, I could just push the make it work button, but since they do I have to do this. It's hard enough to find a decent URL now that everything under .com is either in use or some domain squatter is holding it for ransom.

I don't want to waste any money on a host when these websites are just for testing and I have unlimited resources for the VM running the sites sitting in the next room.

Hello @falken, welcome to the Let's Encrypt community. 🙂

Is very old, I suggest updating it.

Also here you can see the DNS records, including, TXT, for _acme-challenge.robotechmacross.com here:

And testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

And to assist with debugging there is a great place to start is Let's Debug.

1 Like

...except for the one OP hit, which is per-hour.

Both are correct. Here's what's supposed to happen when you're using acme-dns:

  • You're running your own acme-dns server, not using auth.acme-dns.io
  • Your own acme-dns instance gives you a hostname like 44255c4e-d669-41f3-a141-672a8bd859e6.acme.yourdomain
  • You create a CNAME record for _acme-challenge.yourdomain pointing to 44255c4e-d669-41f3-a141-672a8bd859e6.acme.yourdomain
  • The hook script updates the DNS TXT record for 44255c4e-d669-41f3-a141-672a8bd859e6.acme.yourdomain to match the validation token
  • Let's Encrypt validation servers query _acme-challenge.yourdomain, find the CNAME record, and follow that to query 44255c4e-d669-41f3-a141-672a8bd859e6.acme.yourdomain for the validation token. Finding it there, validation succeeds, and you get your cert.
6 Likes
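The CNAME-to-TXT chain described in the bullets above is exactly what a DNS-01 validator walks, and the mismatch the original poster saw ("incorrect TXT found") comes from that walk ending at a stale record. The following is an added example written for this thread, not code from certbot, acme-dns or the hook script; it models the lookup offline against a constructed zone. The UUID-style name is the sample from the reply above, `example.test` stands in for the real domain, `KEY_AUTH` is a made-up key authorization, and `acme_dns_update` is a hypothetical stand-in for what the auth hook does through the acme-dns API. The TXT value is computed the way RFC 8555 section 8.4 specifies (base64url of the SHA-256 of the key authorization).

```python
"""Offline model of an ACME DNS-01 lookup across an acme-dns CNAME delegation.

Added example for this thread; not part of certbot or acme-dns.
Zone contents, names and the key authorization are constructed.
"""
import base64
import hashlib

MAX_CNAME_HOPS = 8  # guard against CNAME loops and runaway chains


def expected_txt(key_authorization: str) -> str:
    """TXT value a DNS-01 validator expects (RFC 8555 section 8.4):
    base64url(SHA-256(keyAuthorization)) with '=' padding stripped."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def lookup_txt(zone: dict, name: str, max_hops: int = MAX_CNAME_HOPS):
    """Follow CNAMEs the way a resolver does and return (txt_values, chain).
    `zone` maps an FQDN to a list of (rrtype, value) tuples."""
    chain = [fqdn(name)]
    current = chain[0]
    for _ in range(max_hops):
        rrset = zone.get(current, [])
        cnames = [v for t, v in rrset if t == "CNAME"]
        if cnames:
            current = fqdn(cnames[0])
            if current in chain:
                raise ValueError("CNAME loop: " + " -> ".join(chain + [current]))
            chain.append(current)
            continue
        return [v for t, v in rrset if t == "TXT"], chain
    raise ValueError("too many CNAME hops")


def validate_dns01(zone: dict, domain: str, key_authorization: str) -> dict:
    """Emulate the validator's decision for _acme-challenge.<domain>."""
    name = f"_acme-challenge.{domain}"
    want = expected_txt(key_authorization)
    try:
        found, chain = lookup_txt(zone, name)
    except ValueError as err:
        return {"ok": False, "reason": str(err), "chain": []}
    if want in found:
        return {"ok": True, "reason": "token found", "chain": chain}
    if not found:
        return {"ok": False, "reason": "no TXT record", "chain": chain}
    return {"ok": False, "reason": f"incorrect TXT record(s) found: {found}", "chain": chain}


def acme_dns_update(zone: dict, target: str, txt: str) -> None:
    """Hypothetical stand-in for the auth hook: it replaces the TXT at the
    delegated acme-dns name (the real hook does this via the acme-dns HTTP API)."""
    zone[fqdn(target)] = [("TXT", txt)]


# Constructed sample data (not real DNS).
DOMAIN = "example.test"
ACME_DNS_NAME = "44255c4e-d669-41f3-a141-672a8bd859e6.acme.example.test"
KEY_AUTH = "constructed-token.constructed-account-key-thumbprint"


def correct_setup() -> dict:
    """CNAME at _acme-challenge delegates to acme-dns; hook writes TXT there."""
    zone = {fqdn(f"_acme-challenge.{DOMAIN}"): [("CNAME", ACME_DNS_NAME + ".")]}
    acme_dns_update(zone, ACME_DNS_NAME, expected_txt(KEY_AUTH))
    return validate_dns01(zone, DOMAIN, KEY_AUTH)


def stale_txt_setup() -> dict:
    """Failure mode from the thread: a leftover TXT sits at _acme-challenge
    and no CNAME delegates, so the validator reads the old value."""
    zone = {fqdn(f"_acme-challenge.{DOMAIN}"): [("TXT", expected_txt("old-key-authorization"))]}
    acme_dns_update(zone, ACME_DNS_NAME, expected_txt(KEY_AUTH))  # updated, but never reached
    return validate_dns01(zone, DOMAIN, KEY_AUTH)


def missing_record_setup() -> dict:
    """Nothing published at _acme-challenge at all."""
    return validate_dns01({}, DOMAIN, KEY_AUTH)


if __name__ == "__main__":
    for scenario in (correct_setup, stale_txt_setup, missing_record_setup):
        print(scenario.__name__, scenario())
```

The `chain` field is the useful diagnostic: in the working case it has two names (the `_acme-challenge` label and the acme-dns target), in the stale-TXT case only one, which is the quickest way to confirm whether the delegation is actually in place before burning another validation attempt against the rate limit.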

I hate this forum software, I accidentally double clicked and inadvertently erased my entire response.

I'm just learning Linux, everything is always old and outdated. I need to start using the tools on Google and marking them as recent as possible or I'll keep getting outdated tutorials. So I had Certbot version .40 and they are now on 1.30? This is never easy. I need to do a DNS challenge obviously, and all I can find are websites that have you click icons about your system and then it's going to attempt to go through port 80, but that isn't going to work because my ISP blocks that port and my server is in my house.

Where can I find the repository so I can just get this through the command line? Will the old DNS challenge script work on this new certbot? I am so lost, I can't find anything about a DNS challenge python script for version 1.30. I'm not sure I even need a different version of certbot. I just checked the version of certbot on the VM that already had a successful DNS challenge work, and that VM is running a website behind SSL right now. The version of certbot on that VM is the same .40 version I have on this one.

Maybe this has something to do with my issue?

In the above image, the top entry is the correct one. I had to change it from a CNAME to TXT. Prior to changing CNAME to TXT it didn't even show up. The other two entries with the question mark are entries I do not recognize at all. Furthermore, neither of those entries is appearing on my DNS in Cloudflare; only the one on top of the list is there. Where is it pulling these phantom challenges from? I checked all my domains and those numbers are in none of my domains.

My god, this just gets worse. I made a mistake. So that DNS checker says "Enter any valid URL". To get the above images in the screenshot, I put _acme-challenge.robotechmacross.com and the page in the screenshot brought those results. The top one is the correct DNS challenge; I don't recognize the others. But the URL that will be used is robotechmacross.com, and when I enter that into the field on the dnschecker page I get this result:


Why isn't it finding the text file on just the domain name?
I looked closer at my working sites.

Here's one of them:

The domain name is displayed there

Here is the corresponding screenshot to cloudflare's dns for that url

Notice that record number doesn't match. This is confusing as hell to me.

Here is the entirety of the DNS records on the website in question, which will not read the code unless I put _acme.challenge before the domain on that dnschecker page.

If this is what certbot is seeing, it's getting nothing back. Why is this happening, how would I fix this?

Yes, you do have to wait for the rate limits.

The fine details on Rate Limits are here: Rate Limits - Let's Encrypt

2 Likes

I am not an expert with the DNS-01 Challenge Type: Challenge Types - Let's Encrypt
I'm going to let others who are knowledgeable help.
(I don't want to make things worse for you by giving bad suggestions by accident)

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.