DNS passthrough issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bencarpenterit.com

I ran this command: dig -t txt _acme-challenge.bencarpenterit.com, dig -t txt 6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com, dig -t txt @auth.bencarpenterit.com 6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com

It produced this output:


dig -t txt _acme-challenge.bencarpenterit.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> -t txt _acme-challenge.bencarpenterit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61800
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.bencarpenterit.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.bencarpenterit.com. 39 IN CNAME 6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com.
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 39 IN TXT "google-site-verification=68rsu4RQP4j4W21BsNngspYijOQgeDu8IFie-2d4Scg"
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 39 IN TXT "v=spf1 include:spf.mailjet.com ?all"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Apr 11 05:35:38 UTC 2024
;; MSG SIZE rcvd: 248

dig -t txt 6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> -t txt 6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54841
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. IN TXT

;; ANSWER SECTION:
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 265 IN TXT "v=spf1 include:spf.mailjet.com ?all"
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 265 IN TXT "google-site-verification=68rsu4RQP4j4W21BsNngspYijOQgeDu8IFie-2d4Scg"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Apr 11 05:35:51 UTC 2024
;; MSG SIZE rcvd: 218

dig -t txt @auth.bencarpenterit.com 6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> -t txt @auth.bencarpenterit.com 6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49697
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. IN TXT

;; ANSWER SECTION:
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 1 IN TXT "rMVQ7EP3tsBoWbNxlVkRfrL0j2FBD8CLYGApqVNnjnA"
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 1 IN TXT "XubzG8kOhL24Thqeo0rqDzZSmR_xZdwKhHYQ5_utMKQ"

;; Query time: 0 msec
;; SERVER: 71.88.107.212#53(auth.bencarpenterit.com) (UDP)
;; WHEN: Thu Apr 11 05:36:05 UTC 2024
;; MSG SIZE rcvd: 321


My web server is (include version): apache 2.4.52

The operating system my web server runs on is (include version): ubuntu 22.04.4 LTS

My hosting provider, if applicable, is: no-ip

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

The issue I am having is that when I try to set up an auto-renewal script for my wildcard cert, I have issues getting the DNS to properly forward the TXT record. I am running acme-dns and it seems to be outputting it properly, and the CNAME appears to be correct. I am stuck here and I was hoping someone has some insight into what I am missing.

When querying auth.bencarpenterit.com directly you indeed seem to be getting the correct TXT RR, but from the public DNS the queries are not directed to auth.bencarpenterit.com in any way?

Where did you configure a DNS zone to redirect the queries to auth.bencarpenterit.com?


I have ns1.auth.bencarpenterit.com set as a Nameserver on No-IP, and I have acme-dns configured with the following: "auth.bencarpenterit.com. NS *.auth.bencarpenterit.com."

For the entire zone it seems, mixed with No-IP nameservers. I'm pretty sure that's not how you're supposed to configure the zone.

How do you mean, "configured acme-dns"?

Further more, please see _acme-challenge.bencarpenterit.com | DNSViz for a visual representation of the query for _acme-challenge.bencarpenterit.com IN TXT: it's quite a mess.


I am running acme-dns
I have changed line 19 of the file config.cfg to read "auth.bencarpenterit.com. NS *.auth.bencarpenterit.com." and line 17 to be "auth.bencarpenterit.com. A (Current Public IP)". As far as the map goes, it definitely looks like a mess and I will see if I can't work on cleaning it up once I get home.

While that might configure acme-dns, you still need to configure the No-IP nameservers accordingly.

Note that if you do:

dig +trace _acme-challenge.bencarpenterit.com TXT

The last No-IP NS answers the CNAME AND immediately the TXT RRs (probably a wildcard) with some Google verification stuff and the SPF record. It never goes to the acme-dns server when a No-IP NS is asked. And No-IP gets asked randomly in 80% of the queries.

You probably want to remove ns1.auth.bencarpenterit.com. from the NS RR set for bencarpenterit.com, not use a CNAME, and use an NS RR for ONLY the _acme-challenge label with auth.bencarpenterit.com. as the value (or ns1.auth.bencarpenterit.com., it doesn't matter much, both point to the same IP address).

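The diagnosis in the reply above (the public resolver follows the CNAME but the TXT data it returns is the parent zone's wildcard SPF/site-verification strings, never the acme-dns challenge values) can be checked mechanically. The script below is an added example, not code from the thread or from the acme-dns project. It parses dig-style answer lines, follows the CNAME chain, and classifies the TXT values by whether they look like dns-01 validation strings (base64url SHA-256, 43 characters) or like unrelated records from the wrong zone; it then prints the parent-zone records the reply suggests (NS on the _acme-challenge label only, no CNAME there). The two answer samples are transcribed from the dig output posted in the thread; the IP address 192.0.2.10 is a placeholder from the documentation range, not the poster's real address.

```python
import re

# Constructed sample: the ANSWER SECTION lines from the thread's first dig
# query (asked via the public resolver). Values are as posted in the thread.
PUBLIC_ANSWER = """\
_acme-challenge.bencarpenterit.com. 39 IN CNAME 6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com.
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 39 IN TXT "google-site-verification=68rsu4RQP4j4W21BsNngspYijOQgeDu8IFie-2d4Scg"
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 39 IN TXT "v=spf1 include:spf.mailjet.com ?all"
"""

# Constructed sample: the same name asked directly of the acme-dns server.
ACMEDNS_ANSWER = """\
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 1 IN TXT "rMVQ7EP3tsBoWbNxlVkRfrL0j2FBD8CLYGApqVNnjnA"
6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com. 1 IN TXT "XubzG8kOhL24Thqeo0rqDzZSmR_xZdwKhHYQ5_utMKQ"
"""

RR_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(CNAME|TXT|NS)\s+(.+)$')
# A dns-01 validation value is base64url(SHA-256(key authorization)) without
# padding: exactly 43 characters from the base64url alphabet.
ACME_VALUE = re.compile(r'^[A-Za-z0-9_-]{43}$')


def fqdn(name):
    """Normalise a name to lower case with exactly one trailing dot."""
    return name.lower().rstrip('.') + '.'


def parse_answer(text):
    """Parse dig answer lines into (owner, type, rdata) tuples; TXT rdata is unquoted."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        rdata = rdata.strip('"') if rtype == 'TXT' else fqdn(rdata)
        rrs.append((fqdn(owner), rtype, rdata))
    return rrs


def resolve_txt(rrs, name, max_hops=8):
    """Follow the CNAME chain from name and return (final_owner, txt_values)."""
    name = fqdn(name)
    for _ in range(max_hops):
        targets = [r for o, t, r in rrs if o == name and t == 'CNAME']
        if not targets:
            break
        name = targets[0]
    return name, [r for o, t, r in rrs if o == name and t == 'TXT']


def diagnose(answer_text, label):
    """Classify what a resolver would hand to the CA for the given label."""
    target, txts = resolve_txt(parse_answer(answer_text), label)
    acme = [t for t in txts if ACME_VALUE.match(t)]
    other = [t for t in txts if not ACME_VALUE.match(t)]
    if not txts:
        return 'no-txt', target, []
    if acme and not other:
        return 'ok', target, acme
    if other and not acme:
        # Unrelated SPF / site-verification strings mean the answer came from
        # the parent zone (a wildcard), not from acme-dns.
        return 'wrong-zone', target, other
    return 'mixed', target, txts


def delegation_records(zone, acme_host, acme_ip):
    """Records the reply suggests for the parent zone: an NS for the
    _acme-challenge label only (no CNAME there) plus the A record the
    delegation target needs. acme_ip is a placeholder supplied by the caller."""
    return [
        f"_acme-challenge.{fqdn(zone)} IN NS {fqdn(acme_host)}",
        f"{fqdn(acme_host)} IN A {acme_ip}",
    ]


if __name__ == '__main__':
    for text, label in ((PUBLIC_ANSWER, '_acme-challenge.bencarpenterit.com'),
                        (ACMEDNS_ANSWER, '6c0ae496-e557-47c1-bbdc-e39f0b8843e4.auth.bencarpenterit.com')):
        verdict, target, values = diagnose(text, label)
        print(f"{label}: {verdict} (final owner {target})")
        for v in values:
            print("   ", v)
    print("\nSuggested parent-zone records (192.0.2.10 is a placeholder):")
    for rr in delegation_records('bencarpenterit.com', 'auth.bencarpenterit.com', '192.0.2.10'):
        print("   ", rr)
```

Against live DNS you would feed it the output of `dig +noall +answer -t txt _acme-challenge.example.com`, once per public resolver and once per authoritative server listed for the zone; a 'wrong-zone' verdict from the parent's nameservers alongside an 'ok' verdict from the acme-dns host directly is exactly the split the thread's dig output shows. The 43-character check is a heuristic for dns-01 values, not a protocol guarantee, so treat 'mixed' as something to inspect by hand.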

Ahh, then I believe I may be out of luck. It appears that No-IP only allows NS RRs on top-level domains and not subdomains, so I don't think I can configure it to do that. But at least I got the map cleaned up a bit lol.
