DNS problem: NXDOMAIN looking up TXT for _acme-challenge check that a DNS record exists for this domain

I am using this authenticator script:

My domain is:

I ran this command:

certbot certonly --manual --test-cert --email ****@gmail.com --agree-tos --manual-public-ip-logging-ok --preferred-challenges=dns --manual-auth-hook authenticator.py --manual-cleanup-hook cleanup.py -d *.asellus.org -d asellus.org

It produced this output:

Requesting a certificate for *.asellus.org and asellus.org

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: asellus.org
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.asellus.org - check that a DNS record exists for this domain

  Domain: asellus.org
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.asellus.org - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

โ†[31mSome challenges have failed.โ†[0m
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

idk

The operating system my web server runs on is (include version):

idk

My hosting provider, if applicable, is:

namesilo

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0

The authenticator script you're using seems to have a wait parameter in config.py defined. Try increasing it.

Also, while the script is waiting for propagation, you can check yourself if the TXT record exists, e.g. using Google's online version of dig here: Dig (DNS lookup). If certbot has finished, this checking will have no results due to the cleanup script, so check it when certbot is waiting.

2 Likes
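The advice above (wait for propagation, and check the TXT record while the hook is still waiting) is easy to get wrong in two ways that come up later in this thread: checking the wrong name, and not waiting at all because the hook errored out before its sleep. The following is an added example for this thread, not the namesilo authenticator script or any certbot code. It is a minimal `--manual-auth-hook` skeleton that derives the `_acme-challenge.<domain>` name (stripping a leading `*.`, since a wildcard is validated at the same record as its base name), only starts waiting after the record was actually created, exits non-zero with a message otherwise, and polls the live record with `dig +short`. `add_txt_record` is a placeholder for whatever provider API you use, and `dig` is assumed to be on the PATH; both are assumptions, not something this thread provides.

```python
"""Skeleton certbot --manual-auth-hook: create the TXT record, then wait
only if creation succeeded, and fail loudly otherwise.

Added example for this thread; not the namesilo script discussed above.
Assumptions: add_txt_record() is a placeholder for your provider's API,
and `dig` is available on the PATH for the live propagation check.
"""
import os
import subprocess
import sys
import time
from typing import Callable, Iterable, List, Mapping


def challenge_record_name(domain: str) -> str:
    """Name of the TXT record ACME dns-01 validates for `domain`.

    It is "_acme-challenge." prepended to the domain itself (not to the
    domain twice). A wildcard *.example.org is validated at the same
    record as example.org, so a leading "*." is stripped; certbot already
    hands the base name in CERTBOT_DOMAIN, so this is defensive.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def dig_txt(name: str) -> List[str]:
    """Look up TXT values with `dig +short`; each value is returned quoted."""
    out = subprocess.run(["dig", "+short", name, "TXT"],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def wait_for_txt(name: str, expected: str, lookup: Callable[[str], Iterable[str]],
                 timeout: float = 900.0, interval: float = 15.0,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll `lookup(name)` until `expected` is among the TXT values.

    Membership is tested rather than equality: when *.example.org and
    example.org are requested together, two different tokens legitimately
    sit under the same name at the same time.
    """
    attempts = max(1, int(timeout // interval))
    for n in range(attempts):
        if expected in list(lookup(name)):
            return True
        if n < attempts - 1:
            sleep(interval)
    return False


def add_txt_record(name: str, value: str) -> bool:
    """Placeholder (assumption): call your DNS provider's API here and return
    False if it rejects the request, e.g. because the zone is not in the
    account. Never sleep before this has succeeded."""
    raise NotImplementedError("replace with your provider's API call")


def main(env: Mapping[str, str] = os.environ,
         add_record: Callable[[str, str], bool] = add_txt_record,
         lookup: Callable[[str], Iterable[str]] = dig_txt,
         sleep: Callable[[float], None] = time.sleep) -> int:
    # certbot exports the domain and the token for the hook via these variables
    name = challenge_record_name(env["CERTBOT_DOMAIN"])
    token = env["CERTBOT_VALIDATION"]
    if not add_record(name, token):
        # Fail fast and visibly: no point waiting for a record that was never created
        print(f"could not create TXT {name}; not waiting for propagation", file=sys.stderr)
        return 1
    if not wait_for_txt(name, token, lookup, sleep=sleep):
        print(f"TXT {name} did not show the expected value before the timeout", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The ordering is the point: the sleep sits after a successful record creation, so a failed API call ends the hook immediately with a non-zero exit and a line on stderr instead of silently skipping the wait. While the hook is in its polling loop you can run `dig _acme-challenge.<domain> TXT` yourself and see the same values it is waiting for. On Windows, where a shebang line is not honoured, the hook would be passed as `--manual-auth-hook "path\to\python.exe path\to\hook.py"` as suggested further down in the thread.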

The authenticator script you're using seems to have a wait parameter in config.py defined. Try increasing it.

I saw that - it's set to 25 mins, but the script fails immediately. Would the log be helpful?

Also, while the script is waiting for propagation, you can check yourself if the TXT record exists, e.g. using Google's online version of dig here: Dig (DNS lookup). If certbot has finished, this checking will have no results due to the cleanup script, so check it when certbot is waiting.

I tried this on my local shell - would that be dig _acme-challenge.asellus.org.asellus.org IN TXT?

No, please see the requested resource record in the actual error message:

1 Like

ah okay - so just _acme-challenge.asellus.org?

In any case, there is no waiting time during which I could check this...

Yep.

That's weird, the script clearly has a waiting period set in its code:

With the option wait being defined in setup.py:

Could you upload the entire letsencrypt.log found in /var/log/letsencrypt/ ?

1 Like

letsencrypt.txt (25.2 KB)

Hm, it's quite weird why your script doesn't actually pause:

2021-11-21 14:36:58,767:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-11-21 14:36:58,767:INFO:certbot._internal.auth_handler:dns-01 challenge for asellus.org
2021-11-21 14:36:58,767:INFO:certbot._internal.auth_handler:dns-01 challenge for asellus.org
2021-11-21 14:36:58,767:INFO:certbot.compat.misc:Running manual-auth-hook command: authenticator.py
2021-11-21 14:36:58,901:INFO:certbot.compat.misc:Running manual-auth-hook command: authenticator.py
2021-11-21 14:36:59,019:DEBUG:acme.client:JWS payload:

If I test it locally, it would pause, but not when there was an error. But if there was an error, it would have shown up in the log file? I don't get it..

Do you actually require a wildcard certificate? If not, perhaps using the http-01 challenge without that namesilo script would be more successful.

1 Like

Do you actually require a wildcard certificate? If not, perhaps using the http-01 challenge without that namesilo script would be more successful.

I honestly don't know but I'd prefer to make DNS-01 work. I'm investigating a bit more now...

Why do you state "--manual" ?
[if this seems to be automated via those scripts - seems like a contradiction]

1 Like

If this is Certbot for Windows, then the shebang in the Python script would not work, would it? (I'm actually not sure).

If that's the problem, then OP would probably need to do something like

 --manual-auth-hook "/path/to/python.exe /path/to/authenticator.py"

and yeah, it's weird that there's no error output.

I can't dig into this right now but it seems worth an investigation.

1 Like

So could it be the domain itself? I tried with the acme shell script, and after it runs through part of the scripts it terminates with this error:

[Sun Nov 21 19:27:19 CET 2021] displayError='1'
[Sun Nov 21 19:27:19 CET 2021] _CURL='curl --silent --dump-header /home/mluerig/.acme.sh/http.header  -L  -g '
[Sun Nov 21 19:27:20 CET 2021] ret='0'
[Sun Nov 21 19:27:20 CET 2021] _hcode='0'
[Sun Nov 21 19:27:20 CET 2021] host='asellus.org'
[Sun Nov 21 19:27:20 CET 2021] Unable to find domain specified.
[Sun Nov 21 19:27:20 CET 2021] Error add txt for domain:_acme-challenge.asellus.org
[Sun Nov 21 19:27:20 CET 2021] _on_issue_err
[Sun Nov 21 19:27:20 CET 2021] Please add '--debug' or '--log' to check more details.
[Sun Nov 21 19:27:20 CET 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

I mean, the domain is there

or just python if it's in the PATH?

I'm not familiar with using scripts on Windows, but you could of course be right..

Very weird!

But the TXT record isn't.

Also, what options did you use for acme.sh?

1 Like

~/.acme.sh/acme.sh --issue --dns dns_namesilo --dnssleep 900 -d asellus.org -d www.asellus.org
as per dnsapi · acmesh-official/acme.sh Wiki · GitHub

But the TXT record isn't.

But I thought that's what the script is for? Not sure whether this error happens before or after DNS record manipulation...

Try using --debug and you may get more opportunity to check such statuses along the way.

1 Like

What I posted above comes from the debug log, but it was just tricky to relate it to the script on GH. But I think it's before it's even added:

[Sun Nov 21 19:27:18 CET 2021] d='asellus.org'
[Sun Nov 21 19:27:18 CET 2021] _d_alias
[Sun Nov 21 19:27:18 CET 2021] txtdomain='_acme-challenge.asellus.org'
[Sun Nov 21 19:27:19 CET 2021] txt=****
[Sun Nov 21 19:27:19 CET 2021] d_api='/home/mluerig/.acme.sh/dnsapi/dns_namesilo.sh'
[Sun Nov 21 19:27:19 CET 2021] Found domain api file: /home/mluerig/.acme.sh/dnsapi/dns_namesilo.sh
[Sun Nov 21 19:27:19 CET 2021] Adding txt value: **** for domain:  _acme-challenge.asellus.org
[Sun Nov 21 19:27:19 CET 2021] Retrying GET
[Sun Nov 21 19:27:19 CET 2021] GET
[Sun Nov 21 19:27:19 CET 2021] url='https://www.namesilo.com/api/listDomains?version=1&type=xml&key=****
[Sun Nov 21 19:27:19 CET 2021] timeout=
[Sun Nov 21 19:27:19 CET 2021] displayError='1'
[Sun Nov 21 19:27:19 CET 2021] _CURL='curl --silent --dump-header /home/mluerig/.acme.sh/http.header  -L  -g '
[Sun Nov 21 19:27:20 CET 2021] ret='0'
[Sun Nov 21 19:27:20 CET 2021] _hcode='0'
[Sun Nov 21 19:27:20 CET 2021] host='asellus.org'
[Sun Nov 21 19:27:20 CET 2021] Unable to find domain specified.
[Sun Nov 21 19:27:20 CET 2021] Error add txt for domain:_acme-challenge.asellus.org
[Sun Nov 21 19:27:20 CET 2021] _on_issue_err
[Sun Nov 21 19:27:20 CET 2021] Please add '--debug' or '--log' to check more details.
[Sun Nov 21 19:27:20 CET 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Sun Nov 21 19:27:20 CET 2021] payload='{}'
[Sun Nov 21 19:27:20 CET 2021] Retrying post
[Sun Nov 21 19:27:20 CET 2021] POST

Rename or toss that log and generate a fresh one.
Also use the staging environment for such testing (whenever possible).

1 Like

~/.acme.sh/acme.sh --issue --dns dns_namesilo --dnssleep 900 -d asellus.org -d www.asellus.org --log --test --debug

gave

acme_log_masked.txt (10.6 KB)

So much for --dnssleep 900
That whole log is done in less than 7 seconds.

1 Like