Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output: None yet. I'm stalled at the "DNS provider" question that's part of the installation process. Our LAN has Bind running on the RPi to handle the internal named function with forwarders pointing to nameservers provided by AT&T.
Our domains are defined/managed by EasyDNS.
I see no mention of either AT&T or EasyDNS in any of the DNS plugin documentation.
How to proceed now?
My web server is (include version): nginx (reverse proxy to apache)
The operating system my web server runs on is (include version): Raspberry Pi/Debian bookworm
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.10.0
What exactly is the reason that you need the dns-01 challenge?
I see your hostnames have a public IP address (AT&T), but aren't reachable on port 80 nor 443. Is that the reason? Could you make the server available on TCP port 80 for the http-01 challenge?
If lego supports EasyDNS, then certbot-dns-multi, which uses lego under the hood, can be used as a DNS plugin for Certbot for EasyDNS.
Everything on port 80 and 443 is being forwarded to nginx at the firewall. It used to work fine that way.
Thanks for the tip about dns-multi. It'd likely have taken a lot of trial and error figuring out that plugin was the one to use. I'm going to proceed using that plugin and see how it goes.
I am no EasyDNS expert (barely know it) but in general you should consider the security of the token or key used for the DNS API. These auth tokens / keys on some DNS systems grant very wide privileges. On others they can be scoped very narrow.
You should review the scope for EasyDNS and take suitable precautions with access to the files that contain these tokens/keys.
Where does one find a.) the ".lego" subdirectory and b.) the values for the API_TOKEN, etc. variables referred to in the Lego documentation? Granted, it's been a long time since I first set up Certbot, but I sure don't recall having to jump through this many hoops to get it installed the first time. I'm finding the instructions not clear at all.
Sorry but that page makes little to no sense. A lot of prior background seems to be needed to the point of making the pages meaningless. I'm not a REST programmer so when things tell me I need access to the innards of a REST API, I'm lost. As I said earlier: this wasn't anywhere nearly so complex when I first used Certbot. A clear start-to-finish example would be helpful and I sure am not finding it on those pages. (The Cloudflare example isn't helping.)
Thanks for the link, but I need more guidance on what the heck it's asking for.
Not sure which page you're looking at, but I'm pretty sure it's not the page I linked, because that one doesn't mention anything about any REST API?
If you mean EasyDNS :: Let’s Encrypt client and ACME library written in Go (https://go-acme.github.io/lego/dns/easydns/), then you can probably ignore the whole "Additional Configuration" section as that's just for fine-tuning if required.
OK. I'm using the following script ("run_lego") to run the lego command:
$ ./run_lego
2024/06/06 19:24:10 Could not load RSA private key from file /var/snap/lego/common/.lego/accounts/acme-v02.api.letsencrypt.org/rnturner@domain1.org/keys/rnturner@domain1.org.key: open /var/snap/lego/common/.lego/accounts/acme-v02.api.letsencrypt.org/rnturner@domain1.org/keys/rnturner@domain1.org.key: permission denied
When running under sudo:
$ sudo ./run_lego
2024/06/06 19:26:08 [INFO] [theturners.org, *.theturners.org, systypes.org, *.systypes.org] acme: Obtaining bundled SAN certificate
2024/06/06 19:26:08 [INFO] [*.systypes.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916557
2024/06/06 19:26:08 [INFO] [*.theturners.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916567
2024/06/06 19:26:08 [INFO] [systypes.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916577
2024/06/06 19:26:08 [INFO] [theturners.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916587
2024/06/06 19:26:08 [INFO] [*.systypes.org] acme: use dns-01 solver
2024/06/06 19:26:08 [INFO] [*.theturners.org] acme: use dns-01 solver
2024/06/06 19:26:08 [INFO] [systypes.org] acme: Could not find solver for: tls-alpn-01
2024/06/06 19:26:08 [INFO] [systypes.org] acme: Could not find solver for: http-01
2024/06/06 19:26:08 [INFO] [systypes.org] acme: use dns-01 solver
2024/06/06 19:26:08 [INFO] [theturners.org] acme: Could not find solver for: tls-alpn-01
2024/06/06 19:26:08 [INFO] [theturners.org] acme: Could not find solver for: http-01
2024/06/06 19:26:08 [INFO] [theturners.org] acme: use dns-01 solver
2024/06/06 19:26:08 [INFO] [*.systypes.org] acme: Preparing to solve DNS-01
2024/06/06 19:26:09 [INFO] [*.systypes.org] acme: Cleaning DNS-01 challenge
2024/06/06 19:26:09 [INFO] [*.theturners.org] acme: Preparing to solve DNS-01
2024/06/06 19:26:09 [INFO] [*.theturners.org] acme: Cleaning DNS-01 challenge
2024/06/06 19:26:09 [INFO] [systypes.org] acme: Preparing to solve DNS-01
2024/06/06 19:26:09 [INFO] [systypes.org] acme: Cleaning DNS-01 challenge
2024/06/06 19:26:09 [INFO] [theturners.org] acme: Preparing to solve DNS-01
2024/06/06 19:26:10 [INFO] [theturners.org] acme: Cleaning DNS-01 challenge
2024/06/06 19:26:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916557
2024/06/06 19:26:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916567
2024/06/06 19:26:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916577
2024/06/06 19:26:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916587
2024/06/06 19:26:10 Could not obtain certificates:
error: one or more domains had a problem:
[*.systypes.org] [*.systypes.org] acme: error presenting token: easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
[*.theturners.org] [*.theturners.org] acme: error presenting token: easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
[systypes.org] [systypes.org] acme: error presenting token: easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
[theturners.org] [theturners.org] acme: error presenting token: easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
$
So I'm missing credentials. Where should those go and what needs to be included? I assumed that the key and token were the credentials. Apparently that's incorrect.
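The two practical points raised above, keeping the DNS API token in a file that only root can read and making sure the credentials actually reach lego before it talks to EasyDNS, can both be checked in the wrapper script itself. The script below is an added example and is not the thread's run_lego script or anything from the lego project. It assumes, based on the lego EasyDNS provider page linked earlier (verify against your lego version), that the provider reads EASYDNS_TOKEN and EASYDNS_KEY from the environment; the credential file path /etc/lego/easydns.env, the placeholder domain and e-mail are hypothetical, and the --path value is the one that appears in the thread's own output.

```shell
#!/bin/sh
# Constructed example wrapper for lego's EasyDNS DNS-01 flow. Not the thread's
# own run_lego script. Assumes (from the lego EasyDNS provider page; verify for
# your lego version) that the provider reads EASYDNS_TOKEN and EASYDNS_KEY from
# the environment, and keeps both in one root-owned file nobody else can read.

CRED_FILE="${CRED_FILE:-/etc/lego/easydns.env}"          # hypothetical location
LEGO_PATH="${LEGO_PATH:-/var/snap/lego/common/.lego}"    # path seen in the thread's output
DOMAIN="${DOMAIN:-example.org}"                          # placeholder domain
EMAIL="${EMAIL:-admin@example.org}"                      # placeholder account e-mail

# file_mode FILE: print the octal permission bits (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_credential_file FILE: succeed only if FILE exists and is readable by
# its owner alone (mode 0400 or 0600). A wider mode exposes the DNS API token,
# which on many providers can rewrite every record in the zone.
check_credential_file() {
    f="$1"
    [ -f "$f" ] || { echo "credential file $f is missing" >&2; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "credential file $f is mode $mode; it must be 0600 or 0400" >&2; return 1 ;;
    esac
}

# load_credentials FILE: source KEY=VALUE lines and require both variables.
# Failing here is the locally detectable form of the thread's "did NOT provide
# any credentials" error, caught before any request reaches EasyDNS.
load_credentials() {
    f="$1"
    check_credential_file "$f" || return 1
    case "$f" in */*) ;; *) f="./$f" ;; esac   # '.' searches PATH for bare names
    # shellcheck disable=SC1090
    . "$f"
    if [ -z "${EASYDNS_TOKEN:-}" ] || [ -z "${EASYDNS_KEY:-}" ]; then
        echo "EASYDNS_TOKEN and EASYDNS_KEY must both be set in $f" >&2
        return 1
    fi
    export EASYDNS_TOKEN EASYDNS_KEY
}

# run_lego: load credentials into this process only, then hand over to lego.
# exec keeps the secrets out of a lingering parent shell.
run_lego() {
    load_credentials "$CRED_FILE" || return 1
    exec lego --path "$LEGO_PATH" --email "$EMAIL" --dns easydns \
        --domains "$DOMAIN" --domains "*.$DOMAIN" run
}

# Only act when invoked as "./run_lego.sh run", so sourcing the file for
# inspection or testing does not start a certificate request.
case "${1:-}" in
    run) run_lego ;;
esac
```

Run it as root (sudo ./run_lego.sh run) so that both the credential file and the lego account directory under /var/snap/lego/common/.lego are readable by the same user; the first "permission denied" in the thread came from an unprivileged run against that root-owned key. Reading the token from a file inside the script, rather than exporting it in an interactive shell, also sidesteps sudo's default environment reset, which drops variables set in the calling user's shell and is a common way to end up with no credentials in the request.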
I've given up trying to get Certbot running with the "--dns" method. I fell back on the basic "sudo certbot --nginx" command and things sort of worked. (Once I selected the domains correctly, that is.) Not sure what the "--dns" method is good for. I guess it works for some but the documentation on how to use it, IMHO, needs work.
Anyway... I'm satisfied that this thread could be closed out.