DNS validation - no CNAME record shows

Hi, the problem is that I didn't receive this type of message:

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.your-domain CNAME a15ce5b2-f170-4c91-97bf-09a5764a88f6.auth.acme-dns.io.

Waiting for verification ...

But after this message:


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges
Press Enter to Continue

It tells me to manually edit the file acme-dns-auth.py; I don't know what I should edit there. After pressing Enter in cmd, I received the message below:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: e.reportergazeta.pl
  Type: dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.e.reportergazeta.pl - check that a DNS record exists for this domain...

My domain is:
e.reportergazeta.pl
I ran this command:
certbot certonly --manual --manual-auth-hook /bin/etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d e.reportergazeta.pl
It produced this output:

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges
Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: e.reportergazeta.pl
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.e.reportergazeta.pl - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

My web server is (include version):
I don't know
The operating system my web server runs on is (include version):
I don't know
My hosting provider, if applicable, is:
nazwa.pl
I can login to a root shell on my machine (yes or no, or I don't know):
YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.20.0

Hi @dagerr and welcome to the LE community forum :slight_smile:

It seems the problem is within DNS.
I find that "e.reportergazeta.pl" is a CNAME to "gazetareporter.azurewebsites.net".
As such anything left of that should be handled by the DNS servers for the CNAME (not your DNS).

So I'm not sure if this was done by you or if this would even be seen by anyone on the Internet:

Checking for "_acme-challenge.e.reportergazeta.pl" returns NXD.

And to complicate matters even more (yeah, there is more!):
"gazetareporter.azurewebsites.net" is a CNAME to "waws-prod-db3-049.vip.azurewebsites.windows.net"

1 Like

I'm not entirely sure if a subdomain of a CNAME is allowed. E.g.:

foo.example.com IN CNAME blahblah
bar.foo.example.com IN A 192.0.2.1

Is that even allowed? I think it is, but I'm not entirely sure.

2 Likes

It is correct; it is a kind of external service provider.

OK, so is it possible to generate my SSL certificate, or should the owner of gazetareporter.azurewebsites.net do that? I want to mention that in ZeroSSL it was possible for me to generate a certificate this way, but I've reached a limit.

What limit have you reached with ZeroSSL?

1 Like

It should be possible...
It is just a bit confusing to me:

e.reportergazeta.pl is a CNAME to gazetareporter.azurewebsites.net
gazetareporter.azurewebsites.net is a CNAME to waws-prod-db3-049.vip.azurewebsites.windows.net
waws-prod-db3-049.vip.azurewebsites.windows.net is a CNAME to waws-prod-db3-049.cloudapp.net
1 Like

3 times per domain

I don't know why it looks like that. It should be OK. It's working fine.

So 90 days times 3 is their limit?
[if so, that is sad!]

What is working "fine" has nothing to do with the required changes to validate via DNS authentication.
What is working is:

  • DNS resolution
    You can get an IP for a name (after following a few CNAMEs)
  • HTTP(S) connectivity
    You can establish connections with web services via the IP(s) resolved.

What is NOT working:

  • automated DNS updates via API
    You are unable to update _acme-challenge.e.reportergazeta.pl with the required TXT entry to satisfy the DNS authentication.

My question to you is:
Can you even manually create a functional TXT entry for: _acme-challenge.e.reportergazeta.pl ?

1 Like
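The CNAME chain described earlier in the thread and the "what works / what does not" breakdown above can be checked offline before submitting a challenge. The following is an added example, not code from the thread or from certbot/acme-dns: it follows CNAMEs over a constructed zone snapshot (the names, UUID and token below are made up) and reports what a CA would see for a TXT query on `_acme-challenge.<domain>`. It also shows that a CNAME at `e.example.test` does not affect the separate owner name `_acme-challenge.e.example.test`, which is why a manually added TXT there resolves.

```python
# Offline pre-flight check for the acme-dns style DNS-01 setup discussed above.
# The zone below is CONSTRUCTED sample data, not the thread's real zones.
from typing import Dict, List, Tuple

# Constructed snapshot: owner name -> list of (type, rdata).
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "e.example.test.": [("CNAME", "app.example-host.test.")],
    "app.example-host.test.": [("A", "192.0.2.10")],
    # acme-dns style delegation: the challenge name is a CNAME into the acme-dns zone
    "_acme-challenge.e.example.test.": [("CNAME", "0000-uuid.auth.acme-dns.test.")],
    "0000-uuid.auth.acme-dns.test.": [("TXT", "constructed-challenge-token")],
    # a name with no challenge record at all, reproducing the NXDOMAIN in the thread
    "www.example.test.": [("A", "192.0.2.11")],
}

def lookup_txt(name: str, zone=ZONE, max_hops: int = 8):
    """Follow CNAMEs from `name` and report what a CA would see for a TXT query.

    Returns (status, chain, txt_values) where status is "TXT", "NXDOMAIN",
    "NODATA" (name exists but carries no TXT) or "LOOP" (CNAME cycle / too deep).
    """
    chain = [name]
    for _ in range(max_hops):
        rrset = zone.get(name)
        if rrset is None:
            return "NXDOMAIN", chain, []
        cname = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if cname:
            name = cname[0]
            if name in chain:
                return "LOOP", chain, []
            chain.append(name)
            continue
        txt = [rdata for rtype, rdata in rrset if rtype == "TXT"]
        return ("TXT" if txt else "NODATA"), chain, txt
    return "LOOP", chain, []

def check_challenge(domain: str, zone=ZONE):
    """Look up the DNS-01 challenge name for `domain` (hypothetical helper)."""
    return lookup_txt(f"_acme-challenge.{domain.rstrip('.')}.", zone)

if __name__ == "__main__":
    for d in ("e.example.test", "www.example.test"):
        status, chain, txt = check_challenge(d)
        print(d, status, " -> ".join(chain), txt)
```

Against a live zone the same logic maps onto a TXT query with `dig` or dnspython; an `NXDOMAIN` result here is exactly the condition Let's Encrypt reported in this thread.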

I can write it / paste it via the terminal at my hosting/domain provider, but I can't create it (certbot can't create the TXT) like I said at the beginning.

If you can make one manually, please do so.
I would like to see it in action.

1 Like

OK, so what should I write in the value field?

Something simple, like:
"thisIsAtest"

1 Like

Well, that was easy:

_acme-challenge.e.reportergazeta.pl     text =
        "thisIsAtest"

_acme-challenge.e.reportergazeta.pl. 3600 IN TXT "thisIsAtest"
1 Like

It is done

I saw it immediately.
hmm...

So can you test your API?
Have it create an entry for you.
[not via certbot]

And you can delete that test entry - thanks.

1 Like

I don't know how to do that; what is this?

The DNS Service Provider (DSP) should have given you some credentials (API keys).
They might also provide a sample code/program to test those keys with.
Look for anything related to that on their site.
[maybe written in PHP/PERL/Python or some other scripting language]

1 Like

So if OP can manually add a TXT record, why was the following instruction not followed?

It doesn't leave much to the imagination, I suppose?

2 Likes