Each time I try to copy the _acme-challenge code, I am lost and the procedure quits, now too many attempts

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
fmkortrijk.be
I ran this command:
sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d socan.fmkortrijk.be

It produced this output:
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: socan.fmkortrijk.be
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.socan.fmkortrijk.be - check that a DNS record
    exists for this domain
    root@ubuntu-2gb-nbg1-2:~# StrUUuHS-1dDwvfa05-gUZPdD5GIuPf744o2iWSPClc
    StrUUuHS-1dDwvfa05-gUZPdD5GIuPf744o2iWSPClc: command not found
    root@ubuntu-2gb-nbg1-2:~# sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d socan.fmkortrijk.be
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    An unexpected error occurred:
    There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt
    Please see the logfiles in /var/log/letsencrypt for more details.
    root@ubuntu-2gb-nbg1-2:~# sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d socan.fmkortrijk.be
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None

My web server is (include version):
Apache2 on Ubuntu 20.04

The operating system my web server runs on is (include version):
Linux, Ubuntu 20.04

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

I don't understand this one. Why are you putting the token into the command line as if it were a command?

Also, your DNS provider seems to be Cloudflare. Is it really necessary to use the manual plugin? Or the dns-01 challenge to begin with?

6 Likes

Oops... that will have been a mistake. I used Ctrl-C in Putty, maybe I needed to use just Enter after selecting. It's on my pc at home, I can try to get into it and see my history..
I copied the whole output

What do you mean, is it different with Cloudflare? Normally, for this I switch off their proxy thing to DNS-only....

So copying that string was the problem, and each time I have to try again it is different; that's why I got the text about "too many attempts".

I don't know what you mean with dns-01 challenge
I have always used this method..

Thanks, Tom

1 Like

If you really need the dns-01 challenge, there is a DNS authenticator plugin to do it for you instead of doing it manually. See User Guide — Certbot 2.6.0 documentation for more info about DNS plugins.

Usually, when not requiring a wildcard certificate (which requires the dns-01 challenge), one usually uses the http-01 challenge using either a webserver plugin authenticator or the webroot plugin, which just places a text file on a certain location on your webserver. But I see you have two separate IP addresses for your hostname, so possibly you're also using two separate webservers, which complicates the http-01 challenge a little bit. So the dns-01 challenge might be the right choice for you, but usually one knows the reason behind that :wink:

5 Likes

...but to your actual issue:

  • Did you in fact create the TXT record with that value? Because the first failure you showed indicated that you hadn't.
  • After that failure (and a few others you didn't show), you hit the rate limit for failed validations--that will reset in an hour.
  • And although it's highly unlikely to be the cause of your problem, you're using a very old version of certbot--the current release is 2.3.something.
6 Likes
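A small pre-flight check, added here as an example and not code from the thread or from Certbot: it resolves the _acme-challenge name and classifies the result, so you can confirm the TXT record is visible with exactly the value certbot printed before pressing Enter, rather than spending another attempt against the failed-validation limit. It assumes dnspython is installed for the live lookup (the `lookup` argument is there so a fake resolver can be injected); the token value is the one pasted in the thread.

```python
"""Pre-flight check for a certbot --manual dns-01 challenge.

Each failed validation counts against Let's Encrypt's failed-validation
rate limit, so verify the record first, then press Enter in certbot.
"""
import sys
from typing import Callable, List

# Token copied from the thread; every new certbot run issues a different one.
EXPECTED_TOKEN = "StrUUuHS-1dDwvfa05-gUZPdD5GIuPf744o2iWSPClc"


def challenge_name(domain: str) -> str:
    """Name certbot asks you to create the TXT record at."""
    return f"_acme-challenge.{domain.strip('.')}"


def lookup_txt_dnspython(name: str) -> List[str]:
    """Query TXT records with dnspython (assumed installed: pip install dnspython).
    Returns [] when the name does not exist (NXDOMAIN) or has no TXT records.
    Note: this goes through the system resolver, so a negative answer cached
    before you created the record can linger; querying the zone's authoritative
    nameserver directly avoids that."""
    import dns.resolver  # lazy import so the module loads without dnspython
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    # A TXT rdata may be split into several quoted strings; join them.
    return [b"".join(r.strings).decode() for r in answer]


def check_challenge(domain: str, expected: str,
                    lookup: Callable[[str], List[str]] = lookup_txt_dnspython) -> str:
    """Classify the challenge record.

    "missing"  - NXDOMAIN / no TXT (the error shown in the thread)
    "mismatch" - TXT exists but none equals the token (e.g. a stale value
                 from an earlier certbot run; each run prints a new token)
    "ok"       - the expected token is present, safe to continue in certbot
    """
    values = lookup(challenge_name(domain))
    if not values:
        return "missing"
    return "ok" if expected in values else "mismatch"


if __name__ == "__main__":
    dom, tok = sys.argv[1], sys.argv[2]  # usage: check.py <domain> <token>
    state = check_challenge(dom, tok)
    print(f"{challenge_name(dom)} -> {state}")
    sys.exit(0 if state == "ok" else 1)
```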

I see otherwise:

curl -Ii socan.fmkortrijk.be
HTTP/1.1 200 OK
Date: Wed, 01 Mar 2023 12:06:56 GMT
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/5.4.16

[that looks like CentOS]
Are you even on the right system?

[I see this is using DNS auth - no need to point that out to me - my question still stands]

5 Likes

Yes,
thanks,
But the actual issue was that I couldn't copy the TXT value from Putty without getting exited from the setup process.
If you restart it, each time you get a different value.

But now I already uninstalled my certbot version following the instructions of that certbot website tip you gave...
Now must still continue with the OVH provider instructions

The 2 hosts with different IP addresses are probably stream.twinmedia and stream2.twinmedia.be
Or if you mean the www host it is 116.203.94.31, but using it (https) is covered by Cloudflare, then you see their address, but they take care of the SSL certificate..

Regards,
Tom


2 Likes

This is an issue with PuTTY, and nothing to do with Let's Encrypt, but of course this is possible. Highlight the text and right-click on it, it's copied. Edit--looks like my memory was off (I haven't needed PuTTY for years; Windows 10 includes its own SSH client, and my Macs do as well); see:

6 Likes

That should read:

The right click will paste it and that screen is NOT where it should be pasted into.

5 Likes

Yeah, hence my edit. Long time since I used PuTTY.

5 Likes

Those are Cloudflare proxy IPs. Barring the use of an uncommon load balancing setup, both will normally still connect to the same origin server.

7 Likes

Actually socan.fmkortrijk.be is not my server but is a CNAME pointing to a server in Canada: kathy.torontocast.com [51.81.46.118]
Since it is not for web purposes but for shoutcast streaming, I think I can store the certificates anywhere, on my webserver 116.203.94.31 or the 2 stream servers,

but the problem is probably that the certificate plugin tries to store it in the webserver, which is www.fmkortrijk.be, but this IP address will be the one of Cloudflare (the closest to your environment), not the one from my VPS server (116.203.94.31)

Tom

Yes, and socan.fmkortrijk.be is actually a streaming server kathy.torontocast.com [51.81.46.118]
I want to show my own domain name for the backup stream link on the website www.fmkortrijk.be
Now it shows https://kathy.torontocast.com/fmkortrijk on the screen (this stream works at the office here, the usual player uses a high port number that doesn't make it through the firewall)

So my trick won't work I guess, unless I can make a wildcard certificate
With the old certbot command I used to use the option -d for adding two hostnames : stream and corsproxy
(but I don't need the corsproxy anymore)

Tom

What do you intend to do with the certificate if you get it? I.e., where would you install it? Do you actually have access to kathy.torontocast.com [51.81.46.118]? Because just getting a certificate is the first step, installing and using it is the next requirement.

6 Likes

Like I said, the Kathy of Torontocast is not my server and I can't install anything there.
But if I can't install it on socan.fmkortrijk.be, isn't it possible to get the certificate from www.fmkortrijk.be or another host like cert.fmkortrijk.be that is not proxied by Cloudflare?

Regards,
Tom

Then it does not seem like there is much you can do, as socan.fmkortrijk.be canonical name = kathy.torontocast.com.

$ nslookup -q=all socan.fmkortrijk.be cloe.ns.cloudflare.com.
unknown query type: all
Server:         cloe.ns.cloudflare.com.
Address:        172.64.32.86#53

socan.fmkortrijk.be     canonical name = kathy.torontocast.com.

Also please read through what Let's Debug is reporting here: https://letsdebug.net/socan.fmkortrijk.be/1392407

SSL Report: kathy.torontocast.com (51.81.46.118) here SSL Server Test: kathy.torontocast.com (Powered by Qualys SSL Labs)
SSL Report: socan.fmkortrijk.be (51.81.46.118) here SSL Server Test: socan.fmkortrijk.be (Powered by Qualys SSL Labs)

Doesn't show a SNI TLS server name https://www.cloudflare.com/learning/ssl/what-is-sni/

You are trying to validate using a DNS challenge for a domain you don't control?
If so, how do you expect that to happen?

I mean... I'm confused.
Please explain what you are trying to do [again].

3 Likes

Bruce,

Wait a minute, that CNAME entry is not proxied at Cloudflare, so where does that 172.x address come from then?

socan.fmkortrijk.be should be able to get its certificate from
www.fmkortrijk.be and that one has my Apache installation,
I then copy the needed entries in those of the Shoutcast config files

Kind regards
Tom

That is just the IP of the DNS server being queried:

It has little to do with the output of the DNS request.

4 Likes