Environment validation

My domain is: antoniogarcia.art

I ran this command: sudo certbot certonly --manual --preferred-challenges dns --debug-challenges -d \*.antoniogarcia.art -d antoniogarcia.art

It produced this output:
...
Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. antoniogarcia.art (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.antoniogarcia.art - check that a DNS record exists for this domain, antoniogarcia.art (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.antoniogarcia.art - check that a DNS record exists for this domain

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: antoniogarcia.art
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.antoniogarcia.art - check that a DNS record exists
    for this domain

    Domain: antoniogarcia.art
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.antoniogarcia.art - check that a DNS record exists
    for this domain

My web server is (include version): nginx version: nginx/1.14.2

The operating system my web server runs on is (include version):
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="RaspbianForums - Raspbian"
BUG_REPORT_URL="RaspbianBugs - Raspbian"

My hosting provider, if applicable, is: My own Raspberry Pi Zero W

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I have tried multiple ways to get the certificate, to no avail. The first one was what I thought was the simplest: sudo certbot --nginx. Failed. Then I tried other procedures that I found in the documentation and in this community. I show here the last one. I do not mind continuing to work and search, but I would like to know whether or not what I intend is possible.
My question: Is it possible to get a certificate for the following environment:
My domain registrar is Namecheap. I have access to the DNS records.
My Raspberry Pi IP address is dynamic
My ISP router includes a No-IP ddns client, then I created a No-IP account and host: puerta01.ddns.net
So the path is: antoniogarcia.art has a DNS URL redirect record for host @ that points to puerta01.ddns.net - puerta01.ddns.net points to whatever IP address my router presents - the router forwards port 80 to my Raspberry Pi.

Can I get a certificate in these conditions?
Thanks a lot, I have already spent a lot of time trying to secure my site. It would be great to know it is feasible.

Yes, maybe, depending on how the redirect works. If you use a CNAME (but you can't use antoniogarcia.art, you'll have to use www.antoniogarcia.art) or ANAME (support depends on DNS provider), then you can in any case and your website will be served under your actual domain and the ddns domain will be hidden to everybody.

But the question is another one. Do you actually need a wildcard certificate?

2 Likes

No, I do not necessarily need a wildcard certificate. My first try was just "sudo certbot --nginx", but failed. With another procedure, I do not remember which one of the many I tried, I was directed to create a CNAME record, I did, but also failed.
Raspberry Pi Zero W does not support Snap.
For these reasons I tried manual, and the wildcard asked me to create a TXT record, and I tried.

Thanks a lot for your advice.

1 Like

This seems to be the easiest method, let's focus on that. Can you post the output of that command?

2 Likes

You can use pip, or there are a lot of options... ACME Client Implementations - Let's Encrypt

1 Like

Thank you for your response.
This is the output of the command.

pi@puerta01:~/webfiles $ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: antoniogarcia.art
2: www.antoniogarcia.art


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.antoniogarcia.art
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.antoniogarcia.art (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.antoniogarcia.art/.well-known/acme-challenge/ao18D8s0Ab5duCjSdJKBhaKPqT2ADb0dk8-HtwzZM_k [192.64.119.109]: "\n\n \n "

IMPORTANT NOTES:

1 Like

Thank you for your response.
I am not an expert in any way, this is why I tried the easiest ways I found.

1 Like

This error is caused by the NameCheap URL forwarder. Your RPi needs to be accessible from the hostname directly. I.e.: the hostname should point to your IP somehow. You can use HTTP redirects using the Location: header or use the DNS using e.g. CNAMEs to point to a different hostname, but you cannot use HTML redirect services such as the NameCheap URL forwarder. (It's using an HTML <frameset> to show your website at http://puerta01.ddns.net/ in their HTML page. This is not compatible with ACME.)

Best way to solve this IMO is for antoniogarcia.art and www.antoniogarcia.art to be a CNAME to puerta01.ddns.net.

3 Likes
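To make the failure above concrete, here is an added example (not code from this thread, from Certbot, or from Let's Encrypt) that reproduces what an ACME server compares against during http-01 and dns-01 validation, per RFC 8555. The token is the one visible in the certbot output earlier in the thread; the account key coordinates are constructed placeholders, not a real key. With this you can see why a forwarder's frameset page (or the empty body it returned here) fails http-01, and why a missing TXT record fails dns-01 with NXDOMAIN as in the first post.

```python
"""Added example: model of ACME http-01 / dns-01 server-side validation."""
import base64
import hashlib
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) encodes everything."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: the value the client must prove it controls."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def expected_http01_body(token: str, account_jwk: dict) -> str:
    """Body the server expects at http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def expected_dns01_txt(token: str, account_jwk: dict) -> str:
    """TXT value expected at _acme-challenge.<domain>: base64url(SHA-256(keyauth))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def check_http01(body: str, token: str, account_jwk: dict) -> tuple[bool, str]:
    """Server-side comparison; trailing whitespace after the body is ignored (RFC 8555 8.3)."""
    if body.rstrip() == expected_http01_body(token, account_jwk):
        return True, "http-01: key authorization matches"
    lowered = body.lower()
    if "<frameset" in lowered or "<html" in lowered:
        return False, "http-01: got an HTML page (URL forwarder/frameset), not the key authorization"
    return False, f"http-01: invalid response {body!r}"


def check_dns01(txt_records: Optional[list[str]], token: str,
                account_jwk: dict) -> tuple[bool, str]:
    """txt_records=None models NXDOMAIN; an empty list models a name with no TXT data."""
    if txt_records is None:
        return False, "dns-01: NXDOMAIN looking up TXT for _acme-challenge.<domain>"
    if expected_dns01_txt(token, account_jwk) in txt_records:
        return True, "dns-01: TXT record matches"
    return False, "dns-01: TXT records present but none match the expected value"


# Constructed placeholder account key (NOT a real key) and the token from the thread's output.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
TOKEN = "ao18D8s0Ab5duCjSdJKBhaKPqT2ADb0dk8-HtwzZM_k"

if __name__ == "__main__":
    # What the forwarder actually returned in the thread: an (effectively) empty body.
    print(check_http01("\n\n \n ", TOKEN, ACCOUNT_JWK))
    print(check_http01(expected_http01_body(TOKEN, ACCOUNT_JWK), TOKEN, ACCOUNT_JWK))
    # NXDOMAIN, as in the first post's dns-01 attempt, versus a correctly published TXT.
    print(check_dns01(None, TOKEN, ACCOUNT_JWK))
    print(check_dns01([expected_dns01_txt(TOKEN, ACCOUNT_JWK)], TOKEN, ACCOUNT_JWK))
```

The practical takeaway: the validator fetches a fixed path on the hostname in the certificate request and needs the exact key authorization string back. Anything that answers on the provider's servers instead of on the Pi, such as a frameset forwarder, cannot return it, no matter how the page looks in a browser.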

I created a CNAME for www.antoniogarcia.art (not yet for antoniogarcia.art) and it worked. GREAT!
Now I will try to get a certificate for antoniogarcia.art. Do I need to repeat the procedure for antoniogarcia.art or can I extend the existing certificate?

Thanks A LOT.

2 Likes

Very good!

I recommend expanding the existing certificate. Just use both hostnames with two separate -d options (or both hostnames separated with a comma after a single -d option, your choice) and use the --expand option. And I believe you need to add the --nginx option again too :roll_eyes:

So it would become:

sudo certbot --nginx --expand -d antoniogarcia.art -d www.antoniogarcia.art

3 Likes

It worked fine. GREAT HELP! Thanks again.
Best regards.

3 Likes

You cannot create a CNAME on the apex domain. See if your DNS provider has an ANAME record.

1 Like

Thank you for your response.
The command I got from Osiris's help:
sudo certbot --nginx --expand -d antoniogarcia.art -d www.antoniogarcia.art
worked without errors but you are right, antoniogarcia.art did not work with the CNAME record.
I used a URL redirect record pointing @ to www.antoniogarcia.art, that was working, and now antoniogarcia.art works as well. Not that I really know what I am doing but it seems to work for me by now. Any other advice for a better configuration that I should use would be appreciated.

Thank you both.
Best regards.

Oops! I said too quickly antoniogarcia.art worked. It does not. I need to study further what I am doing, and probably will need to come back here with a more precise question.

1 Like

I do not know if you see my reply to 9peppe (I am not very much familiar with the community yet). This is only to keep you informed.

1 Like

About your www.antoniogarcia.art please note: if you use a CNAME, you cannot use any other record.

Don't add a CNAME and an A record at the same time.

2 Likes

Thank you for your help.

Not that I very much know what I am doing, but what I have now in my Namecheap Advanced DNS panel is:

Type Host Value TTL
ALIAS Record @ www.antoniogarcia.art. 5 min
CNAME Record www puerta01.ddns.net. Automatic

I added the CNAME record according to Osiris's advice. It worked fine. Then, because of your comment about the ANAME record, I added the ALIAS record (I think it may be how Namecheap names the ANAME records), pointing to the www.antoniogarcia.art that was already working. All seems to work for me now.
Best regards.

1 Like
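The rules given in this thread (no CNAME on the apex, no CNAME next to any other record at the same name, ALIAS/ANAME as the provider-specific apex substitute, and URL Redirect records not usable for ACME validation) are easy to check before running certbot. The following added example is not code from the thread, from Certbot, or from Namecheap; it lints a record set written the way the Advanced DNS panel above shows it (type, host, value, with values as absolute names ending in a dot) and follows CNAME/ALIAS chains inside the zone to the hostname validation will actually reach. The zone name and the record dictionaries are taken from the thread; the function and field names are this example's own.

```python
"""Added example: lint a panel-style DNS record set for ACME validation pitfalls."""
from typing import Optional

ZONE = "antoniogarcia.art"
# Record types that name another host and can therefore be followed.
POINTER_TYPES = {"CNAME", "ALIAS", "ANAME"}


def fqdn(host: str) -> str:
    """Map a panel-style host ('@', 'www', or an absolute name) to a fully qualified name."""
    if host == "@":
        return ZONE + "."
    if host.endswith("."):
        return host
    return f"{host}.{ZONE}."


def lint_records(records: list[dict]) -> list[str]:
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    by_host: dict[str, list[dict]] = {}
    for r in records:
        by_host.setdefault(r["host"], []).append(r)
    for host, recs in by_host.items():
        types = [r["type"] for r in recs]
        if host == "@" and "CNAME" in types:
            problems.append("@: CNAME is not allowed on the apex; use ALIAS/ANAME if the provider offers it")
        if "CNAME" in types and len(recs) > 1:
            problems.append(f"{host}: a CNAME cannot coexist with other records "
                            f"({', '.join(sorted(set(types)))})")
        if "URL Redirect" in types:
            problems.append(f"{host}: URL Redirect is answered by the provider's servers, "
                            "so http-01 never reaches the Pi")
    return problems


def resolve_in_zone(records: list[dict], host: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAME/ALIAS/ANAME records inside the zone.

    Returns the final name: either a name that has left the zone (the ddns host)
    or an in-zone name carrying an A/AAAA record. Returns None on a loop or a
    dead end (an in-zone name with no records)."""
    name = fqdn(host)
    seen: set[str] = set()
    for _ in range(max_hops):
        if name in seen:
            return None  # CNAME loop
        seen.add(name)
        recs = [r for r in records if fqdn(r["host"]) == name]
        pointers = [r for r in recs if r["type"] in POINTER_TYPES]
        if not pointers:
            if any(r["type"] in ("A", "AAAA") for r in recs):
                return name
            if name != ZONE + "." and not name.endswith("." + ZONE + "."):
                return name  # outside the zone: resolved elsewhere (e.g. No-IP)
            return None  # in-zone name with nothing behind it
        value = pointers[0]["value"]
        name = value if value.endswith(".") else value + "."
    return None  # chain too long


# The record set from the last post of the thread.
FINAL = [
    {"type": "ALIAS", "host": "@", "value": "www.antoniogarcia.art."},
    {"type": "CNAME", "host": "www", "value": "puerta01.ddns.net."},
]

if __name__ == "__main__":
    print("problems:", lint_records(FINAL))
    print("@   ->", resolve_in_zone(FINAL, "@"))
    print("www ->", resolve_in_zone(FINAL, "www"))
```

Run against the final record set it reports no problems and resolves both the apex and www to puerta01.ddns.net., which is exactly what http-01 needs: the validator ends up at the No-IP name that tracks the router's current address. The intermediate configurations from the thread (a CNAME at @, a URL Redirect at @, or a CNAME and an A record both at www) each produce a finding.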
