I ran this command: sudo certbot certonly --manual --preferred-challenges dns --debug-challenges -d *.antoniogarcia.art -d antoniogarcia.art
It produced this output:
...
Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. antoniogarcia.art (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.antoniogarcia.art - check that a DNS record exists for this domain, antoniogarcia.art (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.antoniogarcia.art - check that a DNS record exists for this domain
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: antoniogarcia.art
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.antoniogarcia.art - check that a DNS record exists
for this domain
Domain: antoniogarcia.art
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.antoniogarcia.art - check that a DNS record exists
for this domain
My web server is (include version): nginx version: nginx/1.14.2
The operating system my web server runs on is (include version):
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="RaspbianForums - Raspbian"
BUG_REPORT_URL="RaspbianBugs - Raspbian"
My hosting provider, if applicable, is: My own Raspberry Pi Zero W
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
I have tried multiple ways to get the certificate, to no avail. The first one was what I thought was the simplest: sudo certbot --nginx. It failed. Then I tried other procedures that I found in the documentation and in this community. I show here the last one. I do not mind continuing to work and search, but I would like to know whether or not what I intend is possible. My question: Is it possible to get a certificate for the following environment:
My domain registrar is Namecheap. I have access to the DNS records.
My Raspberry Pi IP address is dynamic
My ISP router includes a No-IP ddns client, then I created a No-IP account and host: puerta01.ddns.net
So the path is: antoniogarcia.art has a DNS URL redirect record for host @ that points to puerta01.ddns.net - puerta01.ddns.net points to whatever IP address my router presents - the router forwards port 80 to my Raspberry Pi.
Can I get a certificate in these conditions?
Thanks a lot, I have already spent a lot of time trying to secure my site. It would be great to know it is feasible.
Yes, maybe, depending on how the redirect works. If you use a CNAME (but you can't use it for antoniogarcia.art; you'll have to use www.antoniogarcia.art) or an ANAME (support depends on the DNS provider), then you can in any case, and your website will be served under your actual domain, with the ddns domain hidden from everybody.
But the question is another one. Do you actually need a wildcard certificate?
No, I do not necessarily need a wildcard certificate. My first try was just "sudo certbot --nginx", but it failed. With another procedure, I do not remember which one of the many I tried, I was directed to create a CNAME record. I did, but that also failed.
The Raspberry Pi Zero W does not support Snap.
For these reasons I tried manual, and the wildcard asked me to create a TXT record, and I tried.
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.antoniogarcia.art
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.antoniogarcia.art (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.antoniogarcia.art/.well-known/acme-challenge/ao18D8s0Ab5duCjSdJKBhaKPqT2ADb0dk8-HtwzZM_k [192.64.119.109]: "\n\n \n "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
This error is caused by the Namecheap URL forwarder. Your RPi needs to be accessible from the hostname directly, i.e. the hostname should point to your IP somehow. You can use HTTP redirects using the Location: header, or use the DNS using e.g. CNAMEs to point to a different hostname, but you cannot use HTML redirect services such as the Namecheap URL forwarder. (It's using an HTML <frameset> to show your website at http://puerta01.ddns.net/ in their HTML page. This is not compatible with ACME.)
Best way to solve this IMO is for antoniogarcia.art and www.antoniogarcia.art to be a CNAME to puerta01.ddns.net.
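To make the distinction in the reply above concrete, here is an added example (not code from the thread or from Certbot) that classifies what an HTTP-01 validator would see for the challenge URL. The token is the one certbot printed in this thread; the thumbprint, the sample response bodies and their status codes are constructed for illustration.

```python
import re
from typing import Dict

# Token is the one certbot printed in this thread; the thumbprint is a constructed
# placeholder (the real value is derived from the ACME account key).
TOKEN = "ao18D8s0Ab5duCjSdJKBhaKPqT2ADb0dk8-HtwzZM_k"
THUMBPRINT = "EXAMPLE_ACCOUNT_KEY_THUMBPRINT"

# Markers of an HTML "URL forward": the page frames or meta-refreshes to the real
# site instead of redirecting at the HTTP layer.
HTML_FORWARD = re.compile(r"<\s*(frameset|frame|iframe)\b|http-equiv\s*=\s*['\"]?refresh", re.I)


def classify_http01(status: int, headers: Dict[str, str], body: str) -> str:
    """How an ACME validator would treat one response for the challenge URL.

    redirect       3xx with Location: followed, fine if the target serves the token
    token          200 whose body is the key authorization "<token>.<thumbprint>"
    html-forward   200 HTML that frames/refreshes to another site: never the token
    wrong-content  anything else (e.g. the whitespace-only body in this thread)
    """
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and h.get("location"):
        return "redirect"
    if status == 200:
        if body.strip() == f"{TOKEN}.{THUMBPRINT}":
            return "token"
        if HTML_FORWARD.search(body):
            return "html-forward"
    return "wrong-content"


# Constructed responses for the setups discussed in the thread (status codes assumed).
SAMPLES = {
    # Namecheap URL forwarder: an HTML frameset wrapping http://puerta01.ddns.net/
    "url-forwarder": (200, {"Content-Type": "text/html"},
                      '<html><frameset rows="100%"><frame src="http://puerta01.ddns.net/"></frameset></html>'),
    # An HTTP-layer redirect via Location, which ACME does follow
    "location-redirect": (301, {"Location": f"http://puerta01.ddns.net/.well-known/acme-challenge/{TOKEN}"}, ""),
    # CNAME to puerta01.ddns.net, so the Pi itself answers with the key authorization
    "cname-direct": (200, {"Content-Type": "text/plain"}, f"{TOKEN}.{THUMBPRINT}\n"),
    # The literal body certbot reported in this thread
    "observed": (200, {"Content-Type": "text/html"}, "\n\n \n "),
}


def classify_samples() -> Dict[str, str]:
    return {name: classify_http01(*resp) for name, resp in SAMPLES.items()}
```

Calling classify_samples() shows that only the CNAME and Location-redirect setups can ever satisfy the challenge; the forwarder's framed page and the whitespace body are rejected.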
I created a CNAME for www.antoniogarcia.art (not yet for antoniogarcia.art) and it worked. GREAT!
Now I will try to get a certificate for antoniogarcia.art. Do I need to repeat the procedure for antoniogarcia.art or can I extend the existing certificate?
I recommend expanding the existing certificate. Just use both hostnames with two separate -d options (or both hostnames separated with a comma after a single -d option, your choice) and use the --expand option. And I believe you need to add the --nginx option again too.
Thank you for your response.
The command I got from Osiris's help:
sudo certbot --nginx --expand -d antoniogarcia.art -d www.antoniogarcia.art
worked without errors but you are right, antoniogarcia.art did not work with the CNAME record.
I used a URL redirect record pointing @ to www.antoniogarcia.art, that was working, and now antoniogarcia.art works as well. Not that I really know what I am doing but it seems to work for me by now. Any other advice for a better configuration that I should use would be appreciated.
Thank you both.
Best regards.
Oops! I said too quickly that antoniogarcia.art worked. It does not. I need to study further what I am doing, and will probably need to come back here with a more precise question.
Not that I very much know what I am doing, but what I have now in my Namecheap Advanced DNS panel is:
Type          Host   Value                    TTL
ALIAS Record  @      www.antoniogarcia.art.   5 min
CNAME Record  www    puerta01.ddns.net.       Automatic
I added the CNAME record according to Osiris's advice. It worked fine. Then, because of your comment about the ANAME record, I added the ALIAS record (I think that may be how Namecheap names ANAME records), pointing to the www.antoniogarcia.art that was already working. All seems to work for me now.
Best regards.
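The final record set above, together with the earlier remark that a CNAME cannot be used at antoniogarcia.art itself, is modelled in this added example (not code from the thread or from Namecheap). It checks a record list for the apex-CNAME and URL-redirect problems discussed here and follows the ALIAS/CNAME chain from the apex to the ddns name; the record tuples and the record-type names are taken from the thread's DNS panel listing.

```python
from typing import Dict, List, Optional, Tuple

# Record = (type, host, value); host "@" is the zone apex antoniogarcia.art.
ZONE = "antoniogarcia.art"
Record = Tuple[str, str, str]

# The working records from the last post, and the apex-CNAME attempt that failed.
FINAL_RECORDS: List[Record] = [("ALIAS", "@", "www.antoniogarcia.art."),
                               ("CNAME", "www", "puerta01.ddns.net.")]
APEX_CNAME_RECORDS: List[Record] = [("CNAME", "@", "puerta01.ddns.net."),
                                    ("CNAME", "www", "puerta01.ddns.net.")]


def _to_fqdn(host: str) -> str:
    return ZONE if host == "@" else f"{host}.{ZONE}"


def validate_records(records: List[Record]) -> List[str]:
    """Problems to fix before running certbot, found from the records alone."""
    problems: List[str] = []
    types_by_host: Dict[str, List[str]] = {}
    for rtype, host, _ in records:
        types_by_host.setdefault(host, []).append(rtype)
    for host, types in types_by_host.items():
        # RFC 1034 3.6.2: a CNAME must be the only record at its name. The apex
        # always carries SOA and NS, so a CNAME at "@" is invalid; ALIAS/ANAME is
        # the provider-side workaround that flattens the target to A/AAAA answers.
        if "CNAME" in types and (host == "@" or len(types) > 1):
            problems.append(f"CNAME at {_to_fqdn(host)} cannot coexist with other records")
        # "URL Redirect" is an HTML forward the provider serves, not a DNS answer.
        if "URL Redirect" in types:
            problems.append(f"URL Redirect at {_to_fqdn(host)} is not DNS; ACME cannot use it")
    return problems


def resolve_target(records: List[Record], host: str, max_hops: int = 8) -> Optional[str]:
    """Follow ALIAS/CNAME hops from host until the name leaves this zone.
    Returns the external name, or None on a dangling hop or a loop."""
    name = _to_fqdn(host)
    for _ in range(max_hops):
        if name != ZONE and not name.endswith("." + ZONE):
            return name
        local = "@" if name == ZONE else name[: -len(ZONE) - 1]
        hop = next((v for t, h, v in records if h == local and t in ("ALIAS", "CNAME")), None)
        if hop is None:
            return None
        name = hop.rstrip(".")
    return None
```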