Error registering for certificate using DNS

Hello, I'm quite new to this and need some help :slight_smile:

My domain is:
gauderskins.trade

I ran this command:
sudo certbot certonly --manual --preferred-challenges dns -d gauderskins.trade

It produced this output:
root@gauderskins:~# sudo certbot certonly --manual --preferred-challenges dns -d gauderskins.trade
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for gauderskins.trade


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.gauderskins.trade with the following value:

IV1cxXxXxXxXxXxXxXxXTH4WKpfw9kBAFxXxXxXxXxXxXxX

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. gauderskins.trade (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.gauderskins.trade

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: gauderskins.trade
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.gauderskins.trade
    root@gauderskins:~#

My web server is (include version):
Ubuntu 16.04.6 x64

The operating system my web server runs on is (include version):
?

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
PuTTY 64-bit 0.71

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I did add a TXT DNS to my server on DigitalOcean before continuing the registration, like asked to in PuTTY.

TXT _acme-challenge.gauderskins.trade returns
IV1cxXxXxXxXxXxXxXxXTH4WKpfw9kBAFxXxXxXxXxXxXxX
3600

Thanks for helping, I'm stuck. Been trying for 2 days… =/ Do I have to wait 3600 seconds after adding the TXT before continuing receiving the certificate in PuTTY?

The domain uses these two nameservers:

gauderskins.trade.      3600    IN      NS      ns.datacenter.no.
gauderskins.trade.      3600    IN      NS      ns2.datacenter.no.

Are you adding the record on those nameservers?

Currently, no _acme-challenge.gauderskins.trade record exists, but you might have deleted it.

You have to wait as long as it takes for the authoritative nameservers to update. Often that's a few seconds or a few minutes.

Thank you for your reply mnordhoff!

I have finally resolved the above issue, it was my own mistake. I was sure the TXT DNS had to be written on my DigitalOcean server. After your reply I saw you were listing nameservers from my domain provider, and it finally came to me that that's where I have to do it!

So that's that!
I finally got the congratulations message and an etc/letsencrypt/live/gauderskins.trade folder with files in FileZilla.

The website is still not secure when trying to visit it by entering the URL https://gauderskins.trade
I'm guessing it will work/show within 24 hours(?).

Also, while I got you here… is there a command to have certbot auto renew my certificate? I see there's some people who have done it with nginx, but I'm not quite sure I have that installed on my system.

Cheers!

This is only part of an answer, but...

It'll work as soon as you set it up. When you use "certbot certonly", you have to configure your web server software to use the certificate.

(Certbot also supports automatically configuring Apache or Nginx, but it shouldn't be hard to do on your own.)

Certbot can usually automatically renew certificates, but not when manual validation is used. You have to run the same Certbot command every 2-3 months and manually update your DNS records and manually reload your web server or whatever.

It looks like your website uses Express, and someone else will have to suggest which way forward to take. You certainly have options, including:

  • Configure the web server to serve static files for http://gauderskins.trade/.well-known/acme-challenge/ and use Certbot's webroot plugin.

  • Switch to DigitalOcean's DNS service and use Certbot's dns-digitalocean plugin.

  • Run a separate web server in front of Express, like Nginx, and manage HTTPS through that.


Hello!

I've rebuilt my droplet on DigitalOcean and uploaded my website again and installed apache2 and certbot. I have received my certificates and added the DNS verification with my domain provider. When running the command in PuTTY, I didn't get the option to pick "2" redirect all HTTP traffic to HTTPS. I received this message instead of being able to continue the redirecting process.

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.gauderskins.trade (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.gauderskins.trade

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.gauderskins.trade
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.www.gauderskins.trade
    root@gauderskins:~# sudo certbot certonly --manual --preferred-challenges dns -d gauderskins.trade
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Attempting to parse the version 0.33.1 renewal configuration file found at /etc/letsencrypt/renewal/gauderskins.trade.conf with version 0.31.0 of Certbot. This might not work.
    Cert not yet due for renewal

Now I have requested the certificate too many times and can't continue, I'm kinda stuck. Anyone know what I'm missing? =(

Hi @MoenTV

Your non-www looks good:

TXT - Entries

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| gauderskins.trade | v=spf1 include:spf.webhuset.no -all | ok | 1 | 0 |
| gauderskins.trade | google-site-verification=fA_-NZVxymS1eb9k-NBrEcrx2SLfUBqKW5yzn2osm_s | ok | 1 | 0 |
| www.gauderskins.trade | google-site-verification=fA_-NZVxymS1eb9k-NBrEcrx2SLfUBqKW5yzn2osm_s | ok | 1 | 0 |
| _acme-challenge.gauderskins.trade | HYI7rs4kOY3Zma4GGvzFcpAY4m8Woco7tj17y74RgwM | looks good | 1 | 0 |
| _acme-challenge.www.gauderskins.trade | | Name Error - The domain name does not exist | 1 | 0 |

But your www - version isn't visible.

If you want to create one certificate with both domain names

gauderskins.trade
www.gauderskins.trade

you have to create two new dns entries:

_acme-challenge.gauderskins.trade
_acme-challenge.www.gauderskins.trade

Both entries must be online.

PS: Use --test-cert.
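An added pre-flight check (example script written for this thread, not Certbot's own code or anything posted above) for the two points raised in the replies: the TXT record has to be visible on the domain's authoritative nameservers, and a certificate covering both the apex and www needs its own _acme-challenge record for each name. It assumes dig (package dnsutils on Ubuntu) is installed; the function names and the www-to-apex shortcut are the script's own assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a certbot dns-01 challenge.
# Let's Encrypt asks the zone's authoritative nameservers, so a record
# added in the wrong place (e.g. on the droplet instead of at the domain
# provider) or one not yet on every authoritative server yields NXDOMAIN.

# Print the TXT strings from `dig +short TXT` output, one per line, with
# the quotes removed and split strings ("abc" "def") rejoined.
txt_values() {
  printf '%s\n' "$1" | sed 's/" "//g; s/^"//; s/"$//; /^$/d'
}

# Succeed (exit 0) only if the expected token is one of the TXT values;
# a partial or prefix match does not count.
acme_txt_present() {
  txt_values "$1" | grep -Fqx -- "$2"
}

# Each name on the certificate gets its own record: the www name is
# validated at _acme-challenge.www.<apex>, not at the apex record.
challenge_name() {
  printf '_acme-challenge.%s' "$1"
}

# Live check: ask every authoritative nameserver of the apex zone for
# the challenge record of the given name and compare it with the token.
# Assumption: the apex is the name with a leading "www." stripped.
check_live() {
  name=$1; token=$2
  apex=$(printf '%s' "$name" | sed 's/^www\.//')
  rec=$(challenge_name "$name")
  rc=0
  for ns in $(dig +short NS "$apex"); do
    if acme_txt_present "$(dig +short @"$ns" TXT "$rec")" "$token"; then
      echo "ok       $ns  $rec"
    else
      echo "MISSING  $ns  $rec"; rc=1
    fi
  done
  return $rc
}

# Usage: sh acme_txt_check.sh www.gauderskins.trade <token shown by certbot>
if [ "$#" -eq 2 ]; then
  check_live "$1" "$2"
fi
```

Run it once per name on the certificate and only press Enter in certbot when every nameserver reports ok; a MISSING line from one server means the challenge can still fail even though your own resolver already sees the record.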

Thanks for pointing that out! DNS verification for www - version added.

Ran certbot --test-cert command and got this answer after adding my email address for urgent renewal and security notices:

An unexpected error occurred:
UnicodeDecodeError: ‘utf-8’ codec can’t decode byte 0xc2 in position 7: invalid continuation byte
Please see the logfiles

Looks like your mail address has non-ascii characters.

Use --test-cert with your other parameters. Then you use the test system. The certificate isn't valid. But the test system has its own (higher) limits.

My email has no non-ascii characters, it worked fine before :slight_smile:

Here's a copy of the last part of my letsencrypt.log:

Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1111, in run
le_client = _init_le_client(config, authenticator, installer)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 605, in _init_le_client
acc, acme = _determine_account(config)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 518, in _determine_account
config.email = display_ops.get_email()
File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 53, in get_email
force_interactive=True)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 180, in input
ans = input_with_timeout(message)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 82, in input_with_timeout
line = compat.readline_with_timeout(timeout, prompt)
File "/usr/lib/python3/dist-packages/certbot/compat.py", line 111, in readline_with_timeout
return rlist[0].readline()
File "/usr/lib/python3.5/codecs.py", line 321, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xc2 in position 7: invalid continuation byte
2019-04-07 19:16:49,047:ERROR:certbot.log:An unexpected error occurred:

0xc2 is Â, that's a non-ascii character. Or your terminal has curious settings.

PS: Looks like a typo - ^ + A = Â

I took a step back and deleted my TXT DNS and redid the verification. Added the DNS string again for my domain.

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/gauderskins.trade/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/gauderskins.trade/privkey.pem
    Your cert will expire on 2019-07-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

root@gauderskins:~#

That looks good? But I still didn't get the option in the command window to redirect all traffic to HTTPS, I sense I have seen that option during the verification process at one point.

How do I now go about it, as it seems the certificate verification process is OK?

When I enter my website with http it works fine, but with https it still shows as

ERR_CONNECTION_REFUSED

Exactly what Certbot command did you run?

certbot -d gauderskins.trade -d www.gauderskins.trade --manual --preferred-challenges dns certonly

“certbot certonly --manual” doesn’t configure your web server automatically. That’s left to you.

“certbot -a manual -i apache” or “-i nginx” would use the manual authenticator and apache or nginx installer.

Or you can just configure the web server by hand.

Edit: But if the web server is Express, Certbot doesn’t know how to configure it, and you have to do it by hand.

What would it look like for it to configure it automatically? I have no issues configuring it myself as well, if a guide exists.

I'm using DigitalOcean, so that end is fine :slight_smile:

EDIT: I have found so many guides online that I'm not quite sure which one to choose anymore.
