Failed authorization - DNS problem: NXDOMAIN looking up TXT

Help
1

My domain is: pywise.co.uk

I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.pywise.co.uk -d pywise.co.uk

It produced this output:

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.

Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. pywise.co.uk (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.pywise.co.uk - check that a DNS record exists for this domain, pywise.co.uk (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.pywise.co.uk - check that a DNS record exists for this domain

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: pywise.co.uk
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.pywise.co.uk - check that a DNS record exists for
    this domain

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
google domains
I can login to a root shell on my machine (yes or no, or I don't know):
yes. I use a local VM to run above commangs and I am root user
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Background:
I did try to use lets encrypt an year ago, and I got help here . Issue was when creating custom record, automatically domain name gets suffixed . So I have to enter only _acme-challenge ( not _acme-challenge.pywise.co.uk)
As i moved to a system that gave me certificate by default. I no longer used this feature.

Now:
I have a new machine and need to manage certificate myself.

I forgot all the key steps. I did remove custom record from domain, assuming that the command will create. SO now not sure of the type - TXT or CNAME

I do see this
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for pywise.co.uk
dns-01 challenge for pywise.co.uk

but I do not remember how txt file comes, where it will get created and next steps.

Please can you help with the steps.

2

image
certbot certificates gives INVALID expired

3

The first time you ran the acme-dns-auth.py script, it would have instructed you to set up a specific CNAME record for _acme-challenge.pywise.co.uk. Somehow this is not there. Perhaps it was, but it's gone now.

I'm not familiar with the acme-dns-auth.py script myself, but looking at the code it seems to store some info in the file /etc/letsencrypt/acmedns.json (default location, unless you manually changed it). Perhaps you can find out there what the CNAME destination should be? Ah yes, it's stored in the variable "fulldomain". You should set up a CNAME resource record for _acme-challenge.pywise.co.uk. with value you found in the fulldomain" variable from acmedns.json`.

4 Likes
4

Thank you @Osiris for your reply.

2 things - (1) certbot certificates gives INVALID expired certificate

(2) The json file is there (as you mentioned) , but I don't remember creating TXT record ?

The custom record in domain , has Data column value matching with fulldomain value of acmedns.json

Still the same error

Failed authorization procedure. pywise.co.uk (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.pywise.co.uk

1 Like
5

And it will stay expired, until Certbot is able to renew it, which currently fails.

For succesful use of the acme-dns principle, a CNAME should be made, not a TXT record. The acme-dns service takes care of the TXT record, the user of the CNAME record.

You should put the value of that fulldomain property as the valie of the CNAME record for _acme-challenge.pywise.co.uk. Currently, there still is no such record.

4 Likes
6

Hi, I do see CNAME with acme-challenge in google domain

7

Can you show the screen you see this in?

Because I can't find a CNAME like that. You can check yourself with google dig tool or use unboundtest

3 Likes
8

image
image924Ă—763 44.1 KB

I did delete on Aug 6th or 7th, but I created CNAME record ( as shown ) soon after I noticed TXT error from certbot command.

Note: I use custom name servers

9

Steps 3 in this article

Is the token value of username, password, fulldomain or subdomain of acmedns.json ?

I deleted record now. please can you tell how can I avoid renewal (auto detected) and start from scratch

10

Update:
I did follow the steps in a brand new Ubuntu VM

it said to create CNAME recors with displayed value, did that and continued to validate...again got the same problem

image
image862Ă—875 107 KB

11

There is no such CNAME visible. Please make sure, after adding the CNAME, that it's actually there. You can use online dig tools such as @MikeMcQ already linked to above.

Also, in the screenshot you've shown above it clearly states:

Your domain isn't using these settings

Please make sure your DNS is working properly first. It also says in the tabs above:

Custom name servers (Active)

So it seems you're using custom name servers and not the proper one related to your DNS zone editor.

4 Likes
12

I did run
dig -t CNAME _acme-challenge.pywise.co.uk

I get some response, but cant validate because of my poor knowledge

13

Did you see the ...auth.acme-dns.to value? If not, then it wasn't correct.

Please also see the rest of my post about your DNS zone editor apparently not working properly.

3 Likes
14

Please try the command.

Custom name servers are ACtive - Yes. I tried to hook my domain to Google cloud DNS (and Compute engine behind that). and I have added the 4 entries as it asked (from NS type)

Now i want SSL certificate. Are these mutually exclusive?

15

There's no CNAME record.

So you have custom name servers active, but you're trying to add the CNAME record in the INACTIVE portion of your configuration panel? You surely must understand that's never going to work, right?

If you have custom name servers active, you must change the DNS zone in the zone editor of those custom name servers.

4 Likes
16

Sorry, can you please explain more on this point. How to do

I gave the reason why custom name servers are active (with screenshot of my google domain)
The screenshot is what I see in the name server tab

image
image2332Ă—1493 163 KB

17 
$ dig ns pywise.co.uk +short
ns-cloud-e2.googledomains.com.
ns-cloud-e4.googledomains.com.
ns-cloud-e3.googledomains.com.
ns-cloud-e1.googledomains.com.

Did you set googledomainsʼ NSes as “custom” name servers?

2 Likes
18

Which DNS servers?

Against which DNS server?

3 Likes
19

@nekit yes.

@rg305 Cloud DNS (google)

I dont know what you mean by which DNS server

20

I don't have experience with google hosting stuff, but it sounds like this setup confuses googleĘĽs servers. But itĘĽs weird that it works at all. Like the fact that it's even possible to query for A record(s) seems like a miracle.

Where would you go (which panel would you open) to change your A record for example. If you change it there, would the change actually apply?

1 Like