Failed authorization - DNS problem: NXDOMAIN looking up TXT

kswat · August 7, 2022, 8:51am

I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.pywise.co.uk -d pywise.co.uk

It produced this output:

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.

Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. pywise.co.uk (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.pywise.co.uk - check that a DNS record exists for this domain, pywise.co.uk (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.pywise.co.uk - check that a DNS record exists for this domain

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: pywise.co.uk
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.pywise.co.uk - check that a DNS record exists for
this domain

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
google domains
I can login to a root shell on my machine (yes or no, or I don't know):
yes. I use a local VM to run above commangs and I am root user
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Background:
I did try to use lets encrypt an year ago, and I got help here . Issue was when creating custom record, automatically domain name gets suffixed . So I have to enter only _acme-challenge ( not _acme-challenge.pywise.co.uk)
As i moved to a system that gave me certificate by default. I no longer used this feature.

Now:
I have a new machine and need to manage certificate myself.

I forgot all the key steps. I did remove custom record from domain, assuming that the command will create. SO now not sure of the type - TXT or CNAME

I do see this
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for pywise.co.uk
dns-01 challenge for pywise.co.uk

but I do not remember how txt file comes, where it will get created and next steps.

Please can you help with the steps.

kswat · August 7, 2022, 12:58pm

certbot certificates gives INVALID expired

Osiris · August 7, 2022, 1:40pm

The first time you ran the acme-dns-auth.py script, it would have instructed you to set up a specific CNAME record for _acme-challenge.pywise.co.uk. Somehow this is not there. Perhaps it was, but it's gone now.

I'm not familiar with the acme-dns-auth.py script myself, but looking at the code it seems to store some info in the file /etc/letsencrypt/acmedns.json (default location, unless you manually changed it). ~~Perhaps you can find out there what the CNAME destination should be?~~ Ah yes, it's stored in the variable "fulldomain". You should set up a CNAME resource record for _acme-challenge.pywise.co.uk. with value you found in the fulldomain" variable from acmedns.json`.

kswat · August 7, 2022, 6:50pm

Thank you @Osiris for your reply.

2 things - (1) certbot certificates gives INVALID expired certificate

(2) The json file is there (as you mentioned) , but I don't remember creating TXT record ?

The custom record in domain , has Data column value matching with fulldomain value of acmedns.json

Still the same error

Failed authorization procedure. pywise.co.uk (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.pywise.co.uk

Osiris · August 7, 2022, 7:17pm

And it will stay expired, until Certbot is able to renew it, which currently fails.

For succesful use of the acme-dns principle, a CNAME should be made, not a TXT record. The acme-dns service takes care of the TXT record, the user of the CNAME record.

You should put the value of that fulldomain property as the valie of the CNAME record for _acme-challenge.pywise.co.uk. Currently, there still is no such record.

kswat · August 7, 2022, 11:08pm

Hi, I do see CNAME with acme-challenge in google domain

MikeMcQ · August 7, 2022, 11:29pm

Can you show the screen you see this in?

Because I can't find a CNAME like that. You can check yourself with google dig tool or use unboundtest

kswat · August 8, 2022, 6:37am

I did delete on Aug 6th or 7th, but I created CNAME record ( as shown ) soon after I noticed TXT error from certbot command.

Note: I use custom name servers

kswat · August 8, 2022, 6:56am

Steps 3 in this article

Is the token value of username, password, fulldomain or subdomain of acmedns.json ?

I deleted record now. please can you tell how can I avoid renewal (auto detected) and start from scratch

kswat · August 8, 2022, 8:22am

Update:
I did follow the steps in a brand new Ubuntu VM

it said to create CNAME recors with displayed value, did that and continued to validate...again got the same problem

Osiris · August 8, 2022, 8:37am

There is no such CNAME visible. Please make sure, after adding the CNAME, that it's actually there. You can use online dig tools such as @MikeMcQ already linked to above.

Also, in the screenshot you've shown above it clearly states:

Your domain isn't using these settings

Please make sure your DNS is working properly first. It also says in the tabs above:

Custom name servers (Active)

So it seems you're using custom name servers and not the proper one related to your DNS zone editor.

kswat · August 8, 2022, 8:44am

I did run
dig -t CNAME _acme-challenge.pywise.co.uk

I get some response, but cant validate because of my poor knowledge

Osiris · August 8, 2022, 8:45am

Did you see the ...auth.acme-dns.to value? If not, then it wasn't correct.

Please also see the rest of my post about your DNS zone editor apparently not working properly.

kswat · August 8, 2022, 8:51am

Please try the command.

Custom name servers are ACtive - Yes. I tried to hook my domain to Google cloud DNS (and Compute engine behind that). and I have added the 4 entries as it asked (from NS type)

Now i want SSL certificate. Are these mutually exclusive?

Osiris · August 8, 2022, 9:06am

There's no CNAME record.

So you have custom name servers active, but you're trying to add the CNAME record in the INACTIVE portion of your configuration panel? You surely must understand that's never going to work, right?

If you have custom name servers active, you must change the DNS zone in the zone editor of those custom name servers.

kswat · August 8, 2022, 12:22pm

Sorry, can you please explain more on this point. How to do

I gave the reason why custom name servers are active (with screenshot of my google domain)
The screenshot is what I see in the name server tab

Nekit · August 8, 2022, 12:47pm

$ dig ns pywise.co.uk +short
ns-cloud-e2.googledomains.com.
ns-cloud-e4.googledomains.com.
ns-cloud-e3.googledomains.com.
ns-cloud-e1.googledomains.com.

Did you set googledomainsʼ NSes as “custom” name servers?

rg305 · August 8, 2022, 12:49pm

Which DNS servers?

Against which DNS server?

kswat · August 8, 2022, 12:51pm

@nekit yes.

@rg305 Cloud DNS (google)

I dont know what you mean by which DNS server

Nekit · August 8, 2022, 12:57pm

I don't have experience with google hosting stuff, but it sounds like this setup confuses googleʼs servers. But itʼs weird that it works at all. Like the fact that it's even possible to query for A record(s) seems like a miracle.

Where would you go (which panel would you open) to change your A record for example. If you change it there, would the change actually apply?