Failed to use Let's Encrypt DNS challenge validation

On Ubuntu 20.04.3 LTS, according to the guidance here, I installed the latest git master version of certbot, and then tried the following operation, but failed:

$ sudo certbot --text --agree-tos --email you@example.com -d bp.hyddns.xyz --manual --preferred-challenges dns --expand --renew-by-default  --manual-public-ip-logging-ok certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for bp.hyddns.xyz

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.bp.hyddns.xyz.

with the following value:

G37d9-rDjaGI98dPd5f45REl8GkJ_wzYpp2R1uJfSgs

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.bp.hyddns.xyz.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: bp.hyddns.xyz
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.bp.hyddns.xyz

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I also tried solution 5 described on the above website, but it got stuck as follows:

$ apt-get install -y git ruby letsencrypt 
$ git clone https://github.com/lukas2511/dehydrated.git 
$ git clone https://github.com/jbjonesjr/letsencrypt-manual-hook.git dehydrated/hooks/manual 

$ ./dehydrated/dehydrated --register --accept-terms
#
# !! WARNING !! No main config file found, using default config!
#
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
+ Done!

$ proxychains-ng-http ./dehydrated/dehydrated -c -t dns-01 -d bp.hyddns.xyz -k ./dehydrated/hooks/manual/manual_hook.rb 
#
# !! WARNING !! No main config file found, using default config!
#
Processing bp.hyddns.xyz
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for bp.hyddns.xyz
 + 1 pending challenge(s)
 + Deploying challenge tokens...
✘ _acme-challenge.bp.hyddns.xyz: Found no TXT record
Create TXT record for the domain: '_acme-challenge.bp.hyddns.xyz'. TXT record:
'VLJla1EaaSPTI7yrS-cf2oVRdKdWURyOwhSo-O5W0z4'
Press enter when DNS has been updated...

You seem to be missing the part where you actually create the DNS record.


danb35 (December 20) wrote:

> You seem to be missing the part where you actually create the DNS record.

The DNS record has been created, so I really don't understand what you mean. See the following for more details:

$ dig bp.hyddns.xyz

; <<>> DiG 9.16.1-Ubuntu <<>> bp.hyddns.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15923
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;bp.hyddns.xyz. IN A

;; ANSWER SECTION:
bp.hyddns.xyz. 1 IN CNAME www.hyddns.xyz.
www.hyddns.xyz. 0 IN A 106.9.183.31

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Dec 20 10:29:21 CST 2021
;; MSG SIZE rcvd: 76


Hi @hongyi-zhao,

"The DNS record" that @danb35 was referring to is not the A record for your web site, but another record that the software asked you to create:

Create TXT record for the domain: '_acme-challenge.bp.hyddns.xyz'. TXT record:
'VLJla1EaaSPTI7yrS-cf2oVRdKdWURyOwhSo-O5W0z4'

Do you see that in the output from dehydrated? Creating this record with this value is required by the Let's Encrypt CA in order to prove that you (as the person requesting the certificate) control your domain. (Also, if you use this method, you will have to repeat this process every 2-3 months, because the TXT record required for proof of this when you renew your certificate is different every time.)


schoen (Former Certbot engineer, 2015-2020; December 20) wrote:

> Hi @hongyi-zhao,
>
> "The DNS record" that @danb35 was referring to is not the A record for your web site, but another record that the software asked you to create:
>
> Create TXT record for the domain: '_acme-challenge.bp.hyddns.xyz'. TXT record:
> 'VLJla1EaaSPTI7yrS-cf2oVRdKdWURyOwhSo-O5W0z4'
>
> Do you see that in the output from dehydrated? Creating this record with this value is required by the Let's Encrypt CA in order to prove that you (as the person requesting the certificate) control your domain. (Also, if you use this method, you will have to repeat this process every 2-3 months, because the TXT record required for proof of this when you renew your certificate is different every time.)

Then what's the once-and-for-all method that lets me automatically do all of this when I renew my certificate?

HZ


Each time you renew, domain "control" must be validated.
The ideal solution is to automate the validation process.
Either by HTTP or by DNS.
DNS validation is a bit trickier to automate, as it requires that the DNS Service Provider (DSP) supports updates via API and that the ACME client supports a DNS plugin that works with your DSP.
[otherwise you will have to manually enter the required DNS validation TXT record on each renewal request]
HTTP validation is simpler to automate but is still required on each renewal request.


Where and how do I manually enter the required DNS validation TXT record in my scenario? In my example discussed here, I really haven't noticed any such hint/step/information telling me to do so.


What did you understand these messages to mean, then?

In what way could those messages have been clearer that you needed to create a DNS record of type TXT, with the name _acme-challenge.bp.hyddns.xyz, and with the specified value?

The reason it doesn't tell you where and how is that it doesn't know--it doesn't know who your DNS host is, nor how you'd do it there. But the "where" is with your DNS host (which appears to be dnspod.cn), and as to the "how", you'd need to ask them.

But this is really intended to be automated, and for that to work, you need a client that can make automated updates to your DNS records. acme.sh appears to be able to do this:


@danb35 Thank you very much for your patient and enlightening explanation of my somewhat naive questions. I must admit that, although the answer to my question was in the information posted, this is the first time I have used this tool, and I did not try to understand the bunch of prompts it gives.

Now, I've successfully deployed the required DNS TXT record and received certificate manually as shown below:

$ sudo certbot --text --agree-tos --email you@example.com -d bp.hyddns.xyz --manual --preferred-challenges dns --expand --renew-by-default  --manual-public-ip-logging-ok certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for bp.hyddns.xyz

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.bp.hyddns.xyz.

with the following value:

2K29HzPOBJCeIPXhdbAo1BnnQ1oJxT5CeLFv7EoNOVE

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.bp.hyddns.xyz.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/bp.hyddns.xyz/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/bp.hyddns.xyz/privkey.pem
This certificate expires on 2022-03-20.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Before pressing the Enter key in the above step, first deploy the corresponding DNS TXT record and verify it as follows:

$ dig -t txt _acme-challenge.bp.hyddns.xyz +short
"2K29HzPOBJCeIPXhdbAo1BnnQ1oJxT5CeLFv7EoNOVE"

Also, thank you for letting me know the wonderful acme.sh tool. I'll try to use it in the future.

Regards,
HZ

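The check the thread converges on (deploy the TXT record, confirm it with `dig`, only then press Enter), as an added example that is not the poster's or Certbot's code: it computes the value the CA expects for a DNS-01 challenge from the token and account key (RFC 8555 section 8.4; the token and JWK used in the test are constructed placeholders) and scans `dig +short` output for that exact value. It assumes `dig` is installed, as on the Ubuntu host above, and that you know an authoritative nameserver for the zone if you want to bypass the local stub resolver.

```python
import base64
import hashlib
import json
import re
import subprocess
from typing import Optional

B64URL_43 = re.compile(r"^[A-Za-z0-9_-]{43}$")  # shape of a SHA-256 digest, base64url, no padding


def challenge_name(domain: str) -> str:
    """DNS-01 looks for the TXT record at _acme-challenge.<domain> (RFC 8555 s8.4)."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 of its canonical JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return _b64url(hashlib.sha256(canon.encode()).digest())


def expected_txt_value(token: str, account_jwk: dict) -> str:
    """What the CA expects to read: base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return _b64url(hashlib.sha256(key_authorization.encode()).digest())


def parse_dig_short(output: str) -> list:
    """Collect TXT strings from `dig -t txt NAME +short` output, skipping CNAME lines."""
    values = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith('"'):
            # a long TXT may be printed as several quoted chunks; join them back together
            values.append("".join(c for c in line.split('"') if c.strip()))
    return values


def record_is_deployed(dig_output: str, expected: str) -> bool:
    """True only if the exact value is present; a stale or mistyped value counts as missing."""
    return B64URL_43.match(expected) is not None and expected in parse_dig_short(dig_output)


def query_txt(name: str, nameserver: Optional[str] = None) -> str:
    """Run dig; pass the zone's authoritative server (e.g. "ns1.example") to bypass the
    local stub resolver at 127.0.0.53, which may still be caching the old answer."""
    cmd = ["dig", "-t", "txt", name, "+short"] + ([f"@{nameserver}"] if nameserver else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

Certbot's --manual-auth-hook exports CERTBOT_DOMAIN and CERTBOT_VALIDATION, so a hook can loop on `record_is_deployed(query_txt(challenge_name(domain), ns), validation)` after creating the record instead of relying on a human to wait for propagation.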

You can delete the TXT record.
It has served its purpose.


Thank you again. I don't know what happened, but the reply I just posted disappeared. Anyway, see here for the relevant description of the steps to successfully apply for a certificate based on DNS challenge.

$ sudo certbot --text --agree-tos --email you@example.com -d bp.hyddns.xyz --manual --preferred-challenges dns --expand --renew-by-default  --manual-public-ip-logging-ok certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for bp.hyddns.xyz

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.bp.hyddns.xyz.

with the following value:

2K29HzPOBJCeIPXhdbAo1BnnQ1oJxT5CeLFv7EoNOVE

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.bp.hyddns.xyz.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/bp.hyddns.xyz/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/bp.hyddns.xyz/privkey.pem
This certificate expires on 2022-03-20.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Before pressing the Enter key in the above step, first deploy the corresponding DNS TXT record and verify it as follows:

$ dig -t txt _acme-challenge.bp.hyddns.xyz +short
"2K29HzPOBJCeIPXhdbAo1BnnQ1oJxT5CeLFv7EoNOVE"

Got it. Thank you again.

