Failing DNS challenges, but DNS is okay?

bobbywaz · March 5, 2021, 5:12am

My domain is:
bobbyw.name

I ran this command:
/usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation

and for diagnostics:

[root@docker-9679f6d9acfc:/]# curl ifconfig.me
207.96.108.157

[root@docker-9679f6d9acfc:/]# nslookup code.bobbyw.name
Server: 127.0.0.11
Address: 127.0.0.11:53

Non-authoritative answer:
code.bobbyw.name canonical name = bobbyw.name
Name: bobbyw.name
Address: 207.96.108.157

Non-authoritative answer:
code.bobbyw.name canonical name = bobbyw.name

It produced this output:
Challenge failed for domain code.bobbyw.name
Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Some challenges have failed.. Skipping.

My web server is (include version):
nginx-proxy-manager:latest proxying code-server

The operating system my web server runs on is (include version):
ubuntu 16.04

My hosting provider, if applicable, is:
self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.4.0

rg305 · March 5, 2021, 6:13am

Hi @bobbywaz, and welcome to the LE community forum

This doesn't show enough detail to understand what is failing:

Please show output of:
cat /etc/letsencrypt/renewal/npm-1.conf

And the related output of:
/usr/bin/certbot certificates

This is also a bit confusing:

schoen · March 5, 2021, 8:18pm

If you remove the --quiet when trying to renew, you should see diagnostics from Certbot that explain more about what went wrong!

Rip · March 6, 2021, 2:57am

So Hey @schoen (Seth)
Isn't there a way to increase the error output of certbot? Forgive me for not reserching this first. something like -vvv ?

schoen · March 6, 2021, 3:00am

Yes, that should work, but just not using --quiet should already help!

Rip · March 6, 2021, 3:05am

Thanks for that. The more data we can get the better. Maybe It can help.

Osiris · March 6, 2021, 7:03am

It should also provide a log in /var/log/letsencrypt/

bobbywaz · March 7, 2021, 3:02am

To clarify, I am using a docker container called nginx-proxy-manager which is supposed to automatically renew certs when they expire, but it is not currently. The reason I am using the particular string "/usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns, http" --disable-hook-validation"
is because that's what the container uses.

When I attempt to remove the "http" and do "dns" I get the follow error:

Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

When I remove the --quiet I get this as an error:>

Processing /etc/letsencrypt/renewal/npm-41.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for idrac-02.bobbyw.name
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain idrac-02.bobbyw.name
http-01 challenge for idrac-02.bobbyw.name
Cleaning up challenges
Attempting to renew cert (npm-41) from /etc/letsencrypt/renewal/npm-41.conf produced an unexpected error: Some challenges have failed.. Skipping.

I have attached /var/log/letsencrypt at https://p.bobbyw.name/zekonitefa.cs

It appears to work when I click the "renew' button from the web interface, but not when it boots... which is weird, and probably an issue with nginx-proxy-manager and not letsencrypt....

rg305 · March 7, 2021, 3:35am

system · April 6, 2021, 3:35am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.