Failing DNS challenges, but DNS is okay?

My domain is:
bobbyw.name

I ran this command:
/usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation

and for diagnostics:

[root@docker-9679f6d9acfc:/]# curl ifconfig.me
207.96.108.157

[root@docker-9679f6d9acfc:/]# nslookup code.bobbyw.name
Server: 127.0.0.11
Address: 127.0.0.11:53

Non-authoritative answer:
code.bobbyw.name canonical name = bobbyw.name
Name: bobbyw.name
Address: 207.96.108.157

Non-authoritative answer:
code.bobbyw.name canonical name = bobbyw.name

It produced this output:
Challenge failed for domain code.bobbyw.name
Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Some challenges have failed.. Skipping.

My web server is (include version):
nginx-proxy-manager:latest proxying code-server

The operating system my web server runs on is (include version):
ubuntu 16.04

My hosting provider, if applicable, is:
self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.4.0


Hi @bobbywaz, and welcome to the LE community forum 🙂

This doesn't show enough detail to understand what is failing:

Please show output of:
cat /etc/letsencrypt/renewal/npm-1.conf

And the related output of:
/usr/bin/certbot certificates

This is also a bit confusing:


If you remove the --quiet when trying to renew, you should see diagnostics from Certbot that explain more about what went wrong!


So hey @schoen (Seth),
Isn't there a way to increase the error output of certbot? Forgive me for not researching this first. Something like -vvv?


Yes, that should work, but just not using --quiet should already help! 🙂


Thanks for that. The more data we can get, the better. Maybe it can help.


It should also provide a log in /var/log/letsencrypt/


To clarify, I am using a docker container called nginx-proxy-manager which is supposed to automatically renew certs when they expire, but it is not currently. The reason I am using the particular string "/usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns, http" --disable-hook-validation"
is because that's what the container uses.

When I attempt to remove the "http" and do "dns" I get the following error:

Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

When I remove the --quiet I get this as an error:


Processing /etc/letsencrypt/renewal/npm-41.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for idrac-02.bobbyw.name
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain idrac-02.bobbyw.name
http-01 challenge for idrac-02.bobbyw.name
Cleaning up challenges
Attempting to renew cert (npm-41) from /etc/letsencrypt/renewal/npm-41.conf produced an unexpected error: Some challenges have failed.. Skipping.


I have attached /var/log/letsencrypt at hastebin

It appears to work when I click the "renew" button from the web interface, but not when it boots... which is weird, and probably an issue with nginx-proxy-manager and not letsencrypt....
