Help: This must be set up in addition to the previous challenges

I tried to start certbot within podman multiple times but STDIN wasn't attached correctly so the manual verification I was trying to do failed repeatedly. Now it is requiring me to put multiple TXT records with the same name onto the domain but GoDaddy (my registrar) won't allow that. Is there anything I can do short of running my own DNS server instead?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

ourjourney.space

I ran this command:

(Inside a docker image)
certbot/certbot certonly --manual --agree-tos --preferred-challenges dns -d ourjourney.space -d "*.ourjourney.space"

It produced this output:

(This must be set up in addition to the previous challenges)

My web server is (include version):

Not using web server here

I can login to a root shell on my machine (yes or no, or I don't know):

yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 3.1.0

Some DNS provider panels require entering a second TXT record. Some allow multiple lines in the same "value" area. I am pretty sure GoDaddy allows some method for multiple TXT. You may need to ask them if this does not help: https://www.godaddy.com/en-in/help/add-a-txt-record-19232

You can let the first attempt fail due to the second TXT RR being absent. But that first time, the first TXT should validate correctly and will be cached for 30 days. Thus you'd only need to add the second TXT RR the second time.

That said, using Certbot and the dns-01 challenge manually is not recommended. Perhaps you can try miigotu/certbot-dns-godaddy on GitHub ("A godaddy dns plugin using lexicon for certbot to authenticate and retrieve letsencrypt certificates")? (Although I see there are some severe limitations/demands to use that API, per the project's GitHub page.)

Or perhaps just use a more user-friendly DNS service provider like Cloudflare (which is free). Note that your DNS registrar and DNS provider can be different entities.
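As an added example (not code from this thread): when the order covers `ourjourney.space` and `*.ourjourney.space`, both TXT values certbot prints live under the same name, `_acme-challenge.ourjourney.space`, and both must be resolvable before you answer the "Press Enter to Continue" prompt. The POSIX shell script below checks that. It assumes `dig` (dnsutils/bind-utils) is installed and that the public resolver 1.1.1.1 is reachable for the live query; the parsing function needs no network, and the domain name and challenge values in the demonstration are constructed.

```shell
#!/bin/sh
# Added example for the thread above; not certbot's or Let's Encrypt's own code.
# Verifies that every ACME dns-01 TXT value is published before continuing
# certbot's --manual prompt. Assumptions: `dig` is installed; 1.1.1.1 answers.

# `dig +short NAME TXT` prints one "quoted" string per line. Reads that on
# stdin and prints the bare values, one per line, skipping empty lines.
bare_txt_values() {
  sed -e 's/^"//' -e 's/"$//' -e '/^$/d'
}

# missing_txt_values EXPECTED... : reads dig +short output on stdin and prints
# each expected value that is NOT present. Returns 0 when all are present,
# 1 when at least one is missing (e.g. a panel that allowed only one TXT RR).
missing_txt_values() {
  present=$(bare_txt_values)
  missing=0
  for want in "$@"; do
    if ! printf '%s\n' "$present" | grep -qxF -e "$want"; then
      printf '%s\n' "$want"
      missing=1
    fi
  done
  return $missing
}

# Live check: check_acme_txt DOMAIN VALUE... queries a public resolver.
# Point dig at the zone's authoritative servers (dig @ns1.example) instead if
# you need to bypass resolver caching.
check_acme_txt() {
  domain=$1
  shift
  dig +short @1.1.1.1 "_acme-challenge.${domain}" TXT | missing_txt_values "$@"
}

# Constructed demonstration: certbot asked for two values (apex + wildcard),
# but only the first one has been published. These are not real challenge
# tokens; real ones are 43-character base64url strings.
apex_value='constructed-value-1-not-a-real-challenge'
wild_value='constructed-value-2-not-a-real-challenge'
demo_dig_output=$(printf '"%s"\n' "$apex_value")

if printf '%s\n' "$demo_dig_output" | missing_txt_values "$apex_value" "$wild_value" >/dev/null; then
  echo "all challenge values are published; safe to press Enter"
else
  echo "at least one challenge value is still missing; do not press Enter yet"
fi
```

In real use, paste the two values certbot printed into `check_acme_txt ourjourney.space VALUE1 VALUE2` and loop until it exits 0; the function prints exactly the values that are still missing, which tells you whether the panel silently dropped the second record.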

I didn't quite follow you, you appear to be saying I could validate them one at a time. I tried that, I launched it again and now it wants a third TXT record. I was unaware Cloudflare provided free DNS services. Thank you, I will go with that option and report back once I've got it working.

I think that should be possible, yes.

Yes, the previous failed challenge would not be reused, thus a new value for the second hostname is required. It's simply a new value for the second hostname.

But where the first attempt would ask you for 2 TXT RR, the second attempt should have asked you only for 1.

I set it up using Cloudflare but I have a problem now. I didn't understand that there was no mechanism for auto-renewal with the command I was using. I suppose that's why it's not recommended!

Presumably the hook script would have needed to add new DNS records to be confirmed? Is there no way I can now automatically authenticate it? I might even try to create a hook script (do you have a good URL for that, or possibly one for Cloudflare already exists? I suppose there will be other open source ones I can examine if necessary). Can I change the certbot config to somehow use it now? Alternatively, could I let the current certificate expire, then register with an automatically renewing way?

Just use the certbot-dns-cloudflare plugin (see the certbot-dns-cloudflare documentation) if you've set up Cloudflare as your DNS provider.

Modern Certbots should have the reconfigure subcommand, which lets you re-configure (what's in a name..) the settings for a certain certificate. Should include the used authenticator.

Afterwards you can use certbot renew --dry-run to test it.

Thanks! As it's not installed by default, presumably I'll have to get it into the docker image somehow (or install certbot on the host but I'd prefer not to)? Some copy commands might be enough, I expect I can work it out from here.

Yeah, no clue how it all works with Docker.. Not a fan of those things personally :)

In case anyone else looks here, there is already a Cloudflare docker image. See here:

https://hub.docker.com/r/certbot/dns-cloudflare

I was able to get it to work but it tried to renew my other certificate too (I made a single host certificate before needing a wildcard) when I did a --dry-run. Added the renewal to my crontab. Thanks!

I do have one quick question (a bit belts and braces given the behaviour of the automated agent). Can I remove these TXT records once the domain is renewed or obtained? Certbot appears to have automatically deleted any required ones since so I assume yes, but I don't want to break it.
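As an added example (not the plugin's, certbot's, or this thread's own code) that ties together the reconfigure / `renew --dry-run` advice above and the container image and crontab setup in the last post: a POSIX shell script that writes the Cloudflare credentials file with owner-only permissions, switches the existing `--manual` certificate to the dns-cloudflare authenticator from the `certbot/dns-cloudflare` image, dry-runs a renewal, and prints a crontab line. Assumptions, labelled in the code as well: podman on an SELinux host (hence the `:Z` mount flags; docker works the same without them), the host's `/etc/letsencrypt` and `/var/lib/letsencrypt` holding the existing certbot state, a Cloudflare API token scoped to Zone:DNS:Edit for this one zone, the certificate name `ourjourney.space` from the thread, and a credentials path under `/root/.secrets`. Check the flag names against `certbot reconfigure --help` for your version.

```shell
#!/bin/sh
# Added example for the thread above; not the plugin's own code.
# Assumptions: podman on an SELinux host; certbot state under /etc/letsencrypt
# and /var/lib/letsencrypt on the host; a zone-scoped Cloudflare API token;
# the cert name ourjourney.space; flag names as in current certbot.

IMAGE=docker.io/certbot/dns-cloudflare   # image named in the thread
CREDS=/root/.secrets/cloudflare.ini      # assumed location on the host
CERT_NAME=ourjourney.space               # name from `certbot certificates`

# Write the INI file the plugin reads. The token is a long-lived secret, so
# the directory and file get no group/other access; certbot warns when the
# credentials file is readable by others.
write_cloudflare_credentials() {
  path=$1
  token=$2
  mkdir -p "$(dirname "$path")"
  chmod 700 "$(dirname "$path")"
  (umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path")
  chmod 600 "$path"   # also tightens a file that already existed too open
}

# Returns 0 if the file is owner read/write only (-rw-------), 1 otherwise.
# `ls -ld` is used because `stat` flags differ between GNU and BSD.
credentials_mode_ok() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run certbot from the plugin image with the host state mounted in. The
# credentials file is mounted read-only at a fixed path inside the container.
certbot_cf() {
  podman run --rm -it \
    -v /etc/letsencrypt:/etc/letsencrypt:Z \
    -v /var/lib/letsencrypt:/var/lib/letsencrypt:Z \
    -v "$CREDS":/cloudflare.ini:ro,Z \
    "$IMAGE" "$@"
}

# One-off: rewrite the renewal configuration of the existing certificate so
# renewals use the plugin instead of the interactive manual authenticator.
# `reconfigure` validates the new settings with a dry run before saving them.
reconfigure_to_cloudflare() {
  certbot_cf reconfigure \
    --cert-name "$CERT_NAME" \
    --authenticator dns-cloudflare \
    --dns-cloudflare-credentials /cloudflare.ini \
    --dns-cloudflare-propagation-seconds 60
}

# Confirm unattended renewal works end to end. Note that `renew` covers every
# certificate under /etc/letsencrypt/renewal, which is why a second,
# single-host certificate gets exercised too.
renew_dry_run() {
  certbot_cf renew --dry-run
}

# Crontab entry for unattended renewal: no -it (cron has no tty), quiet
# output. certbot only renews certificates that are actually due.
cron_line() {
  printf '%s\n' "17 3,15 * * * podman run --rm -v /etc/letsencrypt:/etc/letsencrypt:Z -v /var/lib/letsencrypt:/var/lib/letsencrypt:Z -v $CREDS:/cloudflare.ini:ro,Z $IMAGE renew -q"
}

# Typical one-time sequence (uncomment to run on the host):
# write_cloudflare_credentials "$CREDS" "$(cat /root/.secrets/cf-token.txt)"
# credentials_mode_ok "$CREDS" && reconfigure_to_cloudflare && renew_dry_run
# cron_line
```

The `credentials_mode_ok` check is the part worth keeping around: a renewal that silently runs with a world-readable API token is the kind of thing nobody notices until the token is abused, and a DNS-edit token on the zone is enough to obtain certificates for any name in it.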

Yes, they're one-time-use only.

Not sure if you already deleted them, or they've been removed due to your change to Cloudflare, but maybe there are one or more left from your manual attempts. Any Certbot DNS plugin should remove them automatically.
