Hello, I’m trying to register a root domain with about 5 subdomains. As there are various configurations between services, I’m trying to use the manual installation process with DNS TXT record verification.
My domain is:
Redacted: using fish.com as an example
I ran this command:
$ sudo certbot certonly --cert-name fish.com -d www.fish.com --manual --preferred-challenges dns
It produced the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
-------------------------------------------------------------------------------
You are updating certificate fish.com to include domains: www.fish.com
It previously included domains: fish.com
Did you intend to make this change?
-------------------------------------------------------------------------------
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for www.fish.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.www.fish.com with the following value:
XXXXXXXXX
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.fish.com (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.fish.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.fish.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.www.fish.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My hosting provider, if applicable, is:
Digital Ocean has the following entry:
_acme-challenge.www.fish.com
HOWEVER, there is no ANSWER section:
$ dig -t txt _acme-challenge.www.fish.com
; <<>> DiG 9.8.3-P1 <<>> -t txt _acme-challenge.www.fish.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46967
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_acme-challenge.www.fish.com. IN TXT
;; AUTHORITY SECTION:
fish.com. 1800 IN SOA ns1.digitalocean.com. hostmaster.fish.com. 1509646706 10800 3600 604800 1800
;; Query time: 112 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Nov 2 14:29:51 2017
;; MSG SIZE rcvd: 112
I don’t think that’s a valid TXT record.
What is the proper way to manually generate certs using DNS authentication?
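The manual dns-01 flow in the post has one step where things go wrong silently: pressing Enter before the TXT record is actually resolvable. The script below is an added example (not from the original post, and not certbot or DigitalOcean code): it parses the output of `dig -t txt` for the challenge name and tells apart the three ways the check can fail before certbot is allowed to continue: the name does not exist at all (the NXDOMAIN seen above), the name exists but carries no TXT record, or a TXT record exists with the wrong value. The two dig transcripts embedded in it are constructed: the first mirrors the NXDOMAIN response from the post (with the placeholder value `XXXXXXXXX`), the second is a made-up successful answer. The function names `parse_dig` and `check_challenge` and the `DigResult` type are the example's own.

```python
"""Pre-flight check for an ACME dns-01 challenge: parse `dig -t txt` output and
decide whether the _acme-challenge TXT record is visible before continuing.
Added example; not certbot, Let's Encrypt or DigitalOcean code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DigResult:
    status: str                       # NOERROR, NXDOMAIN, SERVFAIL, ...
    answer_count: int                 # "ANSWER: n" from the flags line
    txt_values: List[str] = field(default_factory=list)  # TXT rdata for the queried name
    negative_ttl: Optional[int] = None  # SOA minimum: how long an NXDOMAIN stays cached


def parse_dig(output: str, name: str) -> DigResult:
    """Pull the status, answer count, TXT values and SOA negative TTL out of dig output."""
    status_m = re.search(r"status:\s*(\w+)", output)
    answer_m = re.search(r"ANSWER:\s*(\d+)", output)
    result = DigResult(
        status=status_m.group(1) if status_m else "UNKNOWN",
        answer_count=int(answer_m.group(1)) if answer_m else 0,
    )
    want = name.rstrip(".").lower() + "."   # dig prints owner names fully qualified
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False               # blank line or next section header ends the answers
        rr = re.match(r"^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$", line)
        if in_answer and rr and rr.group(1).lower() == want:
            # TXT rdata is one or more quoted strings; concatenate them as a client would.
            result.txt_values.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rr.group(2))))
        soa = re.match(r"^\S+\s+\d+\s+IN\s+SOA\s+(.*)$", line)
        if soa:
            result.negative_ttl = int(soa.group(1).split()[-1])  # last SOA field = minimum/negative TTL
    return result


def check_challenge(output: str, name: str, expected: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when a TXT record with the expected value is present."""
    r = parse_dig(output, name)
    if r.status == "NXDOMAIN":
        ttl = f"; this resolver will cache the negative answer for up to {r.negative_ttl}s" if r.negative_ttl else ""
        return False, f"{name} does not exist (NXDOMAIN){ttl}"
    if r.status != "NOERROR":
        return False, f"query failed with status {r.status}"
    if not r.txt_values:
        return False, f"{name} exists but has no TXT record (ANSWER: {r.answer_count})"
    if expected not in r.txt_values:
        return False, f"TXT record present but value does not match: {r.txt_values}"
    return True, f"TXT record for {name} carries the expected value"


CHALLENGE_NAME = "_acme-challenge.www.fish.com"
EXPECTED_VALUE = "XXXXXXXXX"   # placeholder for the value certbot printed

# Constructed sample 1: the NXDOMAIN response from the post, reproduced as dig prints it.
NXDOMAIN_OUTPUT = """; <<>> DiG 9.8.3-P1 <<>> -t txt _acme-challenge.www.fish.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46967
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.www.fish.com.\tIN\tTXT

;; AUTHORITY SECTION:
fish.com.\t\t1800\tIN\tSOA\tns1.digitalocean.com. hostmaster.fish.com. 1509646706 10800 3600 604800 1800
"""

# Constructed sample 2: what a correctly deployed record looks like (made up, not from the post).
GOOD_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.www.fish.com.\tIN\tTXT

;; ANSWER SECTION:
_acme-challenge.www.fish.com.\t300\tIN\tTXT\t"XXXXXXXXX"
"""

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty() and len(sys.argv) == 3:
        # usage: dig -t txt NAME | python3 check_txt.py NAME VALUE
        ok, why = check_challenge(sys.stdin.read(), sys.argv[1], sys.argv[2])
        print(("OK: " if ok else "NOT READY: ") + why)
        sys.exit(0 if ok else 1)
    for label, sample in (("post's dig run", NXDOMAIN_OUTPUT), ("deployed record", GOOD_OUTPUT)):
        ok, why = check_challenge(sample, CHALLENGE_NAME, EXPECTED_VALUE)
        print(f"{label}: {'OK' if ok else 'NOT READY'} - {why}")
```

Two things the check makes visible that the raw transcript hides. First, the answer in the post came from the local resolver at 192.168.1.1, and the SOA line's last field (1800) is the time in seconds for which that resolver may keep caching the NXDOMAIN even after the record is added; querying the zone's authoritative server directly (`dig @ns1.digitalocean.com -t txt _acme-challenge.www.fish.com`) shows what has actually been published. Second, an NXDOMAIN for the full name is a different failure from a NOERROR with zero answers: the former means no record of any type exists at `_acme-challenge.www.fish.com` yet, which usually points at the record having been created under a different owner name than the one certbot asked for.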