How to get the TXT record from certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://mydomainename.com/

I ran this command: certbot -d mydomainename.com --manual --preferred-challenges dns certonly

It produced this output:

My web server is (include version): CentOS Linux 7.9.2009

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: OVH (kimsuffi)

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.973 Virtualmin 6.16

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): (I don't know how to find it, but it is at least 2 years old)

Hello there,

I am not very good at this sort of thing, but I used to just go to my Virtualmin panel -> Server Configuration -> SSL Certificate -> Let's Encrypt and request a certificate, and it was all good, nice and easy: my website was in HTTPS.

Now it does not work and requests a dns-01 challenge.

I have access to my domain name DNS and I understand that I need to create an acme challenge record and I need to put a random value in the TXT field that certbot is supposed to give me.

I mainly found that I should run this command to get the TXT output:

certbot -d mydomainename.com --manual --preferred-challenges dns certonly

BUT (I don't have the screenshot anymore) it just notified me that it had created the certificate in “letsencrypt/live/mydomaine.com”.

But no information about what I should put in the TXT record.

And now if I run the command again it just tells me that the certificate is not yet due for renewal.

I have no idea what to do :-/

If certbot issued a certificate for you (probably due to a cached, valid authorisation from the recent past), you don't need the TXT record any longer: you already got the cert!

But I don't understand why you suddenly need to switch over to using certbot in the first place? Could you please tell us more about why Webmin/Virtualmin stopped working?


Hello Osiris and thank you very much for your reply,

Well, as I said, I am not good at this sort of thing and many things I do are very abstract to me.

So I tried to do as usual in virtualmin and this is the output I had (screenshot and text):

Requesting a certificate for mydomainename.com, *.mydomainename.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Wildcard hostname *.mydomain.com can only be validated in DNS mode DNS-based validation failed :

Use of --manual-public-ip-logging-ok is deprecated.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Use of --manual-public-ip-logging-ok is deprecated.

Renewing an existing certificate for mydomainename.com and *.mydomainename.com

Performing the following challenges:

dns-01 challenge for mydomainename.com

Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl

Waiting for verification...

Challenge failed for domain mydomainename.com

dns-01 challenge for mydomainename.com

Cleaning up challenges

Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl

Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: mydomainename.com

Type: unauthorized

Detail: Incorrect TXT record "91.121.83.157" found at

_acme-challenge.mydomainename.com

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

Following that, I understood that I had to create the “_acme-challenge.mydomainename.com” DNS record.

And I did that but as said I have no idea what to put in the TXT value field

So because of that sentence in the output “To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.”

I did put my IP address in the value/target field

Even though I knew it was stupid.

So I did some Google research and I found that apparently in that Value field I needed to put a random string that certbot was supposed to generate using the command line above.

For reference I found that here (and other websites)

https://qastack.fr/server/750902/how-to-use-lets-encrypt-dns-challenge-validation

So I was expecting something like this as output: “667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc”

And to put that in my DNS TXT target value.

But no luck :-/

I read the posting guidelines a bit too fast this morning and missed the command to find out which certbot version I am running:

certbot --version

certbot 1.11.0

I hope that everything I wrote makes sense.

Thank you for reading and I hope that you can enlighten me :slight_smile:

Please show the output of:

certbot certificates

I hope I am pasting the correct thing:

[root@ns352512 ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: mydomain.com
Serial Number: 3c116bf03d54cde00d697e43c869286ef58
Key Type: RSA
Domains: mydomain.com
Expiry Date: 2021-12-30 17:40:42+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem

I just forced HTTPS (it is a WordPress website) and the web browsers are not happy; when I click to get more info, this is the message:

https://mydomain.com/

The certificate is not trusted because it is self-signed.

HTTP Strict Transport Security: false

HTTP Public Key Pinning: false

Well, yes. Certbot might have a certificate, but as you got it by using the certonly action of certbot when you did, it needs to be installed into your webserver manually.

Also, you got it using the manual plugin, which cannot renew automatically. So in 89 days the certificate will expire and your users will get a certificate expired error.

I'd urge you to get Webmin/Virtualmin fixed, so you can use your regular method of securing your websites.


Hi again Osiris,

Thank you for your swift reply; unfortunately I have no idea what to do following what you wrote.
What do I need to do to install the certificate manually on my web server?

I notice that I am missing an ssl.ca file in the root folder of that domain name, while that file does exist for my other hosted domain names.

As you're using Webmin/Virtualmin: I don't have the slightest clue.

I have no idea what this is at all.


Yes, I am using that:

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.973 Virtualmin 6.16


I got it to work !!!!
Not really knowing what I was doing…

I first ran this command to remove the existing certificate:

sudo certbot delete --cert-name mydomain.com

output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


The following certificate(s) are selected for deletion:

  • mydomain.com
    Are you sure you want to delete the above certificate(s)?

(Y)es/(N)o: y
Deleted all files relating to certificate mydomain.com.

I then ran this command in an attempt to obtain that famous value that I needed to put in my TXT record:

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'mydomain.com,*.mydomain.com'

Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for mydomain.com and *.mydomain.com
Performing the following challenges:
dns-01 challenge for mydomain.com


Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:

zQXLjloL9vVKJoz3ZRulwYpuFOXrZKALNTU8Mv-***

Before continuing, verify the record is deployed.

So I added the generated value to my DNS record.

I then pressed enter and here we go:

Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mydomain.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/mydomain.com/privkey.pem
    Your certificate will expire on 2022-01-01. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

I then refreshed my web browser and it is all good now !!!!

Thanks Osiris for trying to help me out :slight_smile:

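For readers wondering what the value in the "Please deploy a DNS TXT record" prompt actually is, and why an IP address in the record produced the "Incorrect TXT record" error earlier in the thread: it is not a random string the user picks. Per RFC 8555 it is base64url(SHA-256(token "." base64url(JWK thumbprint of the ACME account key))), which is why it differs on every order and cannot be reused from an old run. The example below is added here and is not code from the thread or from certbot; the token and account key are constructed for illustration, and fetch_txt assumes dig is installed. It derives the value, builds the _acme-challenge name (the same name serves mydomain.com and *.mydomain.com), and checks a DNS answer the way the CA does, so "verify the record is deployed" can be done against a public resolver before pressing Enter.

```python
"""Compute and check a dns-01 TXT value (added example, not code from the
thread or from certbot). Per RFC 8555 the value certbot prints is
base64url(SHA-256(token "." base64url(thumbprint(account key)))), so it
changes with every new order and cannot be reused from an old run."""
import base64
import hashlib
import json
import subprocess
from typing import Iterable, List


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    in lexicographic order, with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: keyAuthorization = token || '.' || thumbprint."""
    return token + "." + jwk_thumbprint(account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(keyAuthorization))."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def challenge_name(identifier: str) -> str:
    """Both example.com and *.example.com validate at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".")


def txt_record_ok(records: Iterable[str], expected: str) -> bool:
    """The CA's check: the record set must contain the exact expected string.
    dig +short prints TXT strings quoted, so one pair of quotes is stripped."""
    return expected in {r.strip().strip('"') for r in records}


def fetch_txt(name: str, resolver: str = "1.1.1.1") -> List[str]:
    """Ask a public resolver (not the local cache) with dig, assumed installed,
    so the answer resembles what the CA will see."""
    out = subprocess.run(["dig", "+short", "TXT", name, "@" + resolver],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]


# Constructed sample inputs (illustrative only, not a real account key).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    name = challenge_name("*.mydomain.com")
    print(f"deploy TXT {name} = {expected}")
    # The record the failing run in the thread had in place: an IP, not the value.
    print("IP in TXT accepted?", txt_record_ok(['"91.121.83.157"'], expected))
    # Live check before pressing Enter in certbot (needs dig and network):
    # print("deployed?", txt_record_ok(fetch_txt(name), expected))
```

Two practical notes. The CA resolves the name from its own vantage point, so a record that looks right on the server's local resolver can still fail while an old answer (or the old IP-in-TXT record) is cached elsewhere; query a public resolver and keep the TTL short. And, as Osiris points out, a certificate obtained interactively with --manual cannot be renewed by `certbot renew`: certbot needs a `--manual-auth-hook` script that creates the record itself (certbot passes the name as `CERTBOT_DOMAIN` and the value as `CERTBOT_VALIDATION` to that script), which is exactly what Webmin's `letsencrypt-dns.pl` hook in the earlier output was supposed to do.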
