For some strange reason, my Let's Encrypt certificate does not renew automatically, so I tried to re-issue a new one using cPanel.
When using the dns-01 validation method, an error about the TXT record is shown.
How to know which TXT record to configure?
On the other hand, I have tried several times to issue the certificate and now this error is shown:
Error creating new order: acme: error code 429 "urn:ietf:params:acme:error:rateLimited": Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Hello @rg305 ... I am the admin, so I should solve this problem. I have updated cPanel and WHM to the latest version, but the same occurs.
Do you know how to determine which TXT record to add in my name server? My NS is not the same as my cPanel server, so I should add that entry manually.
Well the renewal process is either automated or manually driven.
You can't have it both ways or half and half.
How exactly do you execute the renewal request?
Yes.... I have other certificates on this server for other domains. And in fact, as I told you, the certificate for this same domain was issued before but expired on October 3rd.
That does not happen... cPanel does not provide that information.
I will try to use HTTP authentication instead. This is a GitLab application, so I will find out where I should put the ACME challenge file. When using HTTP authentication, I can know which file it is trying to load because Let's Encrypt includes it in the error message. It would be great if the error message when using DNS validation could include which text it is trying to find in the NS entry.
When I try to issue the certificate, the challenge TXT entry is modified in the DNS. Let's Encrypt is assuming that the name server is the same server where the domain being protected by SSL is hosted, but this is not the case. So, when the new TXT entry is generated, it does not match the actual TXT entry in the actual name server.
How can I avoid the challenge TXT key being generated every time I try to issue the certificate?
No, Let's Encrypt does not assume anything. Let's Encrypt looks at your domain's authoritative DNS server for the TXT record. I run my own server, but my DNS is handled by Cloudflare which is where Let's Encrypt goes to look for my TXT entries.
Your client is assuming that cPanel is hosting that authoritative DNS server and is only updating it there.
By authoritative DNS server, I'm referring to what is configured with your registrar.
I don't think so. The domain is desytec.com, and according to the registrar (whois.com) the authoritative name server is Cloudns, which is correct.
Let's Encrypt is updating the local server; however, when validating the DNS challenge it is using the authoritative server, and since it updates the local server, of course that information does not match the authoritative information.
Besides, I notice there is some contradiction in what you are saying. Why is Let's Encrypt capable of updating the TXT record of a remote name server? For security reasons, I am pretty sure it is impossible.
I am wondering if it is possible to prevent Let's Encrypt from updating the TXT entry in the local server, by means of a configuration or something.
On the other hand, I asked the hosting technician to give me a hand on this investigation because DNS validation is the only way for me.
If I could use HTTP validation, the solution would be easy, but this is not the case.
Your domain and NS1 respond to different servers. Your DNS is hosted by CloudDNS and your website is hosted by Linode. So it makes perfect sense that any DNS changes made on your server at Linode won't affect the actual DNS zone for your domain.
This is the same as the situation I posted: I host my own server, but rely on a 3rd party to run my DNS. I have my ACME client configured to use my DNS provider's API to update the TXT record.
This is accurate; your ACME client hasn't been given credentials or information on how to update your authoritative server.
It isn't, your ACME client is responsible for updating your DNS server entries, Let's Encrypt just checks the server published by your registrar once the ACME client indicates it has completed updating them.
Probably. You'd have to ask the developer or check the documentation for your ACME client on how to reconfigure it to update the correct server.
So my question is: how did you configure your certbot to do that?
Never mind, cPanel, not certbot. Your cPanel is updating the incorrect DNS servers. Please refer to your hosting provider or cPanel assistance or documentation on how to configure your cPanel properly for your application (i.e.: using Cloudflare as the DNS server for the challenge record).
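The repeated advice in this thread is that Let's Encrypt reads the `_acme-challenge` TXT record from the domain's authoritative name server (the one the registrar lists), not from the cPanel host, so the useful check before retrying (and burning more of the failed-authorization rate limit) is to ask that authoritative server directly and compare what it returns with the token the client wrote. The script below is an added example, not code from the original thread, from cPanel or from Let's Encrypt; it uses only the Python standard library to send a raw DNS TXT query to a name server address you supply and to parse the reply. The domain `example.com`, the token `expected-token-from-cpanel`, the server address and the sample reply are constructed placeholders; `query_txt` needs network access, while the parser is exercised offline on the constructed reply.

```python
"""Check the _acme-challenge TXT record at a specific (authoritative) name server."""
import random
import socket
import struct

TXT = 16   # DNS record type TXT
IN = 1     # DNS class IN


def encode_name(name):
    """Encode a dotted name as DNS labels: len byte + bytes per label, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_txt_query(name, txn_id):
    """Build a recursion-desired query packet for TXT records of `name`."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT, IN)


def read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after the name field)."""
    labels, end, jumped = [], None, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_txt_answer(packet):
    """Return (transaction id, flags, [(owner name, txt value), ...]) from a DNS reply."""
    txn_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = read_name(packet, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = read_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == TXT and rclass == IN:    # TXT rdata is a run of <len><chars> strings
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            records.append((name, "".join(parts)))
    return txn_id, flags, records


def query_txt(name, server, timeout=3.0):
    """Send the query to `server` over UDP/53 and return the TXT values (network required)."""
    txn_id = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txn_id), (server, 53))
        data, _ = sock.recvfrom(4096)
    reply_id, _flags, records = parse_txt_answer(data)
    if reply_id != txn_id:
        raise ValueError("DNS reply transaction id does not match the query")
    return [txt for _, txt in records]


def challenge_present(records, expected):
    """True if the token the ACME client wrote is among the published TXT values."""
    return expected in records


def build_txt_response(txn_id, name, txts):
    """Constructed sample reply for offline use; not a capture from a real server."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(txts), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TXT, IN)
    answers = b""
    for txt in txts:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        # 0xC00C points back at the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 60, len(rdata)) + rdata
    return header + question + answers


# Constructed reply: the authoritative server publishes one token for the challenge name.
SAMPLE_REPLY = build_txt_response(0x1234, "_acme-challenge.example.com",
                                  ["expected-token-from-cpanel"])

if __name__ == "__main__":
    # Replace the placeholders with your domain, the token your client logged,
    # and the IP address of the name server your registrar lists as authoritative.
    _, _, recs = parse_txt_answer(SAMPLE_REPLY)
    print(challenge_present([t for _, t in recs], "expected-token-from-cpanel"))
```

Run `query_txt("_acme-challenge.yourdomain", "<authoritative NS IP>")` and compare the result with the token your client generated; if the list is empty or holds a stale value, the client wrote the record somewhere Let's Encrypt never looks, which is exactly the mismatch described above. Querying the authoritative server by address rather than through your resolver avoids being misled by a cached answer.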