I give up, i need help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: johnsonmediaserver.xyz

I ran this command: certbot -d johnsonmediaserver.xyz --manual --preferred-challenges dns certonly

It produced this output: Failed authorization procedure. johnsonmediaserver.xyz (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “v=spf1 include:spf.efwd.registrar-servers.com ~all” found at _acme-challenge.johnsonmediaserver.xyz

My web server is (include version): Apache not sure of version

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: Cox Communications

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I’m a complete novice when it comes to web servers or networking in general so please excuse the ignorance…
I have tried every possible way I know how to get this certificate but have not had any luck. I tried through webmin, openssl, certbot.eff and with apache and nginx plug-ins and nothing. The information above is from my most recent attempt. I can’t do certbot --apache because my ISP does not support port forwarding of any kind so I’m trying the DNS way but according to everything I read, it can take up to 48 hours for a TXT record to propagate, and from the information above, I can’t do anything about that TXT record. There is a picture of a lock next to it that says it can’t be touched, according to my registrar, namecheap.com. Also, I can’t make a CNAME or NS Record with the information I’m told to put in there from certbot because it says the format is incorrect.

I’m not sure if there is anymore information I can give to make this easier on whoever can help me or if the websites you guys use to diagnose websites is enough but if there is anything I can answer I’ll do my best


Well, there’s your problem. You’ve created a TXT record for _acme-challenge.johnsonmediaserver.xyz as you should, but with the wrong contents. You’ve entered the contents of your SPF record (which already exists, as it should, for your root domain). You should instead have entered the token that certbot gave you to enter.

There’s no reason this should be the case; if it is with your DNS host, you need a new one. But it’s most likely that you’re either misunderstanding what you’re reading, or what you’re reading is just incorrect.

…which is correct; Let’s Encrypt needs a TXT record, not a NS or CNAME record.

The probable problem is that you just aren’t using Namecheap’s DNS control panel correctly. This page:
https://www.namecheap.com/support/knowledgebase/article.aspx/317/2237/how-do-i-add-txtspfdkimdmarc-records-for-my-domain
appears to have relevant instructions. You’d follow those instructions to create a new TXT record, set _acme-challenge as the host, and the long string Certbot gave you as the value. Give it a few minutes (maybe 10 minutes) for everything to filter through Namecheap’s servers, and then tell Certbot to proceed.


It seems that you did:

nslookup -q=txt _acme-challenge.johnsonmediaserver.xyz
_acme-challenge.johnsonmediaserver.xyz  canonical name = johnsonmediaserver.xyz

You need to remove the CNAME responding for _acme-challenge.johnsonmediaserver.xyz
And follow the instructions on creating the TXT record.

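The two replies above diagnose the failure by hand: query the TXT record at _acme-challenge.<domain> (not at the apex), notice the stray CNAME that makes resolvers hand back the apex's SPF record, and compare what comes back with the value Certbot printed. The following script is an added example written for this thread, not code from the original posts or from Certbot. It parses `dig +noall +answer` style output (the sample answer sections below are constructed to reproduce the situation in the thread, before and after the fix), follows any CNAME chain the way a validating CA would, and reports whether the expected DNS-01 value is present. It also shows how that expected value is derived from the key authorization per RFC 8555 section 8.4; the key authorization string used here is a made-up placeholder, not a real challenge.

```python
"""Offline diagnosis of a DNS-01 challenge record, as done by hand in the thread."""
import base64
import hashlib
import re
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, rdata)


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization)),
    padding stripped. This is the 'long string' Certbot asks you to publish."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_dig_answer(text: str) -> List[Record]:
    """Parse `dig +noall +answer` lines of the form: owner TTL IN TYPE rdata.
    Owner names are lowercased and lose the trailing dot; TXT rdata has its
    quoted character-strings joined, which is how a CA reads the record."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, _ttl, _cls, rrtype, rdata = parts
        owner, rrtype = owner.lower().rstrip("."), rrtype.upper()
        if rrtype == "TXT":
            rdata = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))
        elif rrtype == "CNAME":
            rdata = rdata.lower().rstrip(".")
        records.append((owner, rrtype, rdata))
    return records


def diagnose(domain: str, expected: str, records: List[Record]) -> Dict[str, object]:
    """Report what a validating CA sees at _acme-challenge.<domain>."""
    name = f"_acme-challenge.{domain.lower().rstrip('.')}"
    owner, chain = name, []
    # A CNAME at the challenge name is legal (this is how acme-dns delegation
    # works), but then the TXT record must live at the *target*, so follow it.
    for _ in range(8):
        targets = [r for o, t, r in records if o == owner and t == "CNAME"]
        if not targets:
            break
        chain.append(targets[0])
        owner = targets[0]
    txts = [r for o, t, r in records if o == owner and t == "TXT"]
    if expected in txts:
        status = "ok"
    elif any(v.lower().startswith("v=spf1") for v in txts):
        # The thread's case: the query ended up at the apex, whose TXT is SPF.
        status = "spf_instead_of_token"
    elif not txts:
        status = "missing"
    else:
        status = "wrong_value"
    return {"queried": name, "resolved_owner": owner, "cname_chain": chain,
            "txt_seen": txts, "status": status}


# Constructed placeholder key authorization ("<token>.<account key thumbprint>");
# any real one comes from the CA and your account key, never from a forum post.
KEY_AUTHORIZATION = "constructed-token-from-ca.constructed-account-key-thumbprint"
EXPECTED = dns01_txt_value(KEY_AUTHORIZATION)

# Constructed answer section reproducing the thread: a stray CNAME sends the
# query to the apex, whose only TXT record is the registrar's SPF policy.
BROKEN_ANSWER = """
_acme-challenge.johnsonmediaserver.xyz. 1799 IN CNAME johnsonmediaserver.xyz.
johnsonmediaserver.xyz. 1799 IN TXT "v=spf1 include:spf.efwd.registrar-servers.com ~all"
"""

# Constructed answer section after the fix: CNAME removed, token published.
FIXED_ANSWER = f"""
_acme-challenge.johnsonmediaserver.xyz. 60 IN TXT "{EXPECTED}"
johnsonmediaserver.xyz. 1799 IN TXT "v=spf1 include:spf.efwd.registrar-servers.com ~all"
"""

if __name__ == "__main__":
    for label, answer in (("before", BROKEN_ANSWER), ("after", FIXED_ANSWER)):
        result = diagnose("johnsonmediaserver.xyz", EXPECTED, parse_dig_answer(answer))
        print(label, result["status"], result)
```

To use it against live DNS, feed it the output of `dig +noall +answer TXT _acme-challenge.<domain>` from the authoritative nameserver and the value Certbot printed; only press Enter in `certbot --manual` once the status is `ok`. The CNAME-following step matters for the "can a CNAME replace the TXT record" question raised in the thread: delegation works, but only if the CNAME target actually carries the token.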

Oh, I just meant with the code that certbot was telling me to enter. That's when it tells me it isn't the correct format. That CNAME above is pretty much me 'learning by doing'. I read that sometimes a CNAME or NS record could replace a TXT record, but I tried making an actual TXT record and submitted it, only it isn't showing up on dnschecker.org. The only records I have on my end are: the A record for my IP address, a CNAME for www, the TXT record that I can't edit or erase that was in the original post, and now my new TXT record that certbot told me to create.


It looks like you subsequently figured it out and now have a valid certificate for this site!

Please note that when you use --manual, you will have to run that same command in order to renew the certificate, and you’ll have to create a new DNS record each time (because the CA wants to check your control over the domain name anew each time). Therefore, you won’t be able to renew this certificate automatically with certbot renew or with any unattended or noninteractive method.

To support automated renewal, you’ll need to use a different validation method, or use a DNS provider that allows updates from software via an API.


Ya, it turns out it had to do with Namecheap's settings for TTL, and I guess I was searching for that record using the wrong domain. I thought using johnsonmediaserver.xyz would be good enough, but apparently I need to use _acme-challenge.johnsonmediaserver.xyz. Ah well, live and learn!
And I'm actually glad you brought that up. I actually copied that command from someone having the same issue as me (assuming it would fail, I used it lol), but now that it went through, how can I edit the command to renew on its own? Or at least so I can use 'certbot renew'?
One last thing: do I just edit the virtual host file and put the location of the certificates, and then reload the server and then it will start using https?
Thank you for the response btw, much appreciated!

To automatically renew DNS authenticated certs, you’ll need a DNS API plugin to “do the work” for you.
[which, of course, requires a DNS provider that has a supported DNS API]

Start here: https://certbot.eff.org/docs/using.html?highlight=dns#dns-plugins

I just want to note: if you are technically inclined and able to do so, acme-dns can be a much easier way to handle DNS authentication with Namecheap. Namecheap had (and likely still does) some sort of internal caching going on with their DNS settings that is unrelated to TTL and DNS flushes; I often ran into issues where challenges kept failing because stale values got into the cache.
