I need help with DNS Challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:kb.t4tcookiecutters.com

I ran this command: sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.t4tcookiecutters.com

It produced this output: It said to create a CNAME record and gave a long string to copy for the content

My web server is (include version): Apache2 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 0.40.0

I'm trying to get an SSL cert for my new site. I already have a wildcard SSL for the domain so I don't know how to really set this up. I have a domain of t4tcookiecutters.com It works and already has an SSL. It is wildcard, so I want to make another site under kb.t4tcookiecutters.com. Do I need another certificate because it has kb before the .t4tcookiecutters.com or should one ssl work for all domains attached to t4tcookiecutters.com?

The first time I ran the command it failed saying it got confused because I put "-d *.t4tcookiecutters.com -d kb.t4tcookiecutters.com. So I erased *.t4tcookiecutters.com. This time it failed saying it couldn't find the record but it was trying on _acme-challenge.kb.t4tcookiecutters.com. So I had to try a 3rd time removing kb.t4tcookiecutters.com and putting back *.t4tcookiecutters.com. This time it was looking in the right place for the record because kb was gone. But then it failed saying that it found a DNS record with this content and it said it found 1 more. I didn't know we were supposed to delete DNS challenges after they were confirmed in the past. The record matched, so I erased the two that were on my DNS. The websites still worked. So I ran the command again. The old entry were txt records. Certbot is telling me to make a CNAME which I did and have deleted a couple of times because it failed. The time I tried it, even though I have --debug-challenges in the command line, it didn't even pause or tell me to create a cname, it didn't give me a string to enter either, it just went through immediately and failed because now it can't find a record. Now it has failed so many times, I don't want to try again because last time I got locked out for over a week I believe. What am I doing wrong? Will it work if this time if certbot actually pauses so I can have time to enter the record?

This is a screenshot of me entering the command the final time, notice it doesn't say to create CNAME anywhere? Why did it skip that? Did that CNAME it had me create on one of the previous failures remain active and I shouldn't have deleted it? I feel like I'm making this way more complicated than it is. What am I doing wrong?

image1205×727 84.7 KB

Hi @falken,

Wildcards only work for one subdomain level. So a certificate for *.example.com will match foo.example.com and bar.example.com, but not foo.bar.example.com.

If you want subdomains of kb.t4tcookiecutters.com and you want a certificate to match those subdomains, you'll need a certificate for *.kb.t4tcookiecutters.com. In that case you'll have to create the associated DNS TXT record at _acme-challenge.kb.t4tcookiecutters.com.

The CNAME method is associated with using acme-dns, which it looks like you're also trying to do?

When you supply a --manual-auth-hook, that is a script that is supposed to complete the challenges for you. In that case there's no prompt for you to create DNS records because the associated DNS records are being given to the auth-hook script you specified, which is the acme-dns authenticator hook script. Certbot assumes that that script will be able to do whatever is necessary to satisfy the challenge.

The differences you're seeing in whether you get prompted to create a TXT record, or a CNAME record, or nothing, probably have to do with (1) whether you specified a --manual-auth-hook on a particular occasion or not, and (2) whether the CNAME record already exists (in which case you wouldn't need to re-create it, because the CNAME record for acme-dns is always the same, unlike the per-challenge TXT records which are always different each time).

It seems like it would also be important for you to decide whether or not you're going to use acme-dns, and follow the appropriate process for either using it or not using it.

You'll get locked out for a week if you successfully create too many identical certificates (although those should still exist on your hard drive in that case, so you can still use them). If you repeatedly fail to create certificates, you'll get locked out for an hour. Different rate limits.

If you use the --dry-run option in your Certbot command line, it will use the staging server (for testing purposes) instead of the production server. This has much higher rate limits. This is a better thing to do while testing and debugging your setup.

Thank you so much for your quick response. I have a wildcard SSL and am really confused about all of this stuff. I'm learning linux at the same time so I'm constantly lost. That SSL goes to t4tcookiecutters.com. As far as I understood, a wildcard ssl would allow me to make several websites tied into the same domain but I could make new sites under names that preceed the .t4tcookiecutters.com. I get confused because I setup a plex server on a windows virtual machine that works with SSL and it is at plex.t4tcookiecutters.com, I didn't have to install any pem or key files on that vm at all, I just had to check the ssl button somewhere in the settings. But on t4tcookiecutters.com I was testing ecommerce software out and I had to put those files on that virtual machine. To add to the confusion, I have this all going through a Virtual Machine running a Kemp Load Balancer and I'm doing this through cloudflare. So I have no idea where the cert is being pulled from. I have certs on the load balancer and on the ecommerce vm. I'm building a knowledge base because I've done this many times with success, but I'm doing so many things at once and following so many tutorials that I can't remember what I did half the time.

The command I pasted in was the same command I entered the first time, I changed nothing on it other than the domain names. Maybe I did it in such quick succession that it still had the CNAME active? I just wish there was a "Make it work" button.

This forum also removed the backslash key from the commands I was putting down. so there is a \ before the *.t4tcookiecutters

What I did to make plex work was just go to cloudflare and add a new a record for plex and pointed to the IP address. Cloudflare saw this as plex.t4tcookiecutters.com. I did the same thing for kb to get kb.t4tcookiecutters.com. I don't even know what these ssl files are doing. Will my old certs for *.t4tcookiecutters just work if I copy them over? I don't understand why plex worked without any need to copy anything over, but the ecommerce did require them.

You've also had a certificate from Google's CA recently:

Maybe that was issued by some other software or by Cloudflare on your behalf?

It's hard to give a generic answer to all your questions, because it sounds like you're jumping in with a fairly complex setup (including the VM, load balancer, and CDN!).

I would advocate for either

(1) trying all of this out with a much simpler setup first (e.g. one single server with no VMs) in order to become more familiar with it, or

(2) taking the process much slower and asking much more specific questions when you get stuck or confused (to try to debug the exact part that you first got stuck on).

Thank you for the help. In all honesty I have no idea what I'm doing. Those google entries are probably there because I had to add MX entries so that the ecommerce site I was messing around with could send email. My ISP blocks ports to send mail so I used google's SMTP servers and in order to do so, they required that I put something on DNS and that's probably what is showing up there.

Yeah I'm trying to do too much at once. It's really because I didn't realize the importance of documenting so I never did, now I'm on here asking for help with certbot syntax to get a DNS challenge to work. All because I didn't document anything when I got it to work before. I've done this several times, but I've bumbled my way through each time. NOW I have a VM dedicated to a knowledge base that's being updated constantly. These posts are also kind of rushed, I should give myself more time. I'm writing them right before I leave for work, or when we have a break in a training class at work.

Thank you for attempting to help, I'll have to look deeper into this so I can ask more direct questions if I need to.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.