However, I ran the following command and got the following error.
certbot certonly --manual --preferred-challenges dns -m cora.kwok@ectest.com.tw -d serv.org.com -d *.serv.org.com
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for serv.org.com and *.serv.org.com
Press Enter to Continue
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: serv.org.com
Type: unauthorized
Detail: Incorrect TXT record "v=spf1 -all" found at _acme-challenge.serv.org.com
Domain: serv.org.com
Type: unauthorized
Detail: Incorrect TXT record "v=spf1 -all" found at _acme-challenge.serv.org.com
Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
I added one more TXT record when the system requested it.
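The error above says the CA found a TXT record at _acme-challenge.serv.org.com, but its content was an SPF string rather than the challenge value Certbot asked for. The script below is an added example, not code from the thread or from Certbot: it classifies the TXT answer for the challenge name before you press Enter, so a missing, stale or wrong record is caught locally instead of by the CA. The pure classifier reads records from stdin (so it runs offline on constructed input); the `check_acme_challenge` wrapper assumes `dig` is installed and, if you pass one, queries an authoritative nameserver directly, which is what Let's Encrypt does, so a cached answer from your local resolver does not mislead you. The function names and the `wrong-spf` label are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the TXT records published at
# _acme-challenge.<domain> against the value Certbot told you to deploy.

# acme_txt_status EXPECTED  (records on stdin, one per line, as dig +short prints them)
# prints: ok        - the expected value is among the records
#         missing   - no TXT record at all (not published yet, or wrong name)
#         wrong-spf - an SPF string answered at the challenge name; a common cause is
#                     a wildcard TXT (*.example) or a record placed at the zone apex
#         wrong     - some other unrelated value
acme_txt_status() {
  expected=$1
  seen=0
  spf=0
  while IFS= read -r rec; do
    seen=1
    rec=${rec#\"}      # dig wraps TXT data in double quotes; strip them
    rec=${rec%\"}
    if [ "$rec" = "$expected" ]; then
      echo ok
      return 0
    fi
    case $rec in
      v=spf1*) spf=1 ;;
    esac
  done
  if [ "$seen" -eq 0 ]; then
    echo missing
  elif [ "$spf" -eq 1 ]; then
    echo wrong-spf
  else
    echo wrong
  fi
}

# check_acme_challenge DOMAIN EXPECTED [NAMESERVER]
# Live check; needs dig on PATH. Pass the zone's authoritative nameserver to
# avoid a cached answer, which is what the CA sees as well.
check_acme_challenge() {
  name="_acme-challenge.$1"
  ns=${3:+@$3}
  dig +short $ns TXT "$name" | acme_txt_status "$2"
}

# Usage (constructed values, as the thread's command would produce):
#   check_acme_challenge serv.org.com 'the-43-char-value-certbot-printed' ns1.example-dns.invalid
# Offline demo of the classifier on the record the thread's error shows:
#   printf '%s\n' '"v=spf1 -all"' | acme_txt_status 'the-43-char-value-certbot-printed'
```

Only `ok` means the CA can succeed on the next attempt; `wrong-spf` is exactly the thread's symptom and usually means the challenge record was never created at that name, so a wildcard or apex TXT answered instead.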
You say "local domain". Is that domain name actually in your possession and under your control? I.e., will remote DNS servers be able to resolve the resource records for this domain?
Yes, I could, so I attached a screen dump showing the DNS name serv.org.com.
I have a web application that uses the same domain name to show the records in Domino Lotus Notes.
To clarify what Osiris is asking you: is org.com actually registered to you or your organisation? Like, your organisation is the official registrant of the domain, according to ICANN?
It appears to be owned by a domain portfolio company. I am not convinced that you own the domain.
You will be unable to get a Let's Encrypt certificate for this domain, unless you have control this domain on the internet. Having the domain resolve on your internal network is not sufficient.
No. It is just an internal domain, not officially registered according to ICANN.
Do you mean that I cannot create a Let's Encrypt certificate for the internal testing domain?
What should I do if I require a trusted CA certificate for the testing environment?
You cannot obtain valid certificates (in the sense of: trusted by browsers without installing your own root CA certificate) from any public CA for an internal domain name. Neither from Let's Encrypt, nor from any other public CA. This is part of the CA/B Forum Baseline Requirements that all browsers and CAs agreed upon (Baseline Requirements | CAB Forum).
Anyone could generate a non-publicly trusted certificate for any hostname. E.g., I could generate a certificate for whitehouse.gov using my own locally generated CA. If my locally generated CA were trusted by browsers, I could do a Man in the Middle attack for whitehouse.gov!
Luckily, browsers only trust, by default, a certain set of root certificates of publicly trusted CAs. And these CAs need to abide by the rules mentioned earlier to keep the trust in their certificates. Without trust, the whole system collapses.
Why, when I changed to using the domain name ectest.com.tw, did the result still fail?
Surely I would have access rights for ectest.com.tw, since my valid email is [redacted]@ectest.com.tw.