Internal Server DNS-01 Failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dblenc.net

I ran this command: sudo certbot -d dblenc.net --manual --preferred-challenges dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for dblenc.net


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.dblenc.net with the following value:

Ca_lsuFPMx2ZcJ-ntGOyQ_oGlwtVi1VvI6mQUkXWyuw

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. dblenc.net (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.dblenc.net

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dblenc.net
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.dblenc.net

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.1 LTS

My hosting provider, if applicable, is: Internal Windows Server 2016 DNS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @tpatte02

Are you the domain owner of dblenc.net?

There are no ip addresses defined ( https://check-your-website.server-daten.de/?q=dblenc.net ):

Host             T           IP-Address   is auth.   ∑ Queries   ∑ Timeout
dblenc.net       A                        yes        1           0
                 AAAA                     yes
www.dblenc.net   Name Error               yes        1           0

The domain uses Amazon name servers:

ns-1061.awsdns-04.org

So you have to change that name server.

Looks like this

is only your internal name server. That's not relevant creating a certificate via dns-01 validation.

Thank you Juergen! This makes sense to me as we do have dblenc.net on Amazon, however, we are migrating dblenc.net to wtm.dev on our internal DNS server only. I receive the following output when trying to create a certificate for those sites as well:

sudo certbot -d builds.wtm.dev --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for builds.wtm.dev


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.builds.wtm.dev with the following value:

hjRphxWqKKe8zumfTogFMIfA7s6ytREeR6joJhtELvg

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. builds.wtm.dev (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.builds.wtm.dev

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: builds.wtm.dev
    Type: None
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.builds.wtm.dev

Where do you create the required TXT entry?

dblenc.net has no TXT entry, so Letsencrypt can't validate the domain:

12. TXT - Entries

Domainname                              TXT Entry   Status                                         ∑ Queries   ∑ Timeout
dblenc.net                                          ok                                             1           0
_acme-challenge.dblenc.net                          Name Error - The domain name does not exist    1           0
_acme-challenge.dblenc.net.dblenc.net               Name Error - The domain name does not exist    1           0

_acme-challenge.dblenc.net must have an entry.

And for the wtm domain there is a check: https://check-your-website.server-daten.de/?q=wtm.dev

DNSSEC is broken:

Fatal error: Parent zone has a signed DS RR (Algorithm 8, KeyTag 31342, DigestType 2, Digest mJMkRWuW4fFAgP4x2ThvXAGzzA6PlHUUgUf9akXgyYU=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

and the name servers send a refused:

Host          T         IP-Address   is auth.   ∑ Queries   ∑ Timeout
wtm.dev       Refused                yes        1           0
www.wtm.dev   Refused                yes        1           0

@JuergenAuer For dblenc.net I was creating them on our internal Windows DNS server and could validate they exist through nslookup:

tj@colfax:/var/www/.well-known/acme-challenge$ nslookup -q=TXT _acme-challenge.dblenc.net
Server: 10.40.1.29
Address: 10.40.1.29#53

_acme-challenge.dblenc.net text = "wlhj7rUW2GBdnRVRSJyKgGZCacmCh0FEuQyeT1Y_Ktc"

tj@colfax:/var/www/.well-known/acme-challenge$ nslookup -q=TXT _acme-challenge.dblenc.net
Server: 10.40.1.29
Address: 10.40.1.29#53

_acme-challenge.dblenc.net text = "wlhj7rUW2GBdnRVRSJyKgGZCacmCh0FEuQyeT1Y_Ktc"

tj@colfax:/var/www/.well-known/acme-challenge$ nslookup -q=TXT _acme-challenge.dblenc.net
Server: 10.40.1.29
Address: 10.40.1.29#53

_acme-challenge.dblenc.net text = "Ca_lsuFPMx2ZcJ-ntGOyQ_oGlwtVi1VvI6mQUkXWyuw"

tj@colfax:/var/www/.well-known/acme-challenge$ nslookup -q=TXT _acme-challenge.dblenc.net
Server: 10.40.1.29
Address: 10.40.1.29#53

_acme-challenge.dblenc.net text = "Ca_lsuFPMx2ZcJ-ntGOyQ_oGlwtVi1VvI6mQUkXWyuw"

For wtm.dev - this does not need to be public facing, so we did not create entries on Amazon, but instead just created a primary zone on our internal Windows DNS server. I could also validate these TXT via nslookup

But that's the wrong place. Letsencrypt can't check your internal Windows DNS.

You have to use the public name server, so Letsencrypt is able to check your TXT entry.

Read

And your internal nslookup result isn't relevant.
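The point in the reply above (the CA resolves `_acme-challenge.<domain>` from the public Internet, so an nslookup against 10.40.1.29 proves nothing) can be turned into a pre-flight check run before pressing Enter in certbot. The script below is an added example, not code from the thread or from certbot. Its DNS backend is a constructed in-memory split-horizon resolver so it runs offline: the "internal" view stands in for the Windows DNS server, the "public" view for what Let's Encrypt's resolver sees; the scenario data reuses the names and TXT values shown in the posts, and `builds.corp.internal` and `example.test` are made-up names used only to show the other outcomes. For live use you would replace `FakeDNS.query` with a real lookup (e.g. dnspython) aimed at the zone's public name servers.

```python
"""
Pre-flight check for a DNS-01 challenge: ask the *public* view of DNS, not the
internal resolver, whether the TXT record the CA will look for is visible.
Added example; the DNS backend is a constructed fake so this runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

NOERROR, NXDOMAIN, SERVFAIL, REFUSED = "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED"


@dataclass(frozen=True)
class Answer:
    rcode: str
    records: Tuple[str, ...] = ()


Lookup = Callable[[str, str, str], Answer]  # (view, name, rtype) -> Answer


class FakeDNS:
    """Constructed in-memory DNS with named views (split horizon)."""

    def __init__(self) -> None:
        self._data: Dict[Tuple[str, str, str], List[str]] = {}
        self._broken: Dict[Tuple[str, str], str] = {}  # (view, zone) -> rcode

    def add(self, view: str, name: str, rtype: str, rdata: str) -> None:
        self._data.setdefault((view, name.lower(), rtype), []).append(rdata)

    def break_zone(self, view: str, zone: str, rcode: str) -> None:
        """Make every name at or below `zone` fail with `rcode` in this view."""
        self._broken[(view, zone.lower())] = rcode

    def query(self, view: str, name: str, rtype: str) -> Answer:
        name = name.lower()
        for (v, zone), rcode in self._broken.items():
            if v == view and (name == zone or name.endswith("." + zone)):
                return Answer(rcode)
        rdata = self._data.get((view, name, rtype))
        if rdata:
            return Answer(NOERROR, tuple(rdata))
        # NODATA (name exists, no records of this type) versus NXDOMAIN
        exists = any(v == view and n == name for (v, n, _) in self._data)
        return Answer(NOERROR) if exists else Answer(NXDOMAIN)


def public_nameservers(lookup: Lookup, domain: str) -> Tuple[str, Tuple[str, ...]]:
    """Walk up the labels until a public NS RRset appears: the delegation the CA follows."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        ans = lookup("public", zone, "NS")
        if ans.rcode == NOERROR and ans.records:
            return zone, ans.records
    return "", ()


def check_dns01(lookup: Lookup, domain: str, expected: str) -> Tuple[str, str]:
    """Return (status, detail). Only status "OK" means the CA will validate."""
    name = f"_acme-challenge.{domain}"
    ans = lookup("public", name, "TXT")
    if ans.rcode == NOERROR and expected in ans.records:
        return "OK", f"{name} publishes the expected value"
    if ans.rcode == NOERROR and ans.records:
        return "WRONG_VALUE", f"{name} has {list(ans.records)}, not {expected!r} (stale record from an earlier run?)"
    if ans.rcode in (SERVFAIL, REFUSED):
        return ans.rcode, f"{ans.rcode} looking up TXT for {name}: fix the public zone before retrying"
    zone, ns = public_nameservers(lookup, domain)
    if not ns:
        return "NO_PUBLIC_NS", f"no public delegation for {domain}: an internal-only zone cannot be validated"
    status = NXDOMAIN if ans.rcode == NXDOMAIN else "NO_TXT"
    return status, f"{name} missing: create the TXT record in the {zone} zone at {', '.join(ns)}"


def thread_scenario() -> FakeDNS:
    """The situation in the thread, reconstructed from the posts (constructed data)."""
    dns = FakeDNS()
    # internal Windows DNS: both records exist, but the CA never asks this server
    dns.add("internal", "_acme-challenge.dblenc.net", "TXT", "Ca_lsuFPMx2ZcJ-ntGOyQ_oGlwtVi1VvI6mQUkXWyuw")
    dns.add("internal", "_acme-challenge.builds.wtm.dev", "TXT", "hjRphxWqKKe8zumfTogFMIfA7s6ytREeR6joJhtELvg")
    # public view: dblenc.net is delegated to Amazon and that zone has no _acme-challenge record
    dns.add("public", "dblenc.net", "NS", "ns-1061.awsdns-04.org")
    # public view: wtm.dev does not resolve (broken DNSSEC chain, servers answer Refused)
    dns.break_zone("public", "wtm.dev", SERVFAIL)
    return dns


if __name__ == "__main__":
    dns = thread_scenario()
    for domain, value in [("dblenc.net", "Ca_lsuFPMx2ZcJ-ntGOyQ_oGlwtVi1VvI6mQUkXWyuw"),
                          ("builds.wtm.dev", "hjRphxWqKKe8zumfTogFMIfA7s6ytREeR6joJhtELvg")]:
        internal = dns.query("internal", f"_acme-challenge.{domain}", "TXT")
        print(f"{domain}: internal nslookup says {internal.rcode} {internal.records}")
        print(f"{domain}: CA's view says", *check_dns01(dns.query, domain, value))
```

Run as-is it reproduces both errors from the thread (NXDOMAIN for dblenc.net, SERVFAIL for builds.wtm.dev) while the internal view happily returns the records, which is exactly the mismatch the nslookup output hides. The NS walk matters for the last case: when no public delegation exists at all, no TXT record anywhere will help, which is the situation for a zone that lives only on the internal server.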

Ok, so for an internal only, non-public facing domain, how would I create an SSL certificate?

@JuergenAuer For wtm.dev, this is only on our internal DNS server. How would I validate this domain and issue a certificate? Thank you for the help!

You can't. Letsencrypt must be able to validate your ownership. You always need a publicly visible DNS entry (TXT or A record).

Many thanks for the clarification and help!
