Let's Encrypt SSL problem

Hi,
I'm new to all these things and I don't understand them. I'm trying to generate a Let's Encrypt certificate. I've tried everything, including steps in PowerShell, but all I get is "DNS problem: NXDOMAIN looking up A for webserver..." or "DNS problem: NXDOMAIN looking up TXT for _acme-challenge". None of these work and I don't know what to do.
I'm working on Direct Admin - tried to connect it there but "Challenge pre-checks for http://drogeriazoya.pl/.well-known/acme-challenge/letsencrypt_1619696064_4e56f52ca98bb888 failed... Command:
/usr/local/bin/curl --connect-timeout 40 -k --silent --resolve drogeriazoya.pl:80:188.116.40.208 --resolve drogeriazoya.pl:443:188.116.40.208 -I -L -X GET http://drogeriazoya.pl/.well-known/acme-challenge/letsencrypt_1619696064_4e56f52ca98bb888
Exiting."

My domain is: drogeriazoya.pl

My hosting provider, if applicable, is: rapiddc

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes but there is no option to work with SSL options.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I ran several tests on drogeriazoya.pl and did not observe anything that would clearly prevent acquisition of a certificate. I did notice that an nginx webserver responds over the IPv4 address (188.116.40.208) associated with the DNS A records of drogeriazoya.pl and www.drogeriazoya.pl. Given that you mentioned PowerShell, which is usually associated with Microsoft Windows, are you trying to acquire your certificate using your home/work computer rather than the server hosting your website?

1 Like

Thank you for your answer.

Yes, I'm using my home computer because I found some tips about PowerShell, but it doesn't work anyway. I just want security for my website, which I got from my hosting and domain provider. I'm working on Sellingo, an e-commerce provider, and I'm not sure it's going to work together.

2 Likes

Can you install certbot on your hosting account?

Here's some key information on how Let's Encrypt certificate issuance works:

1 Like

I've installed certbot and tried by this:
certbot certonly -a manual -d drogeriazoya.pl --preferred-challenges dns

and followed the instruction via Direct Admin but then I got this:
Challenge failed for domain drogeriazoya.pl
dns-01 challenge for drogeriazoya.pl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: drogeriazoya.pl
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.drogeriazoya.pl - check that a DNS record exists
for this domain

2 Likes

When using manual dns-01 authentication, certbot should ask you to manually create a TXT record in your DNS for each domain name covered by your certificate. Each TXT record will have a unique value (right side) given by certbot. It will look like random garbage.

For drogeriazoya.pl, the TXT record will have a host (left side) of _acme-challenge.drogeriazoya.pl.

For www.drogeriazoya.pl, the TXT record will have a host (left side) of _acme-challenge.www.drogeriazoya.pl.

Sometimes the DNS editor interface will automatically add the domain name (drogeriazoya.pl) to the end of the host. This situation is usually evident when you end up with incorrect hosts like _acme-challenge.drogeriazoya.pl.drogeriazoya.pl. In that case, _acme-challenge.drogeriazoya.pl becomes just _acme-challenge and _acme-challenge.www.drogeriazoya.pl becomes just _acme-challenge.www.

You can check to make sure the TXT records exist (have fully propagated) with dig before proceeding with verification in certbot. You may need to give some time (from 30 seconds to possibly an hour) for them to fully propagate and be seen.

certbot certonly --manual --preferred-challenges dns -d "drogeriazoya.pl,www.drogeriazoya.pl" --keep

1 Like
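As an added example (not certbot's code and not from the original thread), here is the pre-flight check described above written as a small POSIX shell script. It derives the record name certbot expects, queries it with dig, and also looks for the common mistake where the DNS editor appends the zone a second time. The function names, the script filename and the token value are assumptions for illustration; dig is assumed to be installed.

```shell
#!/bin/sh
# Pre-flight check for a manual dns-01 challenge (added example, not certbot's own code).
# Assumed inputs: the domain and the token value certbot printed for _acme-challenge.

# Record name certbot expects for DOMAIN.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Name you end up with when the DNS editor silently appends the zone again.
acme_txt_name_doubled() {
    printf '_acme-challenge.%s.%s\n' "$1" "$1"
}

# Read `dig +short TXT` output on stdin (one "quoted" string per line) and
# print the bare values. Lines that are not a single quoted string are dropped.
txt_values() {
    sed -n 's/^"\(.*\)"$/\1/p'
}

# Succeed if one of the values on stdin equals EXPECTED exactly (fixed string, whole line).
has_token() {
    grep -qxF -- "$1"
}

# check_acme_txt DOMAIN EXPECTED
#   returns 0: token is published at the right name
#   returns 2: token found, but at the doubled name (editor appended the zone)
#   returns 1: no matching record visible from this resolver yet
check_acme_txt() {
    domain=$1
    expected=$2
    if dig +short TXT "$(acme_txt_name "$domain")" | txt_values | has_token "$expected"; then
        echo "OK: $(acme_txt_name "$domain") carries the expected token"
        return 0
    fi
    if dig +short TXT "$(acme_txt_name_doubled "$domain")" | txt_values | has_token "$expected"; then
        echo "WRONG NAME: token is published at $(acme_txt_name_doubled "$domain");"
        echo "            enter the host as just _acme-challenge in the DNS editor"
        return 2
    fi
    echo "MISSING: no TXT record with that token at $(acme_txt_name "$domain") yet;"
    echo "         wait for propagation (30 s to an hour) and re-run before continuing in certbot"
    return 1
}

# Usage (assumed filename): sh acme_txt_check.sh drogeriazoya.pl <token-from-certbot>
if [ "$#" -eq 2 ]; then
    check_acme_txt "$1" "$2"
fi
```

Run it after adding the record and before pressing Enter in certbot's manual prompt. Because `dig +short` uses your local resolver, a stale cached answer can hide a record that is already published; querying one of the zone's authoritative servers directly (`dig +short NS drogeriazoya.pl`, then `dig @that-server TXT _acme-challenge.drogeriazoya.pl`) shows what Let's Encrypt's validators will see sooner.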

Followed your and certbot's instructions, but failed again.
Dig says:

id 57795
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
drogeriazoya.pl. IN TXT
;ANSWER
drogeriazoya.pl. 99 IN TXT "v=spf1 a mx include:spf.ex4.pl ~all"
;AUTHORITY
;ADDITIONAL

But certbot again:

dns-01 challenge for drogeriazoya.pl
dns-01 challenge for www.drogeriazoya.pl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: drogeriazoya.pl
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.drogeriazoya.pl - check that a DNS record exists
for this domain

Domain: www.drogeriazoya.pl
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.www.drogeriazoya.pl - check that a DNS record
exists for this domain

:woman_facepalming:

2 Likes

You searched for TXT records of drogeriazoya.pl, which will not help. You need to search for TXT records of _acme-challenge.drogeriazoya.pl.

Did you add the TXT records to your DNS like certbot instructed? They're not added automatically and must be added manually unless you use a dns plugin.

1 Like

Yes, I did and followed certbot instructions.

1 Like

Did you delete the TXT record afterwards? I don't see it at all.

1 Like

I didn't remove anything.
After I give TXT records from certbot do I have to remove any other TXT records that are on my Direct Admin account since beginning and leave it with certbot's TXT only?

1 Like

The other TXT records (like the SPF one for email that you posted above) are needed for other things and won't interfere with Let's Encrypt verifying your domain control. I'm not sure that DirectAdmin is the right place to be adding the _acme-challenge TXT records. You need to add them using the account of your domain name registrar (the company through which you registered drogeriazoya.pl).

Through WHOIS, I see the domain registrar listed as:

Sprint S.A.
Sprint Data Center
ul. Kazimierza Jagiellończyka 26
10-062 Olsztyn
+48895221220
info@sprintdatacenter.pl

1 Like

I am only seeing one TXT record (SPF), unless I'm reading it wrong :thinking:

dig  TXT drogeriazoya.pl

; <<>> DiG 9.16.1-Ubuntu <<>> TXT drogeriazoya.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55656
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;drogeriazoya.pl.		IN	TXT

;; ANSWER SECTION:
drogeriazoya.pl.	100	IN	TXT	"v=spf1 a mx include:spf.ex4.pl ~all"

;; Query time: 273 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Apr 30 09:49:22 PDT 2021
;; MSG SIZE  rcvd: 92

2 Likes

Absolutely correct, @Rip. Try searching _acme-challenge.drogeriazoya.pl and you won't see any.

2 Likes

Unfortunately my domain registrar doesn't let me update anything more than name servers.

1 Like

Hi @lindey

Then your registrar will need to update the records for you if you must use a DNS challenge. They will also need to add the "random string" certbot gives you once you have it.

_acme-challenge.drogeriazoya.pl TXT 

I know nothing about Direct Admin but I think you might find your solution there.

2 Likes

I think it's fairly common for DNS hosting to not actually be associated with the registrar? The registrar needs to let you set what DNS servers you use, but it's quite common for those to be a different company than the registrar itself.

If the nameservers are on ex4.pl, then whatever company owns those (which might be integrated with the hosting) is what needs to get updated.

3 Likes
