Lost TXT Records

I am trying to incorporate Let's Encrypt with my AWS Lightsail instance. I have done this successfully twice before, but this time I mistakenly deleted my TXT records while trying to troubleshoot the connection.

My domain is: blakelein.com

I ran this command: certbot -d blakelein.com -d *.blakelein.com --manual --preferred-challenges dns certonly

My web server is (include version): Apache 2.4.56

The operating system my web server runs on is (include version): Debian 5.10.197

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is: certbot 1.12.0

When I ran the command initially it gave me the TXT Records (one at a time) for the two domain arguments I gave it. I plugged them into the AWS Lightsail interface on my AWS Console. It seemed like everything was good so I closed the shell and tested the SSL cert by visiting the website. I waited a while and it still was not a secure connection. I figured maybe I messed up and needed to try again, so I deleted the TXT records, ran "certbot delete" to delete the certificates on my machine and tried to generate another one for the domain.

It just said "Success!" without giving me the TXT Records again.

Eventually, it locked me out for a week for trying to request more than 5 records. Is there a way to retrieve the TXT Records to put back into my AWS Console, or do I have to wait until that ticket would have expired (May 2024)?

Any help is greatly appreciated!

Then it issued the cert. And then you apparently issued four more, not realizing that you already had what you needed.

When it's time to renew the cert, you'll need to create new TXT records, and certbot will tell you what they are.

5 Likes

The TXT RR is only valid for one specific authorization. Once a TXT RR has been used, it's not useful any longer. Valid authorizations are cached for 30 days and won't require a new TXT RR.

You have issued 5 perfectly fine certificates which you could have used. Hopefully you have backed them up before deleting them?

4 Likes

Thank you for the responses! I am new to this type of thing, so bear with me while I try to understand and figure this out.

As far as I understand it, I issue the cert in the command line, it gives me TXT Records, and then the SSL is set for that/those domains. The reason I issued 4 more was because I didn't have the TXT Records for the cert to plug into my AWS Console; I was trying to get it to send them to me again.

I deleted all but one of them...

Are you saying I don't need to have the TXT Records actively tied into my Lightsail server's DNS Records? If that's not the case, how do I tie the SSL to that Domain?

1 Like

Please tell me you're not using a bitnami image and followed a random tutorial.

2 Likes

The TXT RR is just part of the issuance process and is ephemeral. The TXT RR is NOT the same as a TLS certificate used to "set" "SSL" (SSL is an ancient term for older versions of the now modern TLS protocol).

You need to use the certificate to "set SSL", not the TXT RR.

What does "tie the SSL to a domain" even mean?

2 Likes

You don't tie a cert to a domain. The cert is used by a TLS/SSL service which is Apache in your case. Apache has config lines that refer to the cert files. You could use that same cert in any number of services that handle the domain names in the cert such as mail servers, backend proxies or other.

3 Likes
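As an added example (not code from the thread, Bitnami or AWS): a POSIX shell script that checks whether an already issued certificate file still covers the domain and has not expired, then prints the Apache directives that point at it. The path /etc/letsencrypt/live/blakelein.com is the usual certbot layout and is an assumption; the self-signed certificate is constructed here only so the script runs offline.

```shell
#!/bin/sh
# Added example: verify a certificate on disk before wiring it into Apache.
set -eu

# cert_covers_domain CERT DOMAIN -> 0 if DOMAIN (or a matching wildcard)
# appears in the certificate's subjectAltName, 1 otherwise.
cert_covers_domain() {
    cert="$1"; domain="$2"
    # The SAN list sits on the line after the header in `openssl x509 -text`.
    sans=$(openssl x509 -in "$cert" -noout -text \
           | sed -n '/Subject Alternative Name/{n;p;}' \
           | tr ',' '\n' | sed -n 's/.*DNS://p' | tr -d ' ')
    parent=$(printf '%s' "$domain" | cut -d. -f2-)
    for san in $sans; do
        [ "$san" = "$domain" ] && return 0
        # A wildcard only matches one label, so compare against the parent.
        [ "$parent" != "$domain" ] && [ "$san" = "*.$parent" ] && return 0
    done
    return 1
}

# cert_not_expired CERT SECONDS -> 0 unless CERT expires within SECONDS.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# apache_ssl_directives LIVEDIR -> the vhost lines that reference the files.
apache_ssl_directives() {
    printf 'SSLEngine on\nSSLCertificateFile %s/fullchain.pem\nSSLCertificateKeyFile %s/privkey.pem\n' "$1" "$1"
}

# Constructed stand-in for /etc/letsencrypt/live/blakelein.com: a self-signed
# cert carrying the same SANs the thread's certbot command asked for.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$DEMO/privkey.pem" -out "$DEMO/fullchain.pem" \
    -subj "/CN=blakelein.com" \
    -addext "subjectAltName=DNS:blakelein.com,DNS:*.blakelein.com" 2>/dev/null

for d in blakelein.com www.blakelein.com example.com; do
    if cert_covers_domain "$DEMO/fullchain.pem" "$d"; then
        echo "$d: covered"
    else
        echo "$d: NOT covered by this certificate"
    fi
done
if ! cert_not_expired "$DEMO/fullchain.pem" $((7 * 86400)); then
    echo "certificate expires within 7 days: renew (certbot renew) first"
fi
apache_ssl_directives /etc/letsencrypt/live/blakelein.com
```

Run it against the real file with `cert_covers_domain /etc/letsencrypt/live/blakelein.com/fullchain.pem blakelein.com` to confirm a surviving certificate is usable; `sudo certbot certificates` shows the same information.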

That was a step in the wrong direction.
One should never delete perfectly good certs.

2 Likes

Thanks again for the responses - like I said, I'm new and trying to learn (even if it's the hard way).

Yes it's a bitnami image, but I would not call the tutorial "random." Here is the process I have been following:

(https://docs.aws.amazon.com/en_us/lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-lamp.html)

Maybe this will help communicate the gaps in my explanation.

Mike - does this mean I can still link the SSL/TLS to the domain by adjusting the Apache config files you mentioned?

If you have not deleted all the certs, one can be used [by any program within your server (including Apache)].

3 Likes

With Bitnami, it's often better to use the included tools from Bitnami itself, as in the following tutorial: Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application

That said, that tutorial won't help at this exact moment, as you're rate limited.

You should however be perfectly capable of using the already issued certificate. You can view the certificate with the command sudo certbot certificates.

Also note that Let's Encrypt provides documentation about their service and how it works et cetera: Documentation - Let's Encrypt

4 Likes

Oh, now that I see the tutorial you used you just follow it from step 7. That links your Apache with the certs you got from Certbot.

3 Likes