Make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address

Help
#1

I have a vps slefmanaged server from godaddy running Ubuntu. I installed Mosquitto MQTT Broker and it is running just fine. However, when I tried to install certbot let's encrypt I run into the following issue. Then I tried to run this command:
sudo certbot -d mqtt.burooq.com --manual --preferred-challenges dns certonly
then I added a TXT record to my domain with the following:
Host:
_acme-challenge.mqtt.burooq.com
Value:
eP7vZDXtO9-faQbgZ7sYVXS1B8Oqx9qvoINpahAWA1U
TTL:
1 hour
My domain
I also added a dns record for my subdomain:
Type:
a
Host:
mqtt
Value:
148.66.131.56 (Pointing to my server)
TTL:
1/2 Hour

The domain is pointing to share hosting right now through A records, I tried to point to my server ip address earlier but didn't work where I ran into the same issue.

My domain is:
mqtt.burooq.com
I ran this command:
sudo certbot certonly --standalone --standalone-supported-challenges http-01 -d mqtt.burooq.com
It produced this output:
The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mqtt.burooq.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mqtt.burooq.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mqtt.burooq.com/.well-known/acme-challenge/US4bpFoP9hSSBQKog0PwGm30FLZgzWQCtQG5zQeulNM: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mqtt.burooq.com
    Type: connection
    Detail: Fetching
    http://mqtt.burooq.com/.well-known/acme-challenge/US4bpFoP9hSSBQKog0PwGm30FLZgzWQCtQG5zQeulNM:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu
My hosting provider, if applicable, is:
Godaddy
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

1 Like
#2

Hi @matrixall

you have created the wrong entry, see your check https://check-your-website.server-daten.de/?q=mqtt.burooq.com#txt - ~~30 minutes old:

2020-12-19.mqtt.burooq.com
2020-12-19.mqtt.burooq.com1144×251 8.43 KB

Your menu adds your domain name, so your domain name is duplicated.

Create one entry only with _acme-challenge as domain name, then it should work.

PS: Should look like

server-daten.de.correct.txt.definition
server-daten.de.correct.txt.definition1127×409 14.8 KB

1 Like
#3

I have only one record of TXT with _acme-challenge.mqtt.burooq.com

I'm not sure why it shows multiple in check dns.

1 Like
#4

Depending on the DNS zone editor you're required to end a complete FQDN with a dot, otherwise the entry will be appended with the zone root, most of the time the domain name with TLD.

E.g. a zone file for example.com with entries and the result:

foo.example.com. -> foo.example.com.
bar.example.com -> bar.example.com.example.com.

Note that officially all FQDN end with a dot, but in 99.9999999 % when a FQDN is posted, this dot is missing, as its presence is implicit. However, when dealing with DNS zone editors, this isn't the case.

2 Likes
#5

it looks good now. However, the first issue presists. Failed authorization procedure

1 Like
#6

Please post the entire error message.

#7

The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mqtt.burooq.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mqtt.burooq.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mqtt.burooq.com/.well-known/acme-challenge/8IHxI6_GD1I5jhn8wxD6UzYn4QpyBt2-7rFk3-qXvWE: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mqtt.burooq.com
    Type: connection
    Detail: Fetching
    http://mqtt.burooq.com/.well-known/acme-challenge/8IHxI6_GD1I5jhn8wxD6UzYn4QpyBt2-7rFk3-qXvWE:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

1 Like
#8

Now

D:\temp>nslookup -type=TXt _acme-challenge.mqtt.burooq.com.
...
_acme-challenge.mqtt.burooq.com text =

    "JYYMVbfVSJlqU4xqcZseGG56H5yU4AgbUrKGknpc0iY"

you have created one correct value.

PS: The domain name must be _acme-challenge.mqtt, then the main domain is added.

1 Like
#9

That's not the manual plugin with the DNS challenge you're using, but the standalone plugin, which uses the http-01 challenge.

The standalone plugin could also work if you don't require a wildcard certificate, but should be run on the same host as where the hostname is pointing to and it requires an open port 80.

2 Likes
#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.