I have a vps slefmanaged server from godaddy running Ubuntu. I installed Mosquitto MQTT Broker and it is running just fine. However, when I tried to install certbot let's encrypt I run into the following issue. Then I tried to run this command:
sudo certbot -d mqtt.burooq.com --manual --preferred-challenges dns certonly
then I added a TXT record to my domain with the following:
Host:
_acme-challenge.mqtt.burooq.com
Value:
eP7vZDXtO9-faQbgZ7sYVXS1B8Oqx9qvoINpahAWA1U
TTL:
1 hour
My domain
I also added a dns record for my subdomain:
Type:
a
Host:
mqtt
Value:
148.66.131.56 (Pointing to my server)
TTL:
1/2 Hour
The domain is pointing to share hosting right now through A records, I tried to point to my server ip address earlier but didn't work where I ran into the same issue.
My domain is: mqtt.burooq.com
I ran this command:
sudo certbot certonly --standalone --standalone-supported-challenges http-01 -d mqtt.burooq.com
It produced this output:
The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mqtt.burooq.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mqtt.burooq.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mqtt.burooq.com/.well-known/acme-challenge/US4bpFoP9hSSBQKog0PwGm30FLZgzWQCtQG5zQeulNM: Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu
My hosting provider, if applicable, is:
Godaddy
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0
Depending on the DNS zone editor you're required to end a complete FQDN with a dot, otherwise the entry will be appended with the zone root, most of the time the domain name with TLD.
E.g. a zone file for example.com with entries and the result:
Note that officially all FQDN end with a dot, but in 99.9999999 % when a FQDN is posted, this dot is missing, as its presence is implicit. However, when dealing with DNS zone editors, this isn't the case.
The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mqtt.burooq.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mqtt.burooq.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mqtt.burooq.com/.well-known/acme-challenge/8IHxI6_GD1I5jhn8wxD6UzYn4QpyBt2-7rFk3-qXvWE: Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
That's not the manual plugin with the DNS challenge you're using, but the standalone plugin, which uses the http-01 challenge.
The standalone plugin could also work if you don't require a wildcard certificate, but should be run on the same host as where the hostname is pointing to and it requires an open port 80.
