Hi everyone
- Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
It's not very obvious how to make it wait. You would think it's got to be a certbot flag of some kind, but there is none. (And if you ask GPT it'd happily dream up a non-existent --manual-delay.)
Apparently it's only in one of the examples in the User Guide (Pre and Post Validation Hooks) that you can see how it's done:
# Sleep to make sure the change has time to propagate over to DNS
sleep 25
Maybe it'd save time for newcomers to say explicitly in the docs (or in the error message itself) that you get certbot to wait by sleeping inside the hook script itself, not by passing certbot an option.
Current certbot --help manual
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
options:
-h, --help show this help message and exit
-c CONFIG_FILE, --config CONFIG_FILE
path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)
--http-01-port HTTP01_PORT
Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80.
(default: 80)
--preferred-challenges PREF_CHALLS
A sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first (Eg, "dns" or
"http,dns"). Not all plugins support all challenges. See https://certbot.eff.org/docs/using.html#plugins for details. ACME Challenges are versioned, but if
you pick "http" rather than "http-01", Certbot will select the latest version automatically. (default: [])
manual:
Authenticate through manual configuration or custom shell scripts. When using shell scripts, an authenticator script must be provided. The environment variables available to this
script depend on the type of challenge. $CERTBOT_DOMAIN will always contain the domain being authenticated. For HTTP-01 and DNS-01, $CERTBOT_VALIDATION is the validation string,
and $CERTBOT_TOKEN is the filename of the resource requested when performing an HTTP-01 challenge. An additional cleanup script can also be provided and can use the additional
variable $CERTBOT_AUTH_OUTPUT which contains the stdout output from the auth script. For both authenticator and cleanup script, on HTTP-01 and DNS-01 challenges,
$CERTBOT_REMAINING_CHALLENGES will be equal to the number of challenges that remain after the current one, and $CERTBOT_ALL_DOMAINS contains a comma-separated list of all domains
that are challenged for the current certificate.
--manual-auth-hook MANUAL_AUTH_HOOK
Path or command to execute for the authentication script (default: None)
--manual-cleanup-hook MANUAL_CLEANUP_HOOK
Path or command to execute for the cleanup script (default: None)
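Since the point above is that the waiting has to happen inside the hook, here is an added example (not certbot's code and not from the original post) of a --manual-auth-hook for the dns-01 challenge that, instead of a fixed sleep 25, polls DNS until the _acme-challenge TXT record is actually visible and fails the hook if it never appears, so certbot stops with a clear message rather than asking the CA to look up a record that is not there yet. It uses the $CERTBOT_DOMAIN, $CERTBOT_VALIDATION and $CERTBOT_AUTH_OUTPUT variables from the help text above and assumes dig is installed; publish_txt_record is a hypothetical placeholder to be replaced with your DNS provider's API call, and AUTH_NS is an assumed optional environment variable naming an authoritative nameserver to query.

```shell
#!/bin/sh
# Added example of a certbot --manual-auth-hook for the dns-01 challenge
# (not certbot's own code). Certbot exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION before running the hook; everything the hook prints to
# stdout ends up in $CERTBOT_AUTH_OUTPUT for the cleanup hook, so diagnostics
# go to stderr.
set -eu

# Hypothetical placeholder: replace the body with your DNS provider's API call
# that creates TXT record "$1" with value "$2". It fails loudly until replaced.
publish_txt_record() {
    echo "publish_txt_record: create TXT $1 = \"$2\" with your provider's API" >&2
    return 1
}

# Query the TXT record. dig +short prints each record as a quoted string on
# its own line. Set AUTH_NS (assumed variable) to query an authoritative
# nameserver directly and avoid a cached answer from the local resolver.
lookup_txt() {
    if [ -n "${AUTH_NS:-}" ]; then
        dig +short TXT "$1" "@$AUTH_NS"
    else
        dig +short TXT "$1"
    fi
}

# Succeed only if dig's output contains the expected value as a whole quoted
# string: a stale record from an earlier run, or a longer value that merely
# contains the token, must not count as propagated.
txt_has_value() {
    printf '%s\n' "$1" | grep -Fqx "\"$2\""
}

# Poll every $4 seconds (default 5) for up to $3 seconds (default 120) until
# the record is visible. Prints the seconds waited; returns 1 on timeout.
wait_for_txt() {
    name=$1; expected=$2; deadline=${3:-120}; interval=${4:-5}
    [ "$interval" -ge 1 ] || interval=1   # never spin without sleeping
    waited=0
    while [ "$waited" -lt "$deadline" ]; do
        if txt_has_value "$(lookup_txt "$name")" "$expected"; then
            echo "$waited"
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "$waited"
    return 1
}

main() {
    name="_acme-challenge.${CERTBOT_DOMAIN}"
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    if waited=$(wait_for_txt "$name" "$CERTBOT_VALIDATION" 300 10); then
        echo "TXT for $name visible after ${waited}s; letting certbot proceed" >&2
    else
        echo "TXT for $name still missing after ${waited}s; failing the hook" >&2
        exit 1
    fi
}

# Certbot sets CERTBOT_DOMAIN when it invokes the hook; without it (for
# example when this file is sourced to test the functions) nothing runs.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```

Two design points: the exact-line match in txt_has_value means a leftover TXT value from a previous run (the usual cause of "I waited and it still failed") cannot satisfy the check, and querying the authoritative nameserver via AUTH_NS avoids being fooled by your local resolver's cache, since the CA resolves the name itself and never sees that cache.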