Manually certbot renew with dns challenge, not some dns acme_challenge

pinkilla · February 27, 2018, 8:58am

My context.
I use certbot as no-root user on local box. When certs are generate I push them on my server. I have no problem the first time i ran the command. All is fine. Thanks.

I have this dns record (something like):
_acme-challenge 10800 IN TXT "first-UPvyMipxfho52xawazaa_Qu4HV81bkBimpaf"

when I will renew certs, I use the some command (I read I can’t use renew with manual mode) but I must change dns record. I would like renew manually without editing dns record.

My domain is: https://paste.esigoto.info

I ran this command:
certbot certonly --manual --preferred-challenges dns -d paste.esigoto.info --config-dir . --logs-dir . --work-dir .

It produced this output:

Please deploy a DNS TXT record under the name
_acme-challenge.paste.esigoto.info with the following value:

   second-iaB3xFjnxlRUzR0iON8rIQHMpompompom

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. paste.esigoto.info (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "first-Hcxdec2iYWYRb8g5CYFX-pompompom" found at _acme-challenge.paste.esigoto.info

I understand this output.

Is it possible to not change dns record for manually renew ?
Thanks a lot.

P.

More infos.

My web server is (include version): Apache
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: Debian VM OVH
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

_az · February 27, 2018, 9:27am

Well, what you are saying is, I don't want to go through domain validation again at renewal time. No, you can't do this, because it is part of the rules that Let's Encrypt must follow in order for them to be trusted as a CA.

What you want is to automate the doman validation process: User Guide — Certbot 2.7.0.dev0 documentation

If you want to keep using the DNS challenge, then you need to figure out a way to automate the updating of your Gandi-hosted DNS records from Certbot.

I wrote a blog post previously that shows how to use Lexicon with Certbot to achieve this. Lexicon supports Gandi, so all you will need to do is plug your Gandi API key into the renewal/auth hook, and you will have automated DNS-based certificate renewal.

Alternatively you can use an entirely different Let's Encrypt client, such as Lego, which natively supports Gandi.

Finally, you have the option to change to the HTTP challenge and write a renewal/auth hook that, for example, automatically copies the challenge file to your web server over SSH or FTP.

mnordhoff · February 28, 2018, 2:03am

There are actually some clients that natively support that too, though it's easy to write your own script for as well.

pinkilla · February 28, 2018, 8:24am

I read your ideas and I try with hook and http.

I ran this command:

certbot certonly --manual \
    --preferred-challenges http \
    -d paste.esigoto.info \
     --config-dir . --logs-dir . --work-dir . \
     --manual-public-ip-logging-ok  \
     --manual-auth-hook ../before.sh

my script is:

#! /usr/bin/env bash
echo $CERTBOT_VALIDATION > /tmp/$CERTBOT_TOKEN
scp /tmp/$CERTBOT_TOKEN \
	user@host:/var/www/paste.esigoto.info/.well-known/acme-challenge
rm /tmp/$CERTBOT_TOKEN

It produced this output (cut):

Failed authorization procedure. paste.esigoto.info (http-01): 
urn:acme:error:connection :: The server could not connect to the client to verify the domain :: 
Fetching https://paste.esigoto.info.well-known/acme-challenge/QSKgOHDlcutSmrVE7yNHpvoLk: 
Error getting validation data

I don’t understantd why https://paste.esigoto.info.well-known and no https://paste.esigoto.info/.well-known.

_az · February 28, 2018, 8:30am

Great to see that you got the hook figured out.

The problem is that you have a bad redirect in your webserver configuration.

$ curl -i paste.esigoto.info/blah-blah-blah
HTTP/1.1 301 Moved Permanently
Date: Wed, 28 Feb 2018 08:28:07 GMT
Server: Apache/2.4.25 (Debian)
Location: https://paste.esigoto.infoblah-blah-blah
Content-Length: 332
Content-Type: text/html; charset=iso-8859-1

You need to look for RewriteRule or Redirect in your Apache configuration and also your .htaccess file.

You may find a line that looks like:

Redirect / https://paste.esigoto.info

but it needs to have a trailing slash

Redirect / https://paste.esigoto.info/

(or the RewriteRule equivalent).

pinkilla · March 1, 2018, 11:10am

yes, this trailing slash was the problem. thanks a lot

I write my doc on Une manière de mettre en place un certificat Letsencrypt avec Certbot sans les prévilèges de root

system · March 31, 2018, 11:10am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.