My old SSL certificate has expired, I did not renew and I want to get a new one from scratch, just like I used to, I ran my commands via certbot. Although I deleted the TXT of my old SSL before, I get an error TXT error, what is the reason?
My domain is: vultuslaw.com

I ran this command:
#!/bin/sh

# Waits for proxy to be available, then gets the first certificate.

set -e

until nc -z nginx 80; do
echo "Waiting for proxy..."
sleep 5s & wait ${!}
done

echo "Getting certificate..."
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
chmod +x acme-dns-auth.py
mv acme-dns-auth.py /etc/letsencrypt/

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.$DOMAIN -d $DOMAIN

It produced this output:

django@localhost:~/dj_crm_tenant$ docker-compose -f docker-compose.prod.yml run --rm certbot /opt/certify-init.sh
Creating dj_crm_tenant_certbot_run ... done
Getting certificate...
Connecting to github.com (140.82.121.3:443)
Connecting to raw.githubusercontent.com (185.199.111.133:443)
saving to 'acme-dns-auth.py'
acme-dns-auth.py 100% |********************************************************************************************************************************************************| 5570 0:00:00 ETA
'acme-dns-auth.py' saved
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for *.vultuslaw.com and vultuslaw.com


Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: vultuslaw.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.vultuslaw.com

Domain: vultuslaw.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.vultuslaw.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

My web server is (include version): Nginx - Docker - Django - Certbot - Postgres
certbot/certbot:v1.27.0
nginx:alpine
The operating system my web server runs on is (include version): Ubuntu

Why are you putting executable files in /etc?

Why are you running a manual challenge? That makes automation impossible, defeating one of the main purposes of using an automated certificate authority.

You might consider using the Certbot DNS Linode plugin.

4 Likes

Not with acme-dns as an authentication hook. Using a Linode DNS plugin might also be possible, but acme-dns is meant to secure your DNS zone as usually the token can do way too much next to just adding/removing a simple TXT RR.

Anyway, acme-dns usually works by adding a CNAME in place of the _acme-challenge label pointing it to the acme-dns service. This CNAME RR is not present. @msozkan have you done this before?

3 Likes

Yes, I have done this before, 3 months ago, and it has expired. Now I want to get a new one the same way, but it did not give me any acme_challenge key.

Probably because your acme-dns configuration is still saved. The default location would be /etc/letsencrypt/acmedns.json.

Where did the _acme-challenge.vultuslaw.com CNAME go? It should still have been present from your previous attempt.

3 Likes

Currently I have no CNAME and no TXT record.

If you didn't remove it, kept the default settings and you previously successfully used acme-dns, you can find the value of the CNAME RR for the _acme-challenge label in /etc/letsencrypt/acmedns.json (under "fulldomain").

2 Likes
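The two replies above describe the mechanism (a CNAME at the _acme-challenge label pointing at the acme-dns service) and where the expected target is recorded ("fulldomain" in acmedns.json). The following pre-flight check ties them together; it is an added example, not code from this thread or from the acme-dns-certbot project. It assumes acmedns.json is laid out the way acme-dns-auth.py writes it (a JSON object keyed by base domain, each entry carrying the acme-dns registration), the sample file contents are constructed placeholders, and `dig` is only used when the script is run by hand against live DNS.

```python
#!/usr/bin/env python3
"""Pre-flight check for acme-dns: is the _acme-challenge CNAME still in place?

Assumption: acmedns.json is a JSON object keyed by base domain, each value
holding the acme-dns registration including "fulldomain" (the layout written
by acme-dns-auth.py). Run this before certbot to catch the "No TXT record
found" failure early instead of burning a validation attempt at the CA.
"""
import json
import subprocess
from typing import Callable, Dict, List

# Constructed sample of /etc/letsencrypt/acmedns.json; every value is a placeholder.
SAMPLE_ACMEDNS_JSON = json.dumps({
    "example.com": {
        "username": "00000000-0000-4000-8000-000000000000",
        "password": "placeholder-not-a-real-secret",
        "fulldomain": "11111111-2222-4333-8444-555555555555.auth.acme-dns.example",
        "subdomain": "11111111-2222-4333-8444-555555555555",
        "allowfrom": [],
    }
})

# A resolver takes (name, rrtype) and returns the record data strings it found.
Resolver = Callable[[str, str], List[str]]


def expected_cnames(acmedns_json: str) -> Dict[str, str]:
    """Map each _acme-challenge label to the fulldomain its CNAME must point to."""
    expected: Dict[str, str] = {}
    for domain, account in json.loads(acmedns_json).items():
        # The hook registers the base domain; tolerate a "*." prefix anyway.
        base = domain[2:] if domain.startswith("*.") else domain
        expected[f"_acme-challenge.{base}"] = account["fulldomain"].rstrip(".")
    return expected


def check_delegation(acmedns_json: str, resolve: Resolver) -> List[str]:
    """Return a list of problems; an empty list means the delegation is in place."""
    problems: List[str] = []
    for label, fulldomain in expected_cnames(acmedns_json).items():
        cnames = [c.rstrip(".") for c in resolve(label, "CNAME")]
        if not cnames:
            # The failure in the thread: the CA queries the label directly,
            # finds no TXT there, and reports "No TXT record found".
            problems.append(f"{label}: no CNAME record, CA will find no TXT here")
        elif cnames[0] != fulldomain:
            problems.append(
                f"{label}: CNAME points to {cnames[0]} but acmedns.json expects {fulldomain}"
            )
    return problems


def dig_resolver(name: str, rrtype: str) -> List[str]:
    """Live resolver using `dig +short`; only used when run by hand."""
    out = subprocess.run(["dig", "+short", name, rrtype],
                         capture_output=True, text=True, check=False)
    return [line for line in out.stdout.splitlines() if line]


def stub_resolver(records: Dict[str, List[str]]) -> Resolver:
    """Offline resolver backed by a dict keyed by 'name/TYPE' (for tests)."""
    return lambda name, rrtype: records.get(f"{name}/{rrtype}", [])


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/acmedns.json"
    with open(path) as f:
        issues = check_delegation(f.read(), dig_resolver)
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

Run it with the path to acmedns.json before invoking certbot; a non-zero exit means the CA would fail DNS-01 for the listed label, and the message tells you whether the CNAME is missing or points at the wrong acme-dns subdomain (which is what happens after re-registering without updating the zone).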

I couldn't find any value under the directory; maybe I removed it.

In that case you might want to consider using the Linode DNS plugin as suggested by @linkp earlier. As you're using Docker, you can get this official Certbot DNS plugin at Docker and read more about it in the linked documentation on that page.

The documentation on how to use that plugin can be found here: certbot-dns-linode documentation.

That might or might not be easier than trying to set up acme-dns all over again.

That said, if you don't require a wildcard certificate at all, the above can be simplified even further!

3 Likes