Nextjs-nginx: No TXT record found at _acme-challenge.agoratsp.com

Hello,
For the last couple of days I have been struggling to get an SSL certificate for my web app. I use Nextjs with Nginx and I am trying to use certbot in order to get the certificate. After a lot of searching around I ended up at this specific point where it says "No TXT record found at _acme-challenge.agoratsp.com".
I have run a scan which points out some things I am not quite sure how to fix. Check the scan results here

The rest of the details are listed below

My domain is: agoratsp.com

I ran this command:

```
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.agoratsp.com -d agoratsp.com -v
```

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for *.agoratsp.com and agoratsp.com
Performing the following challenges:
dns-01 challenge for agoratsp.com
dns-01 challenge for agoratsp.com
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.


Press Enter to Continue-v
Waiting for verification...
Challenge failed for domain agoratsp.com
Challenge failed for domain agoratsp.com
dns-01 challenge for agoratsp.com
dns-01 challenge for agoratsp.com

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: agoratsp.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.agoratsp.com

Domain: agoratsp.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.agoratsp.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

My web server is (include version): NextJS latest version

The operating system my web server runs on is (include version): ubuntu 22.04

My hosting provider, if applicable, is: Contabo

My domain provider is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

The nginx config for my website is:

```nginx
server {
        listen       80;
        listen       [::]:80;
        server_name  agoratsp.com www.agoratsp.com;

        include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

        location / {
                # reverse proxy for next server
                proxy_pass http://localhost:3000/;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
                # note: "return" ends the request here, so the proxy_* directives
                # above never take effect for requests that reach this location
                return 301 https://www.agoratsp.com/$request_uri;
        }
        location ^~ /.well-known/acme-challenge/ {
                allow all;
                default_type "text/plain";
                root /var/www/html;
        }
}
```

Thanks in advance!!

1 Like

Hello @architek0, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is a list of DNS providers who easily integrate with Let's Encrypt DNS validation

This is what I see with nslookup; I find it odd that _acme-challenge.agoratsp.com has an IP address but no TXT record.

```
$ nslookup
> server ns1.contabo.net.
Default server: ns1.contabo.net.
Address: 79.143.182.242#53
Default server: ns1.contabo.net.
Address: 2a02:c205:0:882::1#53
> set q=any
> agoratsp.com
;; Connection to 79.143.182.242#53(79.143.182.242) for agoratsp.com failed: timed out.
Server:         ns1.contabo.net.
Address:        79.143.182.242#53

Name:   agoratsp.com
Address: 38.242.206.228
agoratsp.com    mail exchanger = 10 mail.agoratsp.com.
agoratsp.com    nameserver = ns1.contabo.net.
agoratsp.com    nameserver = ns2.contabo.net.
agoratsp.com    nameserver = ns3.contabo.net.
agoratsp.com
        origin = ns1.contabo.net
        mail addr = hostmaster.contabo.de
        serial = 2023020401
        refresh = 3600
        retry = 7200
        expire = 2419200
        minimum = 10800
>
> _acme-challenge.agoratsp.com
;; Connection to 79.143.182.242#53(79.143.182.242) for _acme-challenge.agoratsp.com failed: timed out.
Server:         ns1.contabo.net.
Address:        79.143.182.242#53

Name:   _acme-challenge.agoratsp.com
Address: 38.242.206.228
>
```

1 Like

Maybe this is a simpler nslookup view:

```
$ nslookup -q=a _acme-challenge.agoratsp.com ns1.contabo.net.
Server:         ns1.contabo.net.
Address:        79.143.182.242#53

Name:   _acme-challenge.agoratsp.com
Address: 38.242.206.228
$ nslookup -q=a _acme-challenge.agoratsp.com ns2.contabo.net.
Server:         ns2.contabo.net.
Address:        178.238.234.231#53

Name:   _acme-challenge.agoratsp.com
Address: 38.242.206.228
$ nslookup -q=a _acme-challenge.agoratsp.com ns3.contabo.net.
Server:         ns3.contabo.net.
Address:        5.189.191.29#53

Name:   _acme-challenge.agoratsp.com
Address: 38.242.206.228
$ nslookup -q=txt _acme-challenge.agoratsp.com ns1.contabo.net.
Server:         ns1.contabo.net.
Address:        79.143.182.242#53

*** Can't find _acme-challenge.agoratsp.com: No answer
$ nslookup -q=txt _acme-challenge.agoratsp.com ns2.contabo.net.
Server:         ns2.contabo.net.
Address:        178.238.234.231#53

*** Can't find _acme-challenge.agoratsp.com: No answer
$ nslookup -q=txt _acme-challenge.agoratsp.com ns3.contabo.net.
Server:         ns3.contabo.net.
Address:        5.189.191.29#53

*** Can't find _acme-challenge.agoratsp.com: No answer
```
2 Likes

Thanks for answering!
So to solve my problem I must connect a DNS provider like Cloudflare? I don't quite understand what the process would be. What's currently going on with my web app is that I host it on a Contabo Ubuntu server, so is there anything I can do from there?

Sorry for being too vague; this is my first time setting up an SSL certificate.

3 Likes

No, you need one that

The list I pointed to in Post #2 is just a list of known providers that are easy.

The README.md is here GitHub - joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns
Also in https://github.com/joohoi/acme-dns-certbot-joohoi/blob/master/acme-dns-auth.py
there is ### EDIT THESE: Configuration values ###
Can you show what you edited?

3 Likes

There are 3 Challenge Types - Let's Encrypt

  • HTTP-01 requires Port 80 access on each of the Subject Alternative Name (SAN), cannot do wildcard certificates
  • DNS-01 requires a DNS TXT record for the domain name _acme-challenge.<YOUR_DOMAIN> this is the only challenge that can do wildcard certificates.
  • TLS-ALPN-01 is complicated and hard.

And this

is asking for a wildcard certificate (i.e. *.agoratsp.com)

3 Likes

Please tell us how you've tested this plugin [to be working with your DSP]:

4 Likes

About these: I wasn't aware that I need to configure them and I am not quite sure about the first 3 variables.
Firstly, how can I find these and what are they?

  1. the acmedns url
  2. the acmedns.json

Secondly, the "allow from" list should include the domain of the server plus what ports? 443? 80? 54?

Can you explain what you mean by how?

  1. Configure the variables in the beginning of the hook script file to point to your acme-dns instance. The only value that you must change is the ACMEDNS_URL, other values are optional.

```python
### EDIT THESE: Configuration values ###

# URL to acme-dns instance
ACMEDNS_URL = "https://auth.acme-dns.io"
# Path for acme-dns credential storage
STORAGE_PATH = "/etc/letsencrypt/acmedns.json"
# Whitelist for address ranges to allow the updates from
# Example: ALLOW_FROM = ["192.168.10.0/24", "::1/128"]
ALLOW_FROM = []
# Force re-registration. Overwrites the already existing acme-dns accounts.
FORCE_REGISTER = False
```

ACMEDNS_URL: this would come from your DNS provider.

1 Like

If you would be willing to forgo wildcard certificates by using

-d www.agoratsp.com -d agoratsp.com

Then you could use the HTTP-01 challenge, where the validation TOKEN looks like this:
http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>

For each of the Subject Alternative Names you have a <YOUR_DOMAIN>.

1 Like

From here DNS Spy report for agoratsp.com I see these DNS Records

1 Like

The first time you ran certbot with the acme-dns-auth.py auth hook, the script would have provided you with this information and instructions.

I'm not sure what you mean by this Bruce. Did you mean "acme-dns" provider by any chance?

6 Likes

Yes I did @Osiris, thank you! :slight_smile:

2 Likes

I ran it as you said with the manual hook but it still gives me the same results. I am not sure I understand where I can find the acmedns_url. Should it be somewhere in my hosting provider settings?

Wait I think I got what you said. The acme dns url should be the url the py script provided me the first time I ran it? Is that correct?

I put that in and now it produced a different type of error where it said that it's an invalid link, and for some reason a part of the string was highlighted in a different color. Should I send it here or is it considered sensitive information?

I've never actually used this plugin before, just reading the source and documentation.
Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

OK, thank you very much for your help so far. Do you suggest any other way of approaching this problem?

3 Likes

Probably not. The ACMEDNS_URL value depends on which acme-dns service you're using. Are you self-hosting the acme-dns service? Or are you using the acme-dns.io service?

The instructions should provide you with a value you should put in a CNAME resource record for the _acme-challenge subdomain of your domain.

But it sounds to me like you really need to read more information about what you're currently doing, because I have a feeling you're lacking in the knowledge department currently.

5 Likes
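An offline model of what the replies above describe (the acme-dns hook values and the CNAME delegation of _acme-challenge), written for this thread and not taken from certbot or acme-dns-certbot-joohoi: a small resolver follows a CNAME to the TXT record the way the CA does, showing why a wildcard A record alone yields "No TXT record found", and a check catches the mistake of putting the registration fulldomain (instead of the API base URL) into ACMEDNS_URL. The zones and token are constructed sample data; the fulldomain value is hypothetical.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample zones (not real DNS data): owner name -> record sets.
Zone = Dict[str, Dict[str, List[str]]]

# What the nslookup output in the thread suggests: a wildcard A record answers
# for _acme-challenge.agoratsp.com, but nothing publishes a TXT record there.
ZONE_BEFORE: Zone = {
    "agoratsp.com": {"A": ["38.242.206.228"]},
    "*.agoratsp.com": {"A": ["38.242.206.228"]},
}

# After delegation: a CNAME at _acme-challenge points to the acme-dns
# "fulldomain" (hypothetical value) and the hook writes the TXT there.
ACME_DNS_FULLDOMAIN = "d4a1f0e2-example.auth.acme-dns.example"  # hypothetical
ZONE_AFTER: Zone = dict(ZONE_BEFORE)
ZONE_AFTER["_acme-challenge.agoratsp.com"] = {"CNAME": [ACME_DNS_FULLDOMAIN]}
ZONE_AFTER[ACME_DNS_FULLDOMAIN] = {"TXT": ["constructed-challenge-token"]}


def resolve_txt(zones: Zone, name: str, max_hops: int = 8) -> List[str]:
    """TXT strings at name, following CNAMEs as a validating CA does.
    Wildcard handling is simplified: *.parent answers only if name is absent."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        rrsets = zones.get(name)
        if rrsets is None:
            parent = name.partition(".")[2]
            rrsets = zones.get("*." + parent, {}) if parent else {}
        if rrsets.get("CNAME"):
            name = rrsets["CNAME"][0]  # an owner name carries at most one CNAME
            continue
        return rrsets.get("TXT", [])
    raise ValueError("too many CNAME hops")


def acmedns_url_problem(url: str) -> str:
    """Why a candidate ACMEDNS_URL is unusable, or "" if it looks fine.
    The hook appends /register and /update to it, so it must be the API base
    URL of the acme-dns instance, not the fulldomain handed out at registration."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "missing http:// or https:// scheme"
    if not parsed.netloc:
        return "no host name"
    if parsed.path not in ("", "/"):
        return "should be the API base URL without a path"
    return ""
```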

I am self-hosting it. Indeed the script provided me with a name and a content to put in a CNAME resource. This is the link I copied into the ACMEDNS_URL but it still produced an error saying: Perhaps you meant http://(something).auth.acme-dns.io/update?
Then I changed the value to that, re-ran the script and it produced another error related to the python script itself. I think the problem is in the value itself because when I nano the file some part is colored green and some part colored magenta. I do not know why this happens. It shouldn't; the content is alphanumeric characters.

But indeed I lack knowledge in this field, and I am interested in acquiring more, so if you have any links or concepts you could refer me to, I would be more than glad to study them.

Regardless, thanks a lot for your help

3 Likes