No-ip DNS and certbot

My domain is: lmetv.be

I ran this command:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.lmetv.be -d lmetv.be --dry-run -v

It produced this output:

Failed authorization procedure. lmetv.be (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.lmetv.be - check that a DNS record exists for this domain, lmetv.be (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.lmetv.be - check that a DNS record exists for this domain

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: lmetv.be
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.lmetv.be - check that a DNS record exists for this
    domain

    Domain: lmetv.be
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.lmetv.be - check that a DNS record exists for this
    domain

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version): NA

The operating system my web server runs on is (include version): proxmox 6 (Debian 10)

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

This server is behind an ADSL router with a public IP. I would like to create a certificate that I can use on the proxmox server itself but also on another proxmox server @ OVH and on the various containers and virtual machines I run on them.

I would like to use the manual renewal method as no-ip does not provide an API to maintain DNS records.

I could not create a CNAME that starts with '_' (it seems to be a deliberate choice from no-ip), hence I added a TXT record for _acme-challenge to my lmetv.be A record.

The funny thing is that I can look up the TXT information that certbot seems to be looking for but reports to be missing.

I made several attempts (with just lmetv.be, with just proxmox1.lmetv.be) : they all failed. Note that I recently moved my DNS from my registrar (NETIM) to no-ip. Note also that I wasn't able to register here with an address in my domain and had to use an address at gmail.com.

Thanks in advance.

Marc

Hi @ballama,

How did you check this? It seems to be missing to me too.

Hi @schoen ,

The last test I ran was for droixhe.lmetv.be :

$ dig -t TXT _acme-challenge.droixhe.lmetv.be
; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> -t TXT _acme-challenge.droixhe.lmetv.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24674
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.droixhe.lmetv.be. IN	TXT

;; ANSWER SECTION:
_acme-challenge.droixhe.lmetv.be. 299 IN TXT	"9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io."

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 18 06:06:05 CEST 2021
;; MSG SIZE  rcvd: 128

And still, the same error message :

$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d droixhe.lmetv.be  --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for droixhe.lmetv.be

Waiting for verification...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. droixhe.lmetv.be (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io." found at _acme-challenge.droixhe.lmetv.be

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: droixhe.lmetv.be
   Type:   unauthorized
   Detail: Incorrect TXT record
   "9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io." found at
   _acme-challenge.droixhe.lmetv.be

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

But the error you showed us from Certbot refers to the CA checking _acme-challenge.lmetv.be, not _acme-challenge.droixhe.lmetv.be. So, this result doesn't appear to contradict the error you saw.

_acme-challenge.lmetv.be was one of my first attempts. I had the flags -d lmetv.be -d *.lmetv.be and the following TXT record : _acme-challenge.lmetv.be.

Failed authorization procedure. lmetv.be (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "acfaf683-7faf-48a0-9c93-c708d3b3e87b.auth.acme-dns.io." found at _acme-challenge.lmetv.be

If I understand correctly, certbot does find the TXT record but claims it is incorrect.

As it was failing, I tried to simplify to troubleshoot and did a test with a single host -d droixhe.lmetv.be and the following TXT record : _acme-challenge.droixhe.lmetv.be.

dig finds the TXT record as shown below but certbot says it is incorrect.

$ dig -t TXT _acme-challenge.droixhe.lmetv.be
;; ANSWER SECTION:
_acme-challenge.droixhe.lmetv.be. 299 IN TXT	"9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io."

Failed authorization procedure. droixhe.lmetv.be (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io." found at _acme-challenge.droixhe.lmetv.be

As far as I can see, there is no info in the debug output over the expected value for the TXT record. It just outputs what it finds in the DNS. It could be useful to be able to compare the expected value with the one that it finds.

Please note the difference between the first attempt below (-d droixhe.lmetv.be) for which there is a TXT record...

Failed authorization procedure. droixhe.lmetv.be (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io." found at _acme-challenge.droixhe.lmetv.be

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: droixhe.lmetv.be
   Type:   unauthorized
   Detail: Incorrect TXT record
   "9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io." found at
   _acme-challenge.droixhe.lmetv.be

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

...and the second one, without TXT record :

Failed authorization procedure. d.lmetv.be (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.d.lmetv.be - check that a DNS record exists for this domain

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: d.lmetv.be
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.d.lmetv.be - check that a DNS record exists for
   this domain

Hi @ballama

your content is completely wrong.

Must be something like

_acme-challenge.server-daten.de text = "Kc4k2Kgr26XXNCmJj9I4SQdQIgV1fc4YGwJWr9wDij8"

Looks like you have tried to create a CNAME with _acme-challenge.lmetv.be as domain name, but you have created a wrong TXT entry.

PS: Yep, checking that domain name there are two TXT entries:

D:\temp>nslookup -type=TXT 9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io.
9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io text =
"kTtY4s_-uPBSrVPsc4Oh_g5FKJQm75SUt41HPk5dmbQ"

9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io text =
"V9HvzMwH3l_BL38BmZ07QUZs8btmD68_dQrY53cBlmU"

Hi @JurgenAuer,

could the problem come from the fact that no-ip will not let me create a CNAME record whose alias starts with '_' ?

What I could do was to create a TXT record under lmetv.be. I did so because the error message was mentioning TXT (this is very misleading for those who read the debugging info ;-). However, I read in another post on this site saying that it must be a CNAME.

If this is correct, I'll have to cancel my subscription with no-ip and move to FreeDNS.

Thank you for taking the time to reply to me on a Sunday.

Marc

If you want to use that tool

you have to create a CNAME.

So if your hoster doesn't allow that: Switch your hoster or you can't use that plugin.

If your dns provider allows that, you can use manual without a --manual-auth-hook script.

But then you can't automate it, you have to create / change the required TXT manually.
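To make concrete what the two replies above describe, here is an added example (not code from this thread, from certbot or from acme-dns) that models a dns-01 validation offline. It computes the value the CA expects from the challenge token and the account key thumbprint (RFC 8555 section 8.4 and RFC 7638), then looks up _acme-challenge.<name> in a small in-memory zone, following CNAMEs the way a resolver does, and compares. The account key, token and zone contents are constructed; the acme-dns subdomain name is the one from the dig output earlier in the thread. The three zones show the three outcomes seen in this thread: a TXT record whose content is the acme-dns name is rejected as "Incorrect TXT record", no record at all gives NXDOMAIN, and a CNAME pointing at the acme-dns name succeeds once that name carries the hash.

```python
"""Offline model of a dns-01 validation (RFC 8555 section 8.4).

Added example for this thread; it is not code from certbot, acme-dns or the
original posts.  The zone contents, the challenge token and the account key
below are constructed for illustration.
"""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required members in sorted order."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_txt_value(token, thumbprint):
    """TXT RDATA the CA looks for: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = token + "." + thumbprint
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_txt(zone, name, max_hops=8):
    """Return the TXT strings at name, following CNAMEs as a resolver would.

    zone maps a fully qualified owner name to a list of (rrtype, rdata).
    A missing owner is reported the way the CA reports it: NXDOMAIN.
    """
    for _ in range(max_hops):
        rrset = zone.get(name)
        if rrset is None:
            raise LookupError("NXDOMAIN looking up TXT for " + name)
        cname = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if cname:
            name = cname[0]          # RFC 1034: restart the query at the target
            continue
        return [rdata for rrtype, rdata in rrset if rrtype == "TXT"]
    raise LookupError("CNAME chain too long for " + name)


def validate_dns01(zone, domain, token, thumbprint):
    """Mimic the CA's decision; returns (ok, detail) with ACME-style error types."""
    expected = expected_txt_value(token, thumbprint)
    try:
        found = resolve_txt(zone, "_acme-challenge." + domain + ".")
    except LookupError as exc:
        return False, "urn:ietf:params:acme:error:dns :: DNS problem: " + str(exc)
    if expected in found:            # any one matching TXT string is enough
        return True, "valid"
    return False, ("urn:ietf:params:acme:error:unauthorized :: "
                   "Incorrect TXT record " + repr(found))


# --- constructed inputs -------------------------------------------------------
# Constructed P-256 account key; only the JWK members matter for the thumbprint.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed token
THUMBPRINT = jwk_thumbprint(ACCOUNT_JWK)
EXPECTED = expected_txt_value(TOKEN, THUMBPRINT)
ACME_DNS_NAME = "9dfe990a-8135-4a04-97ab-473c970eb8df.auth.acme-dns.io."

# What the TXT record in this thread amounts to: the acme-dns name stored as text.
ZONE_TXT_WITH_ACME_DNS_NAME = {
    "_acme-challenge.droixhe.lmetv.be.": [("TXT", ACME_DNS_NAME)],
}
# What acme-dns needs: a CNAME to its subdomain, which then carries the hash.
ZONE_CNAME_DELEGATION = {
    "_acme-challenge.droixhe.lmetv.be.": [("CNAME", ACME_DNS_NAME)],
    ACME_DNS_NAME: [("TXT", "hash-left-over-from-an-earlier-run"), ("TXT", EXPECTED)],
}
# No record at all.
ZONE_EMPTY = {}

if __name__ == "__main__":
    for label, zone in (("TXT holding acme-dns name", ZONE_TXT_WITH_ACME_DNS_NAME),
                        ("CNAME delegation", ZONE_CNAME_DELEGATION),
                        ("no record", ZONE_EMPTY)):
        print(label, "->", validate_dns01(zone, "droixhe.lmetv.be", TOKEN, THUMBPRINT))
```

The CA never publishes the expected value in its error; it only echoes what it found. Since the value depends on the account key thumbprint, a TXT string copied from another client, another account or an earlier run can never match, which is also why acme-dns keeps two TXT records on its side: the CA accepts the set as long as one string matches.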

Before you get too far down that road, there are some limitations with FreeDNS that might affect you. You basically can't automate LE challenge records with them unless you actually own the domain you're working with. Free accounts require solving a CAPTCHA to create any records on domains you don't own and you can't create records that start with "_" at all unless you own the domain even if you're a premium user.

Thanks Ryan,

I own two domains (one with my name, the other for my company), so most of the issues you mention should not apply.

I am contemplating the paid service from FreeDNS as long as:

  • my MX records are not deleted automatically when the IP of my domain (lmetv.be) gets updated by the client (this behavior seems to happen with the paid offer of no-ip)
  • I can obtain certificates from letsencrypt using certbot and the dns plug-in (again, no-ip does not allow me to create _acme-challenge CNAME, I would have to go through their helpdesk every other month)

BTW, $60 for FreeDNS is little compared to the price of SSL certificates from commercial providers...

Kind regards.

marc

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.