Not able to issue certificate for subdomain and dns01


#1

Hi

I have no problems creating a certificate for the domain www.mydomain.net or mydomain.net.
But since I have managed DNS on the domain, I also have the DNS name myotherplace.domain.net.
This is located on another site and a different IP address.

I’m able to issue a certificate at that site by opening port 80, but not using dns-01.

This works for the domain:
certbot-auto -d domain.net --manual --preferred-challenges dns certonly

but this does not work, with the correct TXT value in the DNS host settings:
certbot-auto -d myotherplace.domain.net --manual --preferred-challenges dns certonly

Maybe this is how it should be, but I’m not sure?
Maybe the TXT record is only valid on the root domain and not on hosts?
Maybe the better solution is to use the wildcard certificate for both?

Steinar


#2

The most likely explanation is that you incorrectly installed the TXT record for myotherplace, or did not wait long enough for your DNS host to start advertising the updated record.

How did you verify that it’s correct? Did you try a direct nameserver query?

dig +trace _acme-challenge.myotherplace.domain.net TXT

Can you show us the /var/log/letsencrypt/letsencrypt.log that shows the authz URL for that certificate order?


#3

Link: https://acme-v01.api.letsencrypt.org/acme/authz/v5sJxotZkcmt7t_TlOJtdmMWmPKPA5CEIg5SDGoSZc4;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/v5sJxotZkcmt7t_TlOJtdmMWmPKPA5CEIg5SDGoSZc4/5000482713
Replay-Nonce: 96Adu-d5tuNepRnnYTWZhEOi-RfY8L113xgQ4E1w_SE
Expires: Thu, 07 Jun 2018 13:47:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 13:47:25 GMT
Connection: keep-alive


#4

and get this:

"challenges": [
  {
    "type": "dns-01",
    "status": "invalid",
    "error": {
      "type": "urn:acme:error:unauthorized",


#5

Yesterday I waited 3 hours before continuing after saving the TXT records.


#6

The record name is correct, but the record value should have just been ydVLk-4ZVnMEz1Y2BCBS_XfZLbJ9X-Wzj5YNlSMP7k0, not _acme-challenge.hytta.steinkjar.net=ydVLk-4ZVnMEz1Y2BCBS_XfZLbJ9X-Wzj5YNlSMP7k0.
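To make the mistake in #6 mechanically checkable, here is an added example (my own code, not from the thread or from certbot) that derives the dns-01 TXT value from a challenge token and account key thumbprint as RFC 8555 specifies, and classifies the TXT values a resolver returned (for instance from the `dig +trace` query in #2) against that expected value. The token, thumbprint and observed answers below are constructed; the expected value `ydVLk-...` is the one quoted in this thread.

```python
import base64
import hashlib
import re
from typing import List, Tuple

# Shape of the wrong value from this thread: "<record name>=<token>" pasted as the TXT data.
NAME_EQUALS_VALUE_RE = re.compile(r"^_acme-challenge\.[^=\s]+=(.+)$")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT data is base64url(SHA-256(token '.' thumbprint)), no padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_txt_record(name: str, observed: List[str], expected: str) -> Tuple[bool, str]:
    """Explain why an ACME server would (or would not) accept the TXT records seen at `name`."""
    if not name.startswith("_acme-challenge."):
        return False, "record name must be _acme-challenge.<host being validated>"
    # dig prints TXT data quoted; strip the quotes and surrounding whitespace before comparing.
    cleaned = [v.strip().strip('"') for v in observed]
    if expected in cleaned:
        return True, "TXT record present with the expected value"
    if not cleaned:
        return False, "no TXT record served: not created, or authoritative servers not updated yet"
    for value in cleaned:
        match = NAME_EQUALS_VALUE_RE.match(value)
        if match and match.group(1) == expected:
            return False, f"value wrongly includes the record name; set the data to just {expected}"
    return False, "TXT record(s) present but none match the current challenge value (stale token?)"


if __name__ == "__main__":
    # Constructed inputs: a fake token and thumbprint, and the value quoted in this thread.
    print(dns01_txt_value("constructed-token", "constructed-thumbprint"))
    expected = "ydVLk-4ZVnMEz1Y2BCBS_XfZLbJ9X-Wzj5YNlSMP7k0"
    name = "_acme-challenge.hytta.steinkjar.net"
    print(check_txt_record(name, [f'"{name}={expected}"'], expected))
    print(check_txt_record(name, [f'"{expected}"'], expected))
```

Each challenge issues a fresh token, so the expected value must be recomputed for every new `certbot` run rather than reused from an earlier attempt.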


#7

Thanks. I’ll try again tonight.


#8

Thanks.
I was able to issue a certificate now.

