Not able to issue certificate for subdomain and dns01

steinarjoh · June 8, 2018, 10:35am

Hi

I have no problems creating certificate for the domain www.mydomain.net or mydomain.net
But since I have a managed dns on the domain I also have the DNS myotherplace.domain.net.
This is located on another site and different ip adress.

I’m able to issue certificate at that site with opening the port 80 but not using the dns-01.

This works for the domain:
certbot-auto -d domain.net --manual --preferred-challenges dns certonly

but this does not work with the correct TXT value in the dns host setting:
certbot-auto -d myotherplace.domain.net --manual --preferred-challenges dns certonly

Maybe this is how it should be but I’m not sure?
Maybe the TXT record only is valid on the root domain and not hosts?
Maybe the better solution is to use the wildchart certificate for both?

Steinar

_az · June 8, 2018, 10:39am

The most likely explanation is that you incorrectly installed the TXT record for myotherplace, or did not wait long enough for your DNS host to start advertising the updated record.

How did you verify that it's correct? Did you try a direct nameserver query?

dig +trace _acme-challenge.myotherplace.domain.net TXT

Can you show us the /var/log/letsencrypt/letsencrypt.log that shows the authz URL for that certificate order?

steinarjoh · June 8, 2018, 12:26pm

Link: https://acme-v01.api.letsencrypt.org/acme/authz/v5sJxotZkcmt7t_TlOJtdmMWmPKPA5CEIg5SDGoSZc4;rel=“up”
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/v5sJxotZkcmt7t_TlOJtdmMWmPKPA5CEIg5SDGoSZc4/5000482713
Replay-Nonce: 96Adu-d5tuNepRnnYTWZhEOi-RfY8L113xgQ4E1w_SE
Expires: Thu, 07 Jun 2018 13:47:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 13:47:25 GMT
Connection: keep-alive

steinarjoh · June 8, 2018, 12:27pm

and gets this:

“challenges”: [
{
“type”: “dns-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:unauthorized”,

steinarjoh · June 8, 2018, 12:28pm

yesterday I did wait 3 hours before continue after save the TXT records.

mnordhoff · June 8, 2018, 12:28pm

The record name is correct, but the record value should have just been ydVLk-4ZVnMEz1Y2BCBS_XfZLbJ9X-Wzj5YNlSMP7k0, not _acme-challenge.hytta.steinkjar.net=ydVLk-4ZVnMEz1Y2BCBS_XfZLbJ9X-Wzj5YNlSMP7k0.

steinarjoh · June 8, 2018, 1:10pm

Thanks. I’ll try again tonight.

steinarjoh · June 11, 2018, 7:35pm

Thanks.
I was able to issue a certificate now.

system · July 11, 2018, 7:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dns verification fails? Help	5	7346	November 8, 2017
DNS problem: NXDOMAIN looking up TXT error for a wildcard cert request Help	9	2047	January 26, 2021
TXT record not found Help	5	9215	February 2, 2019
How do i manually register subdomains using dns verification? Help	4	3805	December 2, 2017
Error valildating certificate Help	10	1059	August 15, 2021

Not able to issue certificate for subdomain and dns01

Related topics