Not able to verify by DNS for some reason


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
*.oath.coach
*.oathcoaching.com

I ran this command:
On my Mac OS 10.14, I run sudo certbot certonly --manual and get the necessary DNS TXT entries. I added them to my DNS entries but they don’t seem to be propagating out from GoDaddy to the world

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know):

don’t know but I have cPanel access

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

GoDaddy Cpanel

Is there some way that I can upload a file to my domain webserver in order to authenticate?


#2

TXT records exist… but not with the correct name:

_acme-challenge.oath.coach.oath.coach. 3600 IN TXT "EmEJuKL6iqyFo36W1BiV0udCtUtLTg0Q_fpyUu22Yak-mRtc"

_acme-challenge.oathcoaching.com.oathcoaching.com. 3600 IN TXT "7j0LxtLaTwp8WNC5CqoebQRQY30pkjvLro8Numrxz9Y"

You have to enter “_acme-challenge” into your control panel instead of “_acme-challenge.oath.coach” or the other FQDN.

By the way, a wildcard certificate for *.example.com does not apply to https://example.com/. If you want to secure that too, you need to get certificates including both example.com and *.example.com. (And you’ll have to set twice as many TXT records.)

Let’s Encrypt requires DNS validation for wildcard certificates. If you would prefer to use HTTP validation, you can’t use wildcards. (Let’s Encrypt certificates can include up to 100 names.)

Also… Issuing certificates manually is unfortunate. Let’s Encrypt certificates expire in 90 days. It’s easier if you can fully automate renewal. But some GoDaddy hosting plans might not allow that.
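The mistake above (the control panel appending the zone to an already-fully-qualified name) is easy to diagnose mechanically. This added example, not from the thread, computes the relative label to type into such a panel and classifies what a resolver returned; it runs against a constructed snapshot of TXT records instead of live DNS, and the tokens in it are made up.

```python
from __future__ import annotations


def relative_label(fqdn: str, zone: str) -> str:
    """Host part to enter in a panel that appends the zone itself.

    relative_label("_acme-challenge.oath.coach", "oath.coach") -> "_acme-challenge"
    """
    fqdn = fqdn.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if fqdn == zone:
        return "@"  # conventional spelling of the zone apex
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(suffix)]


def diagnose_challenge(zone: str, records: dict[str, list[str]], token: str) -> str:
    """Classify the DNS-01 TXT state for a zone.

    records maps owner names (as a resolver shows them) to TXT strings.
    Returns "ok", "doubled-zone", "stale" or "missing".
    """
    zone = zone.rstrip(".").lower()
    expected = f"_acme-challenge.{zone}."
    doubled = f"_acme-challenge.{zone}.{zone}."  # FQDN typed into a relative field
    # Normalise owner names: lower-case, exactly one trailing dot.
    seen = {name.lower().rstrip(".") + ".": txts for name, txts in records.items()}
    if token in seen.get(expected, []):
        return "ok"
    if token in seen.get(doubled, []):
        return "doubled-zone"
    if seen.get(expected):
        return "stale"  # record exists but carries an older token (likely cached)
    return "missing"


# Constructed snapshot reproducing the doubled-zone mistake (tokens are made up).
SNAPSHOT = {
    "_acme-challenge.oath.coach.oath.coach.": ["token-a"],
    "_acme-challenge.oathcoaching.com.oathcoaching.com.": ["token-b"],
}

if __name__ == "__main__":
    for zone, tok in (("oath.coach", "token-a"), ("oathcoaching.com", "token-b")):
        print(zone, relative_label(f"_acme-challenge.{zone}", zone),
              diagnose_challenge(zone, SNAPSHOT, tok))
```

Feeding in the owner names and TXT strings from `dig _acme-challenge.<zone> txt` output gives the same classification for a live zone.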


#3

THANK YOU!!! It was late at night when I was trying to figure this out last night, but you’ve been a big help.

If I am understanding you correctly, I just need to get 2 certificates for each domain (one plain and one wildcard) in order to secure the various CNAME entries. Do I have that right?


#4

You don’t need multiple certificates. You can have one certificate with multiple names. But if you want https://oath.coach/ and https://oathcoaching.com/ to work – as well as their subdomains – you need to include oath.coach and oathcoaching.com in the certificate(s).


#5

Oh, ok. So if I want email.oath.coach and email.oath.coaching as well as www.* and the bare domain name, I just need one single cert for each domain then? Trying to get things straight in my head.


#6

You can organize it however you want. A single Let’s Encrypt certificate can cover up to 100 names, any number of which can be wildcards (or not), and which don’t have to be related to one another in any particular way (as long as they’re all controlled by the person requesting the certificate!). The certificate will be equally valid for each of the names listed on it.


#7

It’s also required that names on the same certificate not be overlapping, correct?


#8

Yes, that’s a good point. (You’re not allowed to have a name appear twice, or have a wildcard and non-wildcard name that are redundant with one another.)


#9

Good to know, thanks!

Could someone check my DNS for oath.coach and let me know what/if the verification TXT shows?


#10

At the moment, my resolver gets:

_acme-challenge.oath.coach. 3600 IN     TXT     "sfswy3ltpBlXGTiiNckoVvUrKNOC1Z7G6PInD4m6UPA"
_acme-challenge.oath.coach. 3600 IN     TXT     "mslC1_M6i3lXBv9edc85xEXLAuogU0YpBYVLeXprgrM"

#11

I see the same records as @mnordhoff!


#12

Thank you. Could you tell me how you’re getting that, since I don’t seem to be getting the same results as you are. It’s been a few years since I had to go looking for DNS stuff, but nslookup isn’t doing what I thought it should. Probably some Apple weirdness. :smiley:


#13

I was doing “dig _acme-challenge.oath.coach txt”. I don’t use nslookup but it should be possible. Make sure you’re querying for the right name and type.

Your resolver might also have the old results cached (for up to 10 minutes if it didn’t exist, or 1 hour if it did exist, currently).


#14

Dig is doing what I wanted. Not sure why nslookup wasn’t, but it may have been a propagation issue. Thank you.