NXDOMAIN looking up TXT for _acme-challenge.ch.cryptospaceus.com

#1

I’m following this guide: https://hackernoon.com/easy-lets-encrypt-certificates-on-aws-79387767830b which, unfortunately, provides no guidance on how to set up the DNS. I understand that I need to create a TXT record for the challenge to succeed. What I don’t know is what value to use or where to get it. Help?

My domain is: cryptospaceus.com

I ran this command:

DN=cryptospaceus.com
certbot certonly --non-interactive --manual \
      --manual-auth-hook "./auth-hook.sh UPSERT $DN" \
      --manual-cleanup-hook "./auth-hook.sh DELETE $DN" \
      --preferred-challenge dns \
      --config-dir "./letsencrypt" \
      --work-dir "./letsencrypt" \
      --logs-dir "./letsencrypt" \
      --agree-tos \
      --manual-public-ip-logging-ok \
      --domains ch.$DN \
      --email admin@cryptospace.exchange

where the auth hook is defined in the guide I’m following

It produced this output:

Saving debug log to /home/ubuntu/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ch.cryptospaceus.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. ch.cryptospaceus.com (dns-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ch.cryptospaceus.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ch.cryptospaceus.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.ch.cryptospaceus.com

My web server is (include version): nginx/1.14.0

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
WIX

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): v0.23.0

#2

Hi @ekkis

Looks like you have found a solution ( https://check-your-website.server-daten.de/?q=ch.cryptospaceus.com ):

There is a new certificate:

CertSpotter-Id: 910310806
Issuer: CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US
Not before: 2019-05-13 23:08:40
Not after: 2019-08-11 23:08:40
Domain names: ch.cryptospaceus.com
(1 entry, duplicate nr. 1)

and a good-looking TXT entry:

TXT entries (name: value, status, queries/timeouts):

ch.cryptospaceus.com: (no value), ok, 1/0
_acme-challenge.ch.cryptospaceus.com: Ux7wWxAnDvZ87UXyG1vig3zbQQpyxzSnEzMiA8viMVI, looks good, 1/0
_acme-challenge.ch.cryptospaceus.com.cryptospaceus.com: Name Error - The domain name does not exist, 1/0
_acme-challenge.ch.cryptospaceus.com.ch.cryptospaceus.com: Name Error - The domain name does not exist, 1/0

But I can’t see if you use that certificate; https has a timeout.

But if this is an internal domain, that’s not a problem.

#3

Thanks for replying. I think the thing is that the guide I was following is designed to create certificates when your domain is hosted at AWS, because the scripts it provides use the AWS CLI to do the work. In my case, my service is hosted on AWS but the domain is at WIX, so the script isn’t going to work. So now I need to figure out what the standard way of creating certs is.

I tried running certbot without the automation for AWS and it gave me a code I could use to put in the TXT record, but then WIX takes forever to make the record available and certbot waits, but I had to cancel, so now I have to do it again.

Is there a way I can get certbot to give me the value it wants so that I can come back later (when the record is available) and generate the certs?

#4

That can’t work. Your nameserver ( https://check-your-website.server-daten.de/?q=ch.cryptospaceus.com ):

ch.cryptospaceus.com: ns2.wixdns.net (216.239.36.100)

but the script tries to contact AWS. Does Wix support a nameserver API? If not, you have to use --manual; that should always work. But you can’t automate that.

Isn’t it possible to have a running webserver there?

Domainname (IP): Http-Status, seconds, G

http://ch.cryptospaceus.com/ (52.14.145.153): -2, 1.340, V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 52.14.145.153:80
https://ch.cryptospaceus.com/ (52.14.145.153): -14, 10.030, T
    Timeout - The operation has timed out
http://ch.cryptospaceus.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (52.14.145.153): -2, 1.336, V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 52.14.145.153:80
Visible Content: (empty)

http is blocked, so change your firewall settings.
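For the waiting problem described in #3 and the --manual route recommended in #4, here is an added example auth hook, written for this thread and not taken from the guide or from any poster. It assumes certbot's documented CERTBOT_DOMAIN and CERTBOT_VALIDATION hook variables, a local dig, and the ns2.wixdns.net nameserver shown in the check output above (override with NS=).

```shell
#!/bin/sh
# Example --manual-auth-hook for certbot, written for this thread (not the guide's
# auth-hook.sh). certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before running it.
# Instead of calling a DNS API, it prints the TXT record to create at the provider (Wix
# here) and polls the authoritative nameserver until that value is visible, so certbot
# only asks Let's Encrypt to validate once the record has actually propagated.
set -eu

NS="${NS:-ns2.wixdns.net}"    # authoritative nameserver from the check-your-website output
MAX_WAIT="${MAX_WAIT:-1800}"  # seconds to keep polling before failing the hook
INTERVAL="${INTERVAL:-30}"

# has_txt_value EXPECTED DIG_OUTPUT
# DIG_OUTPUT is `dig +short TXT` output, one quoted string per line. Returns 0 when one of
# those strings equals EXPECTED (the challenge value certbot wants published), else 1.
has_txt_value() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        value=${line#\"}    # strip the quotes dig prints around TXT data
        value=${value%\"}
        if [ "$value" = "$expected" ]; then found=0; fi
    done <<EOF
$2
EOF
    return "$found"
}

# wait_for_txt RECORD EXPECTED: poll NS until RECORD carries EXPECTED or MAX_WAIT passes.
wait_for_txt() {
    waited=0
    until has_txt_value "$2" "$(dig +short TXT "$1" "@${NS}")"; do
        if [ "$waited" -ge "$MAX_WAIT" ]; then
            echo "TXT record $1 still not visible at ${NS} after ${MAX_WAIT}s" >&2
            return 1
        fi
        sleep "$INTERVAL"
        waited=$((waited + INTERVAL))
    done
}

# Only act when certbot invoked us (its variables are set); otherwise just define functions.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    record="_acme-challenge.${CERTBOT_DOMAIN}"
    echo "Create this TXT record at your DNS provider, then leave certbot running:"
    echo "  ${record}  TXT  \"${CERTBOT_VALIDATION}\""
    wait_for_txt "$record" "$CERTBOT_VALIDATION"
    echo "Record visible at ${NS}; certbot will now ask Let's Encrypt to validate."
fi
```

Pass it as --manual-auth-hook in place of the guide's AWS hook; the cleanup hook can simply print a reminder to delete the record, since Wix has to be edited by hand either way.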