Problem creating new certificate

My domain is: myvideoimage.com

I ran this command: Renewing an existing certificate for myvideoimage.com and www.myvideoimage.com

It produced this output: (Virtualmin)
Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Use of --manual-public-ip-logging-ok is deprecated.
Renewing an existing certificate for myvideoimage.com and www.myvideoimage.com
Performing the following challenges:
dns-01 challenge for myvideoimage.com
dns-01 challenge for www.myvideoimage.com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain www.myvideoimage.com
Challenge failed for domain myvideoimage.com
dns-01 challenge for www.myvideoimage.com
dns-01 challenge for myvideoimage.com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: myvideoimage.com
    Type: unauthorized
    Detail: Incorrect TXT record "v=DKIM1; k=rsa; t=s;
    p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApDgW6gxtwVwwkRhL49QcK9ppNEV2He3aR..."
    found at _acme-challenge.myvideoimage.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: www.myvideoimage.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.www.myvideoimage.com - check that a DNS record
    exists for this domain

My web server is (include version): NGINX 1.14.1

The operating system my web server runs on is (include version): CentOS Linux 8.3.2011

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin/Webmin - Virtualmin 6.14

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My record Configuration:


Is your DNS provided by the same hosting provider as your website? I.e., do they run on the same server? Because if I read the Webmin letsencrypt-dns.pl correctly, it seems to be using some access to a locally running bind daemon. (Perl documentation is terrible...)


DNS is provided by an external provider who also provides me with domain registration (Vhosting).

The server where the site is hosted is managed directly by me.

The external DNS servers are:
dns1.vhosting-it.com
dns2.vhosting-it.com (this is currently down).

I specify that the provider that manages the DNS zone has recently changed the configuration in the control panel.

Where before I had myvideoimage.com, now I have @.

Does Webmin/Virtualmin offer different methods of authenticating your hostname other than DNS? I'm not familiar with Webmin/Virtualmin.

An update:

I did a test with this utility and I found the error that I report below, what does it depend on? How can I intervene? Thank you

http://myvideoimage.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 93.38.118.232
403

Fatal: Check of /.well-known/acme-challenge/random-filename has a http status 401 / 403 Not Allowed / Forbidden. A http status 404 - Not Found - is expected. Creating a Letsencrypt certificate via http-01 challenge may not work. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.


Hi @pgimagevideo,

That's not relevant to what you're currently trying to do, because @JuergenAuer's site is testing whether the HTTP-01 validation method would be expected to fail, but you're not using that method. You're instead trying to use the DNS-01 validation method. An error associated with one validation method doesn't affect the other.


I thank you for the answer.
Maybe I understand the origin of the problem, but I can't take the test now as I have exceeded the maximum number of attempts.

I had entered a CNAME record for my server name which is called linux1.myvideoimage.com, maybe it conflicted with the myvideoimage.com domain name I configured?

Basically I had these two records:
@ A
linux1 CNAME

Now I have removed linux1 CNAME.

I have to wait to see if it works. What do you think?

I don't understand how this DNS record ever came to exist at all:

_acme-challenge.myvideoimage.com text = "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApDgW6gxtwVwwk" "RhL49QcK9ppNEV2He3aRWXYkTYmnsNLEx4CjwnR5PrdquKABv0EMlV4U8i91b02Nj95227fINh/qSLQT" "SdNCoc+ijRQ1QVJz6Pvb5pxJEKI/LzrNgeLo7uffgXcdf5jni6YnwX/lmKbCh1VGtP7TDv9UeUkrcdq7" "LvipY7glVx4vcbKEkcEVO6dLgNeqKLXOE4fDT+GOShdE7fZ3hkUeGKIGTwoPYMEJKPXpzWLYzsVinsBa" "Nob7yTO0V+iKMk8/ok5JJ6n4o1+sp7y7l2hE/YgKOnukG98wU4lyDV78nVgMr+4a7jJxolqayEqCi6Wx" "rdMfztSQQIDAQAB"

This isn't a Let's Encrypt challenge token, it's a DKIM key—but under the totally wrong DNS name.


It is the key I had already entered when I requested the certificate and it worked at the time. Where do I find the correct key for Let's Encrypt?

I used the value I found in the Virtualmin control panel under: default._domainkey


I don't understand how it ended up at _acme-challenge, though. That's not where DKIM records are supposed to go!

That part is supposed to be handled for you automatically by the script /etc/webmin/webmin/letsencrypt-dns.pl, which is meant to update your DNS records automatically with a token passed to it by the Certbot client. It seems like your Webmin setup doesn't actually have the right credentials to update your DNS records from software, or else somehow your DNS setup has some additional configuration that's taking precedence over the DNS records that Webmin is attempting to create this way.

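To show what the auth hook is supposed to publish, and to check the zone before another rate-limited attempt is spent, here is an added Python example (it is not Webmin's letsencrypt-dns.pl and not Certbot code). It works on a constructed zone snapshot instead of live DNS queries, and all function and variable names are my own.

```python
"""Pre-flight check for a Certbot dns-01 renewal. This is an added example, not
Webmin's letsencrypt-dns.pl or Certbot code; the zone snapshot below is
constructed to mirror the errors in the thread."""
import base64
import hashlib
import re

# A dns-01 TXT value is base64url(SHA-256(token "." account-key-thumbprint)),
# 43 characters with no padding (RFC 8555 section 8.4).
ACME_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")

def expected_dns01_value(token: str, thumbprint: str) -> str:
    """What Certbot computes and hands to the auth hook as CERTBOT_VALIDATION."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def hook_record(env: dict) -> tuple:
    """The TXT record a manual-auth-hook must publish: name and value come
    straight from Certbot's environment, nothing is copied from elsewhere."""
    return (f"_acme-challenge.{env['CERTBOT_DOMAIN']}", env["CERTBOT_VALIDATION"])

def classify_txt(values) -> str:
    """Verdict for the TXT strings found at one _acme-challenge name
    (None means the name does not exist, i.e. NXDOMAIN)."""
    if values is None:
        return "missing: NXDOMAIN, the auth hook never created the record"
    if any(v.lower().startswith("v=dkim1") for v in values):
        return "wrong record: DKIM key pasted here; it belongs at <selector>._domainkey"
    if any(ACME_VALUE_RE.match(v) for v in values):
        return "ok: looks like a dns-01 validation value"
    return "wrong record: not a dns-01 validation value"

def diagnose(domains, zone) -> dict:
    """Map each requested name to a verdict. `zone` maps TXT owner names to
    lists of strings; a missing key stands in for NXDOMAIN."""
    return {d: classify_txt(zone.get(f"_acme-challenge.{d}")) for d in domains}

# Constructed snapshot of the thread's zone (DKIM public key truncated).
ZONE = {
    "_acme-challenge.myvideoimage.com": ["v=DKIM1; k=rsa; t=s; p=MIIBIjANBg..."],
    # no _acme-challenge.www.myvideoimage.com entry at all -> NXDOMAIN
}

if __name__ == "__main__":
    for name, verdict in diagnose(["myvideoimage.com", "www.myvideoimage.com"], ZONE).items():
        print(f"{name}: {verdict}")
```

Against live DNS you would fill the zone dict from TXT lookups at the authoritative servers (dns1/dns2 in this thread) rather than from a resolver cache.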

Sorry, where did you use that value?

I copied it from the "DNS RECORD" tab of my Virtualmin panel and entered it in the card of the provider that manages the DNS zone. Up to the expiration of the old certificate, it did not give any problems. The problem occurred when I tried to renew the certificate.

I tried again to request a new certificate, after removing the linux1 record and leaving @.

But I always get the same error.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: myvideoimage.com
    Type: unauthorized
    Detail: Incorrect TXT record "v=DKIM1; k=rsa; t=s;
    p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApDgW6gxtwVwwkRhL49QcK9ppNEV2He3aR..."
    found at _acme-challenge.myvideoimage.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: www.myvideoimage.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.www.myvideoimage.com - check that a DNS record
    exists for this domain

I found this documentation on the page: Challenge Types - Let's Encrypt - Free SSL/TLS Certificates:

"HTTP-01 challenge

This is the most common challenge type today. Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> . That file contains the token, plus a thumbprint of your account key."

I checked on the server: the folder /.well-known/acme-challenge/ exists, but there is no TOKEN.
I also found this wording:

"Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way)."

My DNS provider's control panel contains record @ A pointing to my server 93.38.118.232. Could this be the problem?


Resolved. I manually installed the certificate. Maybe the problem is Virtualmin not having updated features yet?

