Problem using non-standard port


#1

I have a home webcam server that I want to access via https. Thus, I'm trying to set up a Let's Encrypt certificate. My internet provider (Comcast) provides a non-static IP address and blocks port 443, so I have to use an alternate port and route through a DDNS service (Dynu).

I’m thinking I need to use certbot’s DNS verification to achieve this, and have executed the following command on my server…

sudo certbot certonly --manual --preferred-challenges dns

I specified nelsamia.com for the domain, and created a TXT record in the DNS with the text…

_acme-challenge.nelsamia.com=m17HqrYSurdnIYxxxxxxxxxxxxxxxxxxx

I get an error saying “No TXT record found at _acme-challenge.nelsamia.com”

Where am I going wrong?
Thanks
Eric


#2

Hi @mn1247

if you use dns-challenge, the port is irrelevant.

I can’t find a dns txt entry. Did you create one with the name

_acme-challenge.nelsamia.com

and the value m17HqrYSurdnIYxxxxxxxxxxxxxxxxxxx?

Or did you create one with the name _acme-challenge.nelsamia.com=m17HqrYSurdnIYxxxxxxxxxxxxxxxxxxx without a value?

Perhaps share a screenshot of your dns menu.


#3

Now I see the problem.

D:\temp>nslookup -type=txt nelsamia.com.
nelsamia.com text =

    "_acme-challenge.nelsamia.com=m17HqrYSurdnIYYOR4IC3n7xZyAi61hPNoOi2zehGVY"

You have created a new txt entry with the name nelsamia.com and the wrong content.

The name must be

_acme-challenge.nelsamia.com

and the content must be

m17HqrYSurdnIYYOR4IC3n7xZyAi61hPNoOi2zehGVY

The content will change if you try it again.


#4

Hi @mn1247,

As @JuergenAuer said, you have created the wrong TXT record, as you are using dynu, your TXT record should look like this:

Keep in mind that if the validation already failed, then this token m17HqrYSurdnIYYOR4IC3n7xZyAi61hPNoOi2zehGVY won’t be valid and you should execute the certbot command again, take the new token and update the TXT record on dynu.

Good luck,
sahsanu


#5

That solved it! Thanks so much for all the help.

One follow-up question if I may… how do I auto-renew the certificate? If I type

sudo certbot renew --dry-run

I just get errors about not having an authentication script. Is there an example of how to do this?
Thanks again
Eric


#6

You cannot auto-renew when using --manual.

Consider using acme.sh, which supports automatically renewing via Dynu’s DNS API.

(If you want to keep using Certbot, you can write your own script to talk to the Dynu API and perform the DNS update - https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks)
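The hook approach mentioned in the reply above, as an added example that is not from this thread and not Certbot's or Dynu's own code: a script usable as `--manual-auth-hook`, so that `certbot renew` can re-create the `_acme-challenge` TXT record without a human. Certbot really does export `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook and records the hook path in the renewal configuration; everything about the Dynu HTTP API (base URL, `API-Key` header, JSON field names, the zone id) is an assumption that must be checked against Dynu's API documentation before use. The functions that build the record name and value also show the exact confusion from post #3 (the name goes in the name field, the token alone goes in the content field).

```shell
#!/bin/sh
# Added example (not from the thread, not Certbot's or Dynu's code): a
# --manual-auth-hook for dns-01 renewal. Certbot sets CERTBOT_DOMAIN and
# CERTBOT_VALIDATION when it calls the hook. The Dynu API details below
# (API, DYNU_DNS_ID, header and JSON fields) are ASSUMPTIONS to verify.

ZONE="nelsamia.com"                      # zone hosted at Dynu
DYNU_API_KEY="${DYNU_API_KEY:-}"         # assumed: API key from the Dynu panel
DYNU_DNS_ID="${DYNU_DNS_ID:-}"           # assumed: numeric zone id in Dynu's API
API="https://api.dynu.com/v2"            # assumed base URL

# Record NAME: "_acme-challenge." prefixed to the name being validated.
# Post #3's mistake was putting this whole string into the record content.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Dynu-style "node name": the record name relative to the zone, e.g.
# "_acme-challenge" for the apex, "_acme-challenge.cam" for cam.nelsamia.com.
# Fails if the name is not inside ZONE, so the hook cannot write to the wrong zone.
acme_node_name() {
    fqdn=$(acme_record_name "$1")
    case "$fqdn" in
        *."$ZONE") printf '%s\n' "${fqdn%.$ZONE}" ;;
        *) echo "error: $1 is not in zone $ZONE" >&2; return 1 ;;
    esac
}

# Record VALUE: the validation token verbatim, no name, no "=", no quotes.
acme_record_value() {
    printf '%s\n' "$1"
}

# JSON body for a TXT record (assumed field names). The token is base64url,
# so it needs no JSON escaping.
txt_record_json() {
    printf '{"nodeName":"%s","recordType":"TXT","textData":"%s","ttl":60,"state":true}\n' "$1" "$2"
}

# Create the record via the assumed Dynu endpoint.
dynu_add_txt() {
    curl -fsS -X POST "$API/dns/$DYNU_DNS_ID/record" \
        -H "API-Key: $DYNU_API_KEY" -H 'Content-Type: application/json' \
        -d "$(txt_record_json "$1" "$2")"
}

# Block until a public resolver serves the value: the CA queries right after
# the hook returns and a not-yet-propagated record fails exactly like post #1.
wait_for_txt() {
    name=$1; value=$2; tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short TXT "$name" @1.1.1.1 | grep -Fq "\"$value\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 10
    done
    echo "error: $name never returned value $value" >&2
    return 1
}

# Entry point, only when Certbot is invoking the hook (CERTBOT_VALIDATION set).
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    node=$(acme_node_name "$CERTBOT_DOMAIN") || exit 1
    dynu_add_txt "$node" "$(acme_record_value "$CERTBOT_VALIDATION")"
    wait_for_txt "$(acme_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
fi
```

Usage would be `sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/dynu-auth.sh -d nelsamia.com`; Certbot saves the hook path in the renewal configuration, so a later `certbot renew --dry-run` no longer complains about a missing authentication script. A matching `--manual-cleanup-hook` that deletes the record afterwards (looking it up by node name through the same assumed API) keeps stale tokens from accumulating in the zone; keep the API key out of the script and in a root-only file or environment, since it can change every record in the zone.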


#7

Hi,

I’m also a Comcast Xfinity user.

Comcast does not block any incoming http / https ports, I believe they blocked outgoing connections to SMTP ports. (And there might be other ports that are blocked, I haven’t discovered any yet)

If your http and https ports are blocked, you might want to contact Comcast customer service to sort this out…

Thank you