Recover the ACME TXT Tokens

My domain is: askmate.com.br

Hi, I'm running my website in AWS Lightsail and when I was executing those steps (https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress) I missed out my tokens and now I can't create the TXT records.
How can I recover my tokens? Where do they sit and what commands do I use?

Any help is very much appreciated.

Thanks

Hi @andren,

Unlike some other services that ask you to create a TXT record to prove your control over a site, the Let's Encrypt TXT tokens are different for every certificate request.

That means you should just repeat the entirety of Step 3 in that tutorial. The TXT records will be different this time, but that's OK!

As another note, this tutorial is using the --manual method where you have to create the records yourself (as opposed to other methods where software would perform all of the proof of domain control automatically). Keep in mind that Let's Encrypt certificates are only valid for 90 days so all of these steps would have to be repeated every 90 days (ideally, sooner, such as every 60 days) with this method. You might want to consider whether you can get Let's Encrypt certificates in a different way (the reason that the tutorial uses --manual is that this DNS authentication is required by Let's Encrypt policy for wildcard certificates, with the *.domain, although it is not required if you have a fixed list of names that the certificate will cover, without the *). It might also be possible for you to get certificates from Amazon's own CA instead of from Let's Encrypt.

I'm not familiar with whether or how ACM works with Lightsail (my knowledge of AWS services is somewhat limited). If they do work together, you might have a better experience using Amazon's certificate services because they may be better integrated with other parts of AWS, and offer better automation.

3 Likes
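The point above is that the `_acme-challenge` TXT value is minted fresh for every certificate request, so the only token that matters is the one printed by the current `certbot --manual` run. A check a practitioner wants before pressing Enter at that prompt is whether the record is actually visible in DNS yet. The script below is an added example, not part of the thread or the Lightsail tutorial; it assumes `dig` is installed, uses 1.1.1.1 as an arbitrary public resolver, and treats the token and domain as command-line arguments. It also handles the tutorial's `-d $DOMAIN -d $WILDCARD` case, where both challenges publish under the same name and the answer holds two TXT strings.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record certbot --manual asked
# for is published before telling certbot to continue.  Not certbot's own code.

# acme_txt_present TOKEN DIG_OUTPUT
#   TOKEN      : the value certbot printed for _acme-challenge.<domain>
#   DIG_OUTPUT : text of `dig +short TXT _acme-challenge.<domain>`, one quoted
#                string per line (two lines when a base name and its wildcard
#                are requested together, since both challenges share the name)
# Returns 0 if TOKEN is one of the published values, 1 otherwise.
acme_txt_present() {
  token=$1
  dig_output=$2
  printf '%s\n' "$dig_output" | tr -d '"' | grep -qxF -- "$token"
}

# wait_for_acme_txt DOMAIN TOKEN [RESOLVER] [ATTEMPTS]
#   Polls DNS through RESOLVER (assumed default: 1.1.1.1) every 10 seconds until
#   the token appears or ATTEMPTS (default 12) checks have failed.
wait_for_acme_txt() {
  domain=$1; token=$2; resolver=${3:-1.1.1.1}; attempts=${4:-12}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    out=$(dig +short TXT "_acme-challenge.$domain" "@$resolver")
    if acme_txt_present "$token" "$out"; then
      echo "_acme-challenge.$domain: token visible via $resolver"
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "_acme-challenge.$domain: token not visible after $attempts checks" >&2
  return 1
}

# Usage (does a live lookup only when a domain and token are given):
#   sh check_txt.sh askmate.net.br 'tokenPrintedByCertbot'
if [ $# -eq 2 ]; then
  wait_for_acme_txt "$1" "$2"
fi
```

Run it in a second terminal while certbot waits at its prompt; once it reports the token as visible, let certbot continue. If it never appears, the record was entered on the wrong name or the DNS provider has not published it yet, and continuing would only produce a failed challenge.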

Thanks @schoen, very much appreciated.

I ended up changing my domain to askmate.net.br and redid the full procedure.
The bot was giving 2 options (1 to keep the current certificate or 2 to renew) rather than presenting the tokens again. I gave up.

Now my problem is a different one :frowning:
I completed all steps accordingly and deployed the challenges, however, when I access the website from any browser the certificates are still not recognised.
Try askmate.net.br and you will see it.

Any idea what is going on?

Thanks again.

Your site is showing certificates for askmate.digital instead of askmate.net.br.

There are many limitations of the method described in the tutorial that you followed. First, the command

sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

obtains a new certificate but doesn't configure your web server application to use that certificate. The tutorial provides a partial way of doing that in its Step 7, where it describes creating symbolic links (with ln -s) to replace default Bitnami certificates with your new Let's Encrypt certificate.

The particularly bad thing about this advice is that it assumes that your web server can only have one single certificate. But it looks like you have (or want to have) a separate certificate for askmate.net.br and for askmate.digital. While that's perfectly OK, the tutorial that you followed doesn't provide any procedure that could make this work because it describes setting up a server with only a single hard-coded certificate.

You can check your certificate configuration from Certbot's perspective with the command sudo certbot certificates, but Certbot doesn't know about other copies or names of its certificate files, such as you would get by following Step 7 in the tutorial.

Could you describe how you would like everything to work on your site? Maybe we could suggest a better or different method from this tutorial's advice.

Thanks again @schoen,
Got it. I'm happy to use just askmate.net.br.
Not sure whether or not there is a way of fixing it, removing, deleting or updating this reference related to askmate.digital, but happy to completely get rid of it altogether.

Please advise on how to go ahead with just askmate.net.br :slight_smile:

@schoen I found my way to remove other certificates which are not related to askmate.net.br.
I believe now it is a matter of removing askmate.digital from the tree or something like that.

How can I do this?

I tried the command $ certbot delete -d {domain} but I got an access denied message.

The permission is denied because you didn't use sudo. However, deleting the old certificates is probably not helpful.

For now, why don't you run sudo certbot certificates to make sure of which certificates you have, and then try following Step 7 of the tutorial over again using your new certificate for askmate.net.br instead of askmate.digital?

Since Step 7 relies on having the variable DOMAIN set in your shell, you would also need to do that from Step 3 (that is, DOMAIN=askmate.net.br) before following Step 7.

If you replace the certificate this way, it's likely to at least work for askmate.net.br, which could be a good first step.

(Assuming that works properly, my long-term suggestion would probably be to ask on the Bitnami forums whether anyone has a better tutorial applicable to your situation, because I think that, even though this tutorial is published by Amazon itself, it's not really following the way that Bitnami and the Bitnami community would expect you to do it! For example, we know from other threads here on the Let's Encrypt forum that Bitnami has its own guide for installing Let's Encrypt certificates on Bitnami, and that guide doesn't use Certbot at all!)
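The advice above (run `sudo certbot certificates`, set `DOMAIN`, then redo Step 7's symlinks for the new name) is easy to get slightly wrong: a typo in `DOMAIN` leaves dangling links and a web server that will not start, and nothing tells you afterwards which certificate the server is really pointing at, which is exactly the askmate.digital symptom earlier in the thread. The script below is an added example, not the tutorial's Step 7 and not Bitnami's or Certbot's code. It assumes Certbot's usual layout of `/etc/letsencrypt/live/<domain>/fullchain.pem` and `privkey.pem`, and a Bitnami Apache that reads `server.crt` and `server.key` from `/opt/bitnami/apache2/conf` (check your stack's actual path); both directories are parameters so the functions can also be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example: point the Bitnami Apache certificate files at the Let's Encrypt
# certificate for one domain, refusing to act if that certificate is missing,
# and report which domain's certificate is currently linked.
set -u

# link_le_cert DOMAIN LE_LIVE_DIR BITNAMI_CONF
#   Replaces BITNAMI_CONF/server.crt and server.key with symlinks into
#   LE_LIVE_DIR/DOMAIN.  Fails before touching anything if the certificate
#   files do not exist (wrong DOMAIN, or certbot never issued for it).  The
#   original non-symlink files are kept once as server.crt.bak / server.key.bak.
link_le_cert() {
  domain=$1; le_live=$2; conf=$3
  src_dir="$le_live/$domain"
  for f in fullchain.pem privkey.pem; do
    if [ ! -e "$src_dir/$f" ]; then
      echo "link_le_cert: $src_dir/$f not found; compare with 'sudo certbot certificates'" >&2
      return 1
    fi
  done
  for pair in server.crt:fullchain.pem server.key:privkey.pem; do
    dst=${pair%%:*}; src=${pair#*:}
    # keep the stock Bitnami file as a backup, but only the first time
    if [ -e "$conf/$dst" ] && [ ! -L "$conf/$dst" ] && [ ! -e "$conf/$dst.bak" ]; then
      mv "$conf/$dst" "$conf/$dst.bak"
    fi
    rm -f "$conf/$dst"
    ln -s "$src_dir/$src" "$conf/$dst"
  done
  echo "server.crt/server.key now point at $src_dir"
}

# linked_cert_domain BITNAMI_CONF LE_LIVE_DIR
#   Prints the domain whose Let's Encrypt certificate server.crt links to, or
#   fails if server.crt is not a symlink into LE_LIVE_DIR.  This is the quick
#   way to see the "askmate.digital instead of askmate.net.br" situation.
linked_cert_domain() {
  conf=$1; le_live=$2
  target=$(readlink "$conf/server.crt") || return 1
  case $target in
    "$le_live"/*) d=${target#"$le_live"/}; echo "${d%%/*}" ;;
    *) return 1 ;;
  esac
}

# Usage on the server (assumed paths), then restart Apache as Step 7 does:
#   DOMAIN=askmate.net.br
#   sudo sh relink_cert.sh --apply "$DOMAIN"
#   sh relink_cert.sh --show
if [ "${1:-}" = "--apply" ]; then
  link_le_cert "$2" /etc/letsencrypt/live /opt/bitnami/apache2/conf
elif [ "${1:-}" = "--show" ]; then
  linked_cert_domain /opt/bitnami/apache2/conf /etc/letsencrypt/live
fi
```

The design keeps the tutorial's single-certificate model (one `server.crt`, one `server.key`), which is what the thread settles on once only askmate.net.br matters; it does not try to serve two certificates, which would need per-VirtualHost configuration rather than symlinks. The `--show` mode is the check to run after any change and whenever the browser shows an unexpected name.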