Renewals work, but new issuance does not, with certbot docker

My domain is: ssl-test.lukavalabs.com

I ran this command:
docker run -t --rm certbot/certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.ssl-test.lukavalabs.com -d ssl-test.lukavalabs.com
*note: I left out volume bindings

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.ssl-test.lukavalabs.com and ssl-test.lukavalabs.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

My web server is (include version): NA

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

So I can request renewal certificates and that's fine, they'll renew. However when I try to issue/request new certificates like one listed in the command above, I see the above report output and after pressing Enter nothing happens, it just sits there. I'm completely stumped. I've requested certs on this server before, but it's been a while and now that I need a new one I'm a bit stuck.


New WILDCARD certs (or just regular certs)?

Please show the (non-private parts) of file:
/etc/letsencrypt/acme-dns-auth.py


@rg305 I'm not sure I follow your question about new wildcard certs. As far as I know they were introduced a while back and haven't changed. Anyhow, I'm requesting a certificate that covers the domain ssl-test.lukavalabs.com and all of its subdomains. Thus the -d ssl-test.lukavalabs.com and -d *.ssl-test.lukavalabs.com

The code for acme-dns-auth can be found at acme-dns-certbot-joohoi/acme-dns-auth.py at master · joohoi/acme-dns-certbot-joohoi · GitHub, which makes use of a private server running GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. It's basically using a CNAME to reference a server dishing out the TXT records. Using this tool I can support multiple domains with DNS hosted on various servers without having to have separate plugins for all of them.

You said that you previously issued certs without any problem.
My question is: What type(s) of certs were previously issued?

I know the acme-dns-auth.py [and I have used it without issue]
My concern is that you may have modified it and now it fails.

ALSO, I don't see the CNAME that you speak of.


Ah, both wildcard and single domain certs I've issued previously.

I just downloaded the source from the link I referenced and did a diff, and the only change is the ACMEDNS_URL, pointing it to my own acme-dns server.

Correct, the ssl-test.lukavalabs.com DNS entry doesn't actually exist, but I don't believe it should need to when doing DNS based auth.

Thanks for helping btw!

So where is the CNAME that shifts the TXT record query to your local ACME-DNS?


So where is the CNAME that shifts the TXT record query to your local ACME-DNS?

It's at _acme-challenge.ssl-test.lukavalabs.com


I'm not sure how it worked previously, but it works now. I needed to change the docker argument from -t to -it. The i means interactive, which in this case I'm assuming means it can respond when I press Enter. Duh. I'm still baffled that it worked previously though; maybe there wasn't the interactive prompt in the old version? Anyhow, the full working command is below if others need the solution.

docker run -it --rm certbot/certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.ssl-test.lukavalabs.com -d ssl-test.lukavalabs.com

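The fix above comes down to two flags interacting: certbot's --debug-challenges deliberately stops after the auth hook has run and waits for a keypress on stdin, and docker's -t only allocates a pseudo-terminal, while -i is what actually keeps the container's stdin open and connected to yours. With -t alone the wait can never be satisfied, so certbot appears to hang. The script below is an added example, not code from the thread or from the certbot project: a small pre-flight check that refuses to start a docker certbot run that will prompt without an attached stdin. The volume bindings in DOCKER_OPTS (the original poster left theirs out) are an assumption, as is the choice to guard the real invocation behind a RUN_CERTBOT=1 environment variable so the file can be sourced without touching docker.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for certbot --manual
# inside docker. Assumption: the acme-dns-auth.py hook and the certbot
# config/account live under /etc/letsencrypt on the host and are bind-mounted
# into the container; /var/lib/letsencrypt is mounted for certbot's work dir.
DOCKER_OPTS="-it --rm -v /etc/letsencrypt:/etc/letsencrypt -v /var/lib/letsencrypt:/var/lib/letsencrypt"

# Return 0 if the docker options attach stdin (-i / --interactive, including
# inside a combined short-flag cluster such as -it or -ti); 1 otherwise.
docker_opts_attach_stdin() {
  for opt in "$@"; do
    case "$opt" in
      --interactive) return 0 ;;
      --*) ;;            # any other long option: ignore
      -*i*) return 0 ;;  # short-flag cluster containing i
    esac
  done
  return 1
}

# Return 0 if certbot will stop and wait for a keypress: --manual together with
# --debug-challenges prints "Press Enter to Continue" and then blocks on stdin.
certbot_args_will_pause() {
  manual=0; debug=0
  for arg in "$@"; do
    case "$arg" in
      --manual) manual=1 ;;
      --debug-challenges) debug=1 ;;
    esac
  done
  [ "$manual" -eq 1 ] && [ "$debug" -eq 1 ]
}

# preflight "<docker options>" <certbot args...>
# 0 when the combination can finish; 1 when certbot would wait on a stdin that
# docker never connected (the hang in the thread: -t without -i).
preflight() {
  dopts=$1; shift
  # shellcheck disable=SC2086  # intentional word splitting of the option string
  if certbot_args_will_pause "$@" && ! docker_opts_attach_stdin $dopts; then
    echo "certbot will prompt for input but stdin is not attached:" >&2
    echo "add -i to the docker options (or drop --debug-challenges)" >&2
    return 1
  fi
  return 0
}

# run_certbot "<docker options>" <certbot args...>
# Runs the pre-flight check, then the real container.
run_certbot() {
  preflight "$@" || return 1
  dopts=$1; shift
  # shellcheck disable=SC2086
  docker run $dopts certbot/certbot "$@"
}

# Real invocation only when explicitly requested, so the file can be sourced
# (and the functions tested) without docker being present.
if [ "${RUN_CERTBOT:-0}" = "1" ]; then
  run_certbot "$DOCKER_OPTS" certonly --manual \
    --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py \
    --preferred-challenges dns --debug-challenges \
    -d '*.ssl-test.lukavalabs.com' -d ssl-test.lukavalabs.com
fi
```

Two things worth noting from the check: a --manual run that uses --manual-auth-hook and omits --debug-challenges does not pause, which is why an unattended renewal can succeed while a debug-mode issuance hangs; and any other interactive certbot prompt (for example the e-mail and terms-of-service questions on a first-time account) needs -i for the same reason.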
