Some challenges have failed

My domain is:
api.pay.425yx.com

I ran this command:
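Python script:

    import pexpect

    # Manual dns-01 run: certbot asks about IP logging, then waits at "Press Enter to Continue"
    certbot_cmd = "/usr/bin/certbot certonly --renew-by-default -d {} --manual --preferred-challenges dns".format(domain)
    self.logger.info(certbot_cmd)
    f = open('spawn.log', 'wb')
    child = pexpect.spawn('/bin/bash', ['-c', certbot_cmd], logfile=f, timeout=300)
    # expect() takes a regular expression, so the literal parentheses are escaped
    i = child.expect(r'\(Y\)es/\(N\)o:')

    if i == 0:
        # sendline() appends the newline itself; an extra "\n" would be read as the Enter for the next prompt
        child.sendline("Y")
        i = child.expect("Press Enter to Continue", timeout=30)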

It produced this output:

Waiting for verification…
Challenge failed for domain api.pay.425yx.com
dns-01 challenge for api.pay.425yx.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: api.pay.425yx.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.api.pay.425yx.com - check that a DNS record exists
    for this domain

Note: I already added the DNS TXT record _acme-challenge.api.pay, and dig is OK with 8.8.8.8

My web server is (include version):
nginx 1.5

The operating system my web server runs on is (include version):
centos7.8

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.5.0

/var/log/letsencrypt/letsencrypt.log:

Hi @shangz

there - api.pay.425yx.com - Make your website better - DNS, redirects, mixed content, certificates - is no TXT entry visible.

But see the name server part of your check: Some of your name servers have timeouts.

And critical:

X Nameserver Timeout checking Echo Capitalization: f1g1ns1.dnspod.net / 129.211.176.187
X Nameserver Timeout checking Echo Capitalization: f1g1ns1.dnspod.net / 14.215.150.17
X Nameserver Timeout checking Echo Capitalization: f1g1ns1.dnspod.net / 14.215.155.156
X Nameserver Timeout checking Echo Capitalization: f1g1ns1.dnspod.net / 14.215.155.170
X Nameserver Timeout checking Echo Capitalization: f1g1ns2.dnspod.net / 101.226.220.16

Echo capitalization support is checked via Letsencrypt. If that doesn't work, that may produce a Servfail.

When I run the challenge from the Linux terminal, the challenge succeeds with the DNS TXT record:
/usr/bin/certbot certonly --renew-by-default -d api.pay.425yx.com --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for api.pay.425yx.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.api.pay.425yx.com with the following value:

WqYDmisqiVqew441rKrhdNqsxFHiAoC_BGDFky-O8d4

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/api.pay.425yx.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/api.pay.425yx.com/privkey.pem
    Your cert will expire on 2020-10-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

How can I do the challenge with Python pexpect???

You have created a valid certificate. So the problem is solved.

I don't understand your question.

PS: The screen of that edit form is a little bit buggy - so two parts. Scrolling isn't possible.

PPS: If someone has the same problem: Edit form - fullscreen, not possible to reduce the height. Solution: Hide preview, then it's possible to create a smaller window.

I don't know how to integrate the following with your Python script, but certbot uses the options --manual-auth-hook and --manual-cleanup-hook to point to a script which would put the TXT record into the zonefile (auth hook) and a script which would cleanup the TXT records after the challenge has been performed. See the certbot documentation about hooks for more info.

Also I'd like to add that using renew-by-default is NOT recommended for production use. I would also like to remind you of the staging environment, where testing like this should be done!

1 Like
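A sketch of the auth hook mentioned in the reply above, as an added example that is not code from the thread or from certbot: a script passed via `--manual-auth-hook` that deploys the TXT value and returns only once every authoritative nameserver serves it. `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are set by certbot for hooks; `publish_txt` is a hypothetical placeholder for the DNS provider's API, `DNS_ZONE` is an assumed variable the caller sets, and `dig` is assumed to be installed.

```python
#!/usr/bin/env python3
# Added example: certbot --manual-auth-hook for dns-01 (not certbot's own code).
import os
import subprocess
import sys
import time


def publish_txt(name, value):
    # Hypothetical placeholder: replace with your DNS provider's API call.
    raise NotImplementedError("create TXT %s = %s at your DNS provider" % (name, value))


def dig(rtype, name, server=None):
    # "dig +short" prints one record per line; TXT data comes wrapped in quotes.
    cmd = ["dig", "+short", rtype, name] + (["@" + server] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def missing_on(name, value, nameservers, lookup=dig):
    # Nameservers that do not yet serve the expected TXT value.
    return [ns for ns in nameservers if value not in lookup("TXT", name, ns)]


def wait_until_visible(name, value, nameservers, lookup=dig,
                       attempts=30, delay=10, sleep=time.sleep):
    # Let's Encrypt validates against the authoritative servers, so poll each
    # of them instead of trusting a single public resolver such as 8.8.8.8.
    for _ in range(attempts):
        if not missing_on(name, value, nameservers, lookup):
            return True
        sleep(delay)
    return False


def main(env=os.environ, publish=publish_txt, lookup=dig, sleep=time.sleep):
    domain = env["CERTBOT_DOMAIN"]        # set by certbot
    value = env["CERTBOT_VALIDATION"]     # set by certbot: TXT value to deploy
    zone = env["DNS_ZONE"]                # assumption: set by the caller
    name = "_acme-challenge." + domain
    publish(name, value)
    nameservers = lookup("NS", zone)
    ok = bool(nameservers) and wait_until_visible(name, value, nameservers, lookup, sleep=sleep)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

With a hook like this, certbot no longer stops at the interactive prompts, so the pexpect wrapper is not needed for the challenge step.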
