Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: nlclass.nl
I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d nlclass.nl
I forgot to add *.nlclass.nl, so when I tried this command again I got an error:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d nlclass.nl -d *.nlclass.nl
It produced this output:
Existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/nlclass.nl.conf). It contains: nlclass.nl
Domain: nlclass.nl
Type: none
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nlclass.nl - check that a DNS record exists for this domain
The operating system my web server runs on is (include version):
Ubuntu 18.04.3 (LTS) x64
My hosting provider, if applicable, is:
Domain name from namecheap.
Domain server (droplet) from DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
digital ocean control panel
command line (ubuntu)
and
virtualmin
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0
Thank you. "I also think those in the screenshot aren’t your actual dns records: are you configuring the right nameservers?"
--> Yes, I set those exact DNS records from the printscreen.
" (Anyhow, you should use single quotes around wildcards -d '*.nlclass.nl' otherwise your shell might get in the way)"
--> I used \*.nlclass.nl (a backslash before the asterisk), but this forum automatically removes the backslash.
No, that's not a file, that's the output of a tool that queries dns servers.
ABSOLUTELY NOT.
If you're using acme-dns, you should only have a CNAME record like this:
_acme-challenge 3600 in CNAME somethingsomething.auth.acme-dns.io
If you're going to use your provider's API (digitalocean should be supported by most clients, and by certbot in particular) you should have nothing on _acme-challenge, because the client will create and destroy the records when it needs to do so.
But you should really make sure that those are your actual dns records, because they look really different to me. Where are you editing them from?
"If you’re using acme-dns, you should only have a CNAME record"
Yes, in the printscreen there is only 1 CNAME record. After I got the error message which says:
NXdomain looking up TXT for _acme-challenge.nlclass.nl - check that a DNS record exists for this domain
I then added a TXT record, which didn't help. I will remove the TXT record now.
Question:
Should I change something in the letsencrypt renewal conf file?
Also:
SSL works on my domain: nlclass.nl
SSL does not work on my subdomain: wp2.nlclass.nl
What is the best way to renew it so that the subdomain also works?
Now you need to follow me carefully: I can see your CNAME/TXT record, but only if I query host.nlclass.nl directly.
# dig @host.nlclass.nl txt _acme-challenge.nlclass.nl
; <<>> DiG 9.16.1-Ubuntu <<>> @host.nlclass.nl txt _acme-challenge.nlclass.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25611
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cf011098da4d8f78996846625f324bf4f95ec637de063f8d (good)
;; QUESTION SECTION:
;_acme-challenge.nlclass.nl. IN TXT
;; ANSWER SECTION:
_acme-challenge.nlclass.nl. 3600 IN CNAME cae0c757-6268-45db-b8d2-061af219d161.auth.acme-dns.io.
;; Query time: 11 msec
;; SERVER: 178.128.244.70#53(178.128.244.70)
;; WHEN: Tue Aug 11 09:42:44 CEST 2020
;; MSG SIZE rcvd: 150
But the issue is that host.nlclass.nl is not an authoritative name server for nlclass.nl, whose authoritative nameservers are ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com.
My advice would be to use those. (find the right control panel in digitalocean's website -- webmin is not it.)
But if you want to use host.nlclass.nl, you need to log in to your registrar's panel (whoever you bought your domain from) and set it as a nameserver (also: it's really inadvisable to use a single nameserver; find a backup), without forgetting to add a glue record -- and keep it up to date, which is a totally avoidable pain in the ass: use digitalocean's nameservers.
# dig @ns2.dns.nl ns nlclass.nl
; <<>> DiG 9.16.1-Ubuntu <<>> @ns2.dns.nl ns nlclass.nl
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11435
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0812dbde428f533255572bd65f324c8680c2a681a65b01fc (good)
;; QUESTION SECTION:
;nlclass.nl. IN NS
;; AUTHORITY SECTION:
nlclass.nl. 3600 IN NS ns1.digitalocean.com.
nlclass.nl. 3600 IN NS ns2.digitalocean.com.
nlclass.nl. 3600 IN NS ns3.digitalocean.com.
;; Query time: 3 msec
;; SERVER: 2001:67c:1010:10::53#53(2001:67c:1010:10::53)
;; WHEN: Tue Aug 11 09:45:10 CEST 2020
;; MSG SIZE rcvd: 137
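The two dig runs above show the whole diagnosis: the parent zone (.nl) delegates nlclass.nl to the DigitalOcean nameservers, while the _acme-challenge CNAME only exists on host.nlclass.nl, which is not one of them, so the CA gets NXDOMAIN. The script below is an added example, not code from the thread or from certbot/acme-dns: it parses dig's text output, reads the delegation from the parent's AUTHORITY section, and checks whether the server on which the challenge record was found is actually one of the delegated nameservers. The first two sample outputs are the thread's own dig runs trimmed to the relevant lines; the third (NXDOMAIN from ns1.digitalocean.com, with a placeholder server address) is constructed to show the failing case the CA saw.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a dig ANSWER or AUTHORITY section."""
    name: str
    ttl: int
    rtype: str
    rdata: str


# owner  ttl  class  type  rdata   (dig's default presentation format)
_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$", re.IGNORECASE)


def parse_dig(output: str) -> dict:
    """Extract status, responding server and the records per section from dig output."""
    result = {"status": None, "server": None, "ANSWER": [], "AUTHORITY": []}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            if m:
                result["status"] = m.group(1)
        elif line.startswith(";; SERVER:"):
            # ";; SERVER: 178.128.244.70#53(178.128.244.70)" -> "178.128.244.70"
            result["server"] = line.split()[2].split("#")[0]
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]  # QUESTION, ANSWER, AUTHORITY, OPT ...
        elif not line or line.startswith(";"):
            continue  # comment lines and the question line
        elif section in result:
            m = _RR_RE.match(line)
            if m:
                result[section].append(RR(m.group(1).rstrip(".").lower(), int(m.group(2)),
                                          m.group(3).upper(), m.group(4).rstrip(".").lower()))
    return result


def delegated_nameservers(parent: dict, zone: str) -> set:
    """NS hostnames the parent zone delegates `zone` to (a referral puts them in AUTHORITY)."""
    zone = zone.rstrip(".").lower()
    return {rr.rdata for rr in parent["AUTHORITY"] + parent["ANSWER"]
            if rr.rtype == "NS" and rr.name == zone}


def diagnose_acme_challenge(zone: str, parent_output: str, challenge_output: str,
                            queried_server: str) -> dict:
    """
    A CA validating dns-01 follows the parent's delegation, so the challenge
    record only counts when it is served by one of the delegated nameservers.
    `queried_server` is the hostname passed to dig with '@' for challenge_output.
    """
    parent = parse_dig(parent_output)
    challenge = parse_dig(challenge_output)
    ns = delegated_nameservers(parent, zone)
    name = f"_acme-challenge.{zone.rstrip('.').lower()}"
    records = [rr for rr in challenge["ANSWER"]
               if rr.name == name and rr.rtype in ("CNAME", "TXT")]
    authoritative = queried_server.rstrip(".").lower() in ns
    return {
        "delegated_ns": sorted(ns),
        "queried_server_is_authoritative": authoritative,
        "status": challenge["status"],
        "challenge_records": records,
        "visible_to_ca": authoritative and challenge["status"] == "NOERROR" and bool(records),
    }


# Copied from the thread's dig runs, trimmed to the lines the parser needs.
PARENT_NS_OUTPUT = """\
; <<>> DiG 9.16.1-Ubuntu <<>> @ns2.dns.nl ns nlclass.nl
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11435
;; QUESTION SECTION:
;nlclass.nl. IN NS
;; AUTHORITY SECTION:
nlclass.nl. 3600 IN NS ns1.digitalocean.com.
nlclass.nl. 3600 IN NS ns2.digitalocean.com.
nlclass.nl. 3600 IN NS ns3.digitalocean.com.
;; SERVER: 2001:67c:1010:10::53#53(2001:67c:1010:10::53)
"""
CHALLENGE_AT_HOST_OUTPUT = """\
; <<>> DiG 9.16.1-Ubuntu <<>> @host.nlclass.nl txt _acme-challenge.nlclass.nl
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25611
;; QUESTION SECTION:
;_acme-challenge.nlclass.nl. IN TXT
;; ANSWER SECTION:
_acme-challenge.nlclass.nl. 3600 IN CNAME cae0c757-6268-45db-b8d2-061af219d161.auth.acme-dns.io.
;; SERVER: 178.128.244.70#53(178.128.244.70)
"""
# Constructed: the delegated nameserver before the CNAME was added there (placeholder address).
CHALLENGE_AT_DO_OUTPUT = """\
; <<>> DiG 9.16.1-Ubuntu <<>> @ns1.digitalocean.com txt _acme-challenge.nlclass.nl
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;_acme-challenge.nlclass.nl. IN TXT
;; AUTHORITY SECTION:
nlclass.nl. 1800 IN SOA ns1.digitalocean.com. hostmaster.nlclass.nl. 1 10800 3600 604800 1800
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

if __name__ == "__main__":
    for server, out in (("host.nlclass.nl", CHALLENGE_AT_HOST_OUTPUT),
                        ("ns1.digitalocean.com", CHALLENGE_AT_DO_OUTPUT)):
        r = diagnose_acme_challenge("nlclass.nl", PARENT_NS_OUTPUT, out, server)
        print(f"@{server}: authoritative={r['queried_server_is_authoritative']} "
              f"status={r['status']} records={len(r['challenge_records'])} "
              f"visible_to_ca={r['visible_to_ca']}")
```

Run it and both rows come out `visible_to_ca=False`: the first because host.nlclass.nl is not in the delegation, the second because the delegated server answers NXDOMAIN. The record only helps once both conditions hold at the same server, which is exactly what adding the CNAME in the DigitalOcean control panel achieves.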
" This looks better, but I’m not sure what you’re trying to do. That looks like you’re trying to get a wildcard for *.wp2.nlclass.nl"
--> Yes, I am trying to set *.nlclass.nl. But it gives me an error (in any of the 3 windows for setting up DNS records, see printscreen) and I have no idea where to look to fix SSL for wp2.nlclass.nl.
Question: Where should I look?
Question: Why does SSL work for nlclass.nl and not for wp2.nlclass.nl?
“I also think those in the screenshot aren’t your actual dns records: are you configuring the right nameservers?”
--> You are right, I posted the DNS records from VirtualMin/WebMin.
Below are the DNS records from the control panel (of DigitalOcean). Are the DNS records set correctly?
Thank you for your answer. After I added this DNS record (*.nlclass.nl) it worked, because now https://wp2.nlclass.nl has SSL. This thread is solved. Thanks, have a nice day.