Troubles with certbot duplicate certificate renewal using dns challenge acme-dns-certbot

Tried to renew certificates using certbot dns challenge/validation using acme-dns-auth.py but it errors out, basically with no DNS for the domain or no DNS TXT records existing. Yet I can do an nslookup or dig lookup for the nutthause.com domain and all of the sub domains, and I can do nslookup type=txt for the domain and its sub-domains. It shows the TXT records I created for the acme-dns-auth.py challenge. Not sure what is wrong, I followed this digitalocean tutorial:
https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04

Basically I want to renew my certificates using a dns validation as I used to be able to with "certbot-auto certonly --standalone-supported-challenges tls-sni-01 -d nutthause.com -d helios.nutthause.com -d silo-omv.nutthause.com -d silo2-omv.nutthause.com -d media2.nutthause.com -d www.nutthause.com", but this is no longer allowed.

Perhaps I created the DNS TXT record incorrectly. Here is an example of the TXT record I created for the nutthause.com domain:

Host                          Text                                  TTL
acme-challenge.nutthause.com  4a306f34-3e24-4a71-9b79-c19691fce8e0  300 sec

Question 1:
My domain is:
nutthause.com

Question 2:
I ran this command:
2A:
First Time:
sudo /usr/bin/certbot --duplicate certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d helios.nutthause.com -d media.nutthause.com -d media2.nutthause.com -d silo-omv.nutthause.com -d silo2-omv.nutthause.com -d www.nutthause.com -d nutthause.com


2B:
Second Time after changing the Txt record to be like the one I listed above:
sudo /usr/bin/certbot --duplicate certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d helios.nutthause.com -d media.nutthause.com -d media2.nutthause.com -d silo-omv.nutthause.com -d silo2-omv.nutthause.com -d www.nutthause.com -d nutthause.com

Question 3:
It produced this output:
3A:
Output from first time:
sudo /usr/bin/certbot --duplicate certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d helios.nutthause.com -d media.nutthause.com -d media2.nutthause.com -d silo-omv.nutthause.com -d silo2-omv.nutthause.com -d www.nutthause.com -d nutthause.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for helios.nutthause.com
dns-01 challenge for media2.nutthause.com
dns-01 challenge for silo-omv.nutthause.com
dns-01 challenge for silo2-omv.nutthause.com
dns-01 challenge for media.nutthause.com
dns-01 challenge for nutthause.com
dns-01 challenge for www.nutthause.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y
Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.helios.nutthause.com CNAME 929f7071-acc6-4b2d-9b9b-8540f167286e.auth.acme-dns.io.

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.media2.nutthause.com CNAME 1d6ec31f-9da5-4476-9983-27a737c35bd5.auth.acme-dns.io.

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.silo-omv.nutthause.com CNAME 72eda225-f677-4d2e-aa54-92abe063bd10.auth.acme-dns.io.

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.silo2-omv.nutthause.com CNAME 67df6c8f-812f-415f-bc73-1e1bd66e79e7.auth.acme-dns.io.

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.media.nutthause.com CNAME 687a8d42-ba0d-421f-b0bf-0b4b2d3bc76f.auth.acme-dns.io.

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.nutthause.com CNAME 4a306f34-3e24-4a71-9b79-c19691fce8e0.auth.acme-dns.io.

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.www.nutthause.com CNAME 5b34ead1-c91e-4cd6-b339-8b38f031dc4c.auth.acme-dns.io.

Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. media2.nutthause.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.media2.nutthause.com - check that a DNS record exists for this domain, media.nutthause.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.media.nutthause.com - check that a DNS record exists for this domain, silo2-omv.nutthause.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.silo2-omv.nutthause.com - check that a DNS record exists for this domain, www.nutthause.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.nutthause.com - check that a DNS record exists for this domain, nutthause.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.nutthause.com, silo-omv.nutthause.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.silo-omv.nutthause.com - check that a DNS record exists for this domain, helios.nutthause.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.helios.nutthause.com - check that a DNS record exists for this domain

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: media2.nutthause.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.media2.nutthause.com - check that a DNS record
    exists for this domain

    Domain: media.nutthause.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.media.nutthause.com - check that a DNS record
    exists for this domain

    Domain: silo2-omv.nutthause.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.silo2-omv.nutthause.com - check that a DNS record
    exists for this domain

    Domain: www.nutthause.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.www.nutthause.com - check that a DNS record exists
    for this domain

    Domain: silo-omv.nutthause.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.silo-omv.nutthause.com - check that a DNS record
    exists for this domain

    Domain: helios.nutthause.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.helios.nutthause.com - check that a DNS record
    exists for this domain

  • The following errors were reported by the server:

    Domain: nutthause.com
    Type: unauthorized
    Detail: No TXT record found at _acme-challenge.nutthause.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.


3B:
Output from Second Time after changing DNS TXT record as I listed above:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for helios.nutthause.com
dns-01 challenge for media2.nutthause.com
dns-01 challenge for nutthause.com
dns-01 challenge for silo-omv.nutthause.com
dns-01 challenge for silo2-omv.nutthause.com
dns-01 challenge for www.nutthause.com
dns-01 challenge for media.nutthause.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. silo2-omv.nutthause.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “67df6c8f-812f-415f-bc73-1e1bd66e79e7” found at _acme-challenge.silo2-omv.nutthause.com, helios.nutthause.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “929f7071-acc6-4b2d-9b9b-8540f167286e” found at _acme-challenge.helios.nutthause.com, nutthause.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “4a306f34-3e24-4a71-9b79-c19691fce8e0” found at _acme-challenge.nutthause.com, media.nutthause.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “687a8d42-ba0d-421f-b0bf-0b4b2d3bc76f” found at _acme-challenge.media.nutthause.com, silo-omv.nutthause.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “72eda225-f677-4d2e-aa54-92abe063bd10” found at _acme-challenge.silo-omv.nutthause.com, media2.nutthause.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “1d6ec31f-9da5-4476-9983-27a737c35bd5” found at _acme-challenge.media2.nutthause.com, www.nutthause.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “5b34ead1-c91e-4cd6-b339-8b38f031dc4c” found at _acme-challenge.www.nutthause.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: silo2-omv.nutthause.com
    Type: unauthorized
    Detail: Incorrect TXT record “67df6c8f-812f-415f-bc73-1e1bd66e79e7”
    found at _acme-challenge.silo2-omv.nutthause.com

    Domain: helios.nutthause.com
    Type: unauthorized
    Detail: Incorrect TXT record “929f7071-acc6-4b2d-9b9b-8540f167286e”
    found at _acme-challenge.helios.nutthause.com

    Domain: nutthause.com
    Type: unauthorized
    Detail: Incorrect TXT record “4a306f34-3e24-4a71-9b79-c19691fce8e0”
    found at _acme-challenge.nutthause.com

    Domain: media.nutthause.com
    Type: unauthorized
    Detail: Incorrect TXT record “687a8d42-ba0d-421f-b0bf-0b4b2d3bc76f”
    found at _acme-challenge.media.nutthause.com

    Domain: silo-omv.nutthause.com
    Type: unauthorized
    Detail: Incorrect TXT record “72eda225-f677-4d2e-aa54-92abe063bd10”
    found at _acme-challenge.silo-omv.nutthause.com

    Domain: media2.nutthause.com
    Type: unauthorized
    Detail: Incorrect TXT record “1d6ec31f-9da5-4476-9983-27a737c35bd5”
    found at _acme-challenge.media2.nutthause.com

    Domain: www.nutthause.com
    Type: unauthorized
    Detail: Incorrect TXT record “5b34ead1-c91e-4cd6-b339-8b38f031dc4c”
    found at _acme-challenge.www.nutthause.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Question 4:
My web server is (include version):
nginx -v
nginx version: nginx/1.10.3 (Ubuntu)

Question 5:
The operating system my web server runs on is (include version):
Linux Mint 18 (Ubuntu 16.04)

Question 6:
My hosting provider, if applicable, is:
ZoneEdit Domains

Question 8:
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

Question 9:
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Question 10:
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version
certbot 0.31.0
acme-dns-certbot

Thanks for making it to the end:
Steve

Hello Steve :slightly_smiling_face:

  1. Your certbot version is ancient (0.31.0)

  2. It’s _acme-challenge.nutthause.com

  3. You usually use TXT records, not CNAMEs, with dns-01 challenges. But in your case, per @_az, you need to create CNAMEs instead.

  4. Ever consider getting a wildcard certificate for nutthause.com and *.nutthause.com?

I think you are getting mixed up between the TXT records that Let’s Encrypt needs, and the CNAME records that acme-dns uses.

Take, for example:

What you have done is created a TXT record at _acme-challenge.helios.nutthause.com with the value of 929f7071-acc6-4b2d-9b9b-8540f167286e.

But that’s not what it’s asking you to do. It’s asking you to create a CNAME record which points to the acme-dns server (929f7071-acc6-4b2d-9b9b-8540f167286e.auth.acme-dns.io.)! The acme-dns server will then serve up the correct TXT record automatically (thanks to your acme-dns hook).

It may be worth carefully re-reading the parts about how acme-dns works and how it uses DNS delegation to do its job.

It’s definitely a worthwhile approach and I think you should stick with it.

@_az

Interesting… and yet so confusing. Why on earth did they do that?

Best to read about it on https://github.com/joohoi/acme-dns.

acme-dns exists to automate DNS challenges when there is no straightforward or secure way to do it directly via your DNS host.

@_az

Thanks for the tip. Just wish automation and frustration didn’t rhyme so much. :slightly_smiling_face:

SOLVED !!! Thanks for the input above to all who answered, especially _az. OK, I did in fact create CNAME records for nutthause.com, and I have successfully renewed my certificates. What was confusing to me were the warnings I was getting creating the CNAME records at the DNS host ZoneEdit. But for anyone needing the correct CNAME format to use with the acme-dns-certbot dns challenge script acme-dns-auth.py, see https://github.com/joohoi/acme-dns-certbot-joohoi.
Example:
Alias (CNAME) records; for example, ZoneEdit has this layout:

HOSTADDRESS                    Value                                                   TTL
_acme-challenge.nutthause.com  4a306f34-3e24-4a71-9b79-c19691fce8e0.auth.acme-dns.io.  300 sec

Hope this helps someone else.

I have a follow-up question: what will be the effect if I want to just use a wildcard subdomain, *.nutthause.com? Yes, I agree with griffin above that it would be easier to just use a wildcard rather than all of the subdomains I have now. What happens to the certificates that I have created for my subdomains? Do I have to do something with them before I can renew next time if I just want *.nutthause.com and .nutthause.com?

Thanks for the replies they help me! :sunglasses:


Just noticed certificate only renewed for helios.nutthause.com but not for the root nutthause.com or any of the other sub-domains. Why didn’t the root domain and the other sub domains renew?

sudo /usr/bin/certbot --duplicate certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d helios.nutthause.com -d media.nutthause.com -d media2.nutthause.com -d silo-omv.nutthause.com -d silo2-omv.nutthause.com -d www.nutthause.com -d nutthause.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/helios.nutthause.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/helios.nutthause.com/privkey.pem
    Your cert will expire on 2020-12-03. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

You did get a certificate issued today:

https://crt.sh/?id=3334776065

        commonName                = helios.nutthause.com

        X509v3 Subject Alternative Name: 
            DNS:helios.nutthause.com
            DNS:media.nutthause.com
            DNS:media2.nutthause.com
            DNS:nutthause.com
            DNS:silo-omv.nutthause.com
            DNS:silo2-omv.nutthause.com
            DNS:www.nutthause.com

There are several possible causes for your troubles:

  1. You need to restart nginx after installing new certificates.
  2. When you use certonly, there is no installation process used for your new certificate.
  3. --duplicate tells Certbot to create a separate, unrelated certificate with the same domains as an existing certificate. This certificate is saved completely separately from the prior one. Most users will not need to issue this command in normal circumstances.
  4. None of your domains are responding on ports 443 or 80. Probably because of #1 (meaning that nginx is currently shutdown and not restarted).

Just create a new certificate for nutthause.com and *.nutthause.com between now and then and you're golden. Keep in mind that the dns record you'll need to create for *.nutthause.com is _acme-challenge.nutthause.com, not _acme-challenge.*.nutthause.com. I would recommend using --cert-name nutthause.com in your command to create a new certificate folder under nutthause.com to make your life simpler. After your wildcard certificate is working you can view your certificates with certbot certificates and clean up your old certificate with certbot delete --cert-name helios.nutthause.com.
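The delegation model explained above (TXT vs. CNAME, the ZoneEdit CNAME in the SOLVED post, and the wildcard note) as an added, self-contained example; this is not code from the thread or from the acme-dns project. It models a resolver over two constructed zones: the user's zone at the registrar and the acme-dns zone, and reproduces the three stages seen in the thread (record at the wrong name, bare UUID in a TXT, CNAME delegation). The UUID and CNAME target come from the thread's hook output; the key authorization is a placeholder.

```python
import base64
import hashlib

ACME_DNS_ZONE = "auth.acme-dns.io."
UUID = "4a306f34-3e24-4a71-9b79-c19691fce8e0"          # from the thread's hook output
TARGET = UUID + "." + ACME_DNS_ZONE                      # the CNAME target it asked for

def dns01_txt_value(key_authorization):
    """RFC 8555 s8.4: the TXT value is base64url(SHA-256(keyAuthorization)), unpadded.
    The CA derives it per order; the hook pushes it to acme-dns, never to your zone."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# Constructed key authorization: <token>.<account-key-thumbprint> (placeholder values).
EXPECTED_TOKEN = dns01_txt_value("constructed-token.constructed-thumbprint")
# What the acme-dns server answers for the delegated name (constructed sample).
ACME_DNS_RECORDS = {TARGET: ("TXT", EXPECTED_TOKEN)}

def challenge_name(fqdn):
    """Where the CA looks: _acme-challenge.<name>; a wildcard uses its base name."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn
    return "_acme-challenge." + base + "."

def resolve_txt(zone, name, depth=0):
    """Follow CNAMEs from the user's zone into the acme-dns zone, as a resolver would."""
    if depth > 8:
        return ("SERVFAIL", None)                        # CNAME loop / chain too long
    rr = zone.get(name) or ACME_DNS_RECORDS.get(name)
    if rr is None:
        return ("NXDOMAIN", None)
    rtype, value = rr
    if rtype == "CNAME":
        return resolve_txt(zone, value, depth + 1)
    return ("TXT", value) if rtype == "TXT" else ("NODATA", None)

def validate(zone, fqdn):
    """Mimic the CA's dns-01 lookup; messages mirror the ones quoted in the thread."""
    name = challenge_name(fqdn)
    label = name.rstrip(".")
    status, value = resolve_txt(zone, name)
    if status == "NXDOMAIN":
        return "NXDOMAIN looking up TXT for " + label
    if status == "TXT" and value == EXPECTED_TOKEN:
        return "valid"
    if status == "TXT":
        return 'Incorrect TXT record "%s" found at %s' % (value, label)
    return "No TXT record found at " + label           # NODATA or SERVFAIL

# Constructed zones for nutthause.com, one per stage of the thread.
ZONE_NO_UNDERSCORE = {"acme-challenge.nutthause.com.": ("TXT", UUID)}    # first attempt
ZONE_BARE_UUID_TXT = {"_acme-challenge.nutthause.com.": ("TXT", UUID)}   # second attempt
ZONE_DELEGATED = {"_acme-challenge.nutthause.com.": ("CNAME", TARGET)}   # SOLVED post
```

Only the delegated zone validates, and it does so for both nutthause.com and *.nutthause.com because both resolve through the same _acme-challenge.nutthause.com CNAME.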