TXT Challenge failed for domain - Certbot -Wildcard - MacOS

Issue:
TXT Challenge failed for domain - Certbot -Wildcard - MacOS

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

My domain is:
ans.red

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I ran this command:

AnasPRO:~ anas$ sudo certbot certonly --manual -d *.ans.red -d and.red --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Password:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

Obtaining a new certificate

Performing the following challenges:

dns-01 challenge for and.red

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name

_acme-challenge.and.red with the following value:

lJFwN3pkJP4t96VDpSwasoQmECIi8DCllWMzZY_GymA

Before continuing, verify the record is deployed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Details:

; <<>> DiG 9.10.6 <<>> _acme-challenge.ans.red TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37920
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;_acme-challenge.ans.red. IN TXT

;; ANSWER SECTION:
_acme-challenge.ans.red. 1799 IN TXT "8r9OyaJSlOch5RezBf_TjTMyFVU6vXeq0LTcaktNX7g"
_acme-challenge.ans.red. 1799 IN TXT "KPB4X0MERieAwqxY-lPdWuT3WqJsGcrWLGCsy6QDchM"
_acme-challenge.ans.red. 1799 IN TXT "L6qK1CLJ0YrnRIw_VV7hr6kH-xIGmshUhNq8oxwXT3w"
_acme-challenge.ans.red. 1799 IN TXT "ZFuj89TYdhJxuz0aK3RVIGMYYvWV3dqWB9JVBulVMfI"
_acme-challenge.ans.red. 1799 IN TXT "bNhc9HPC3OH6Kx7Z5LvkkJMLT8twm5T0jammY18rblE"
_acme-challenge.ans.red. 1799 IN TXT "fEe0cdUUSYvqh804d8K2TL_4-cbRMPkZHp7MrbbyvFA"
_acme-challenge.ans.red. 1799 IN TXT "lJFwN3pkJP4t96VDpSwasoQmECIi8DCllWMzZY_GymA"
_acme-challenge.ans.red. 1799 IN TXT "y0_DYWfWZudrnur_DuTfZnQ1-wq0vZwb8IDyYJyuMzQ"

;; Query time: 70 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Jun 07 18:04:09 EDT 2020
;; MSG SIZE  rcvd: 523

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Details:

https://crt.sh/?q=ans.red

Attached screenshot of Namecheap TXT records

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

My web server is (include version):
N/A

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The operating system my web server runs on is (include version):

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

My hosting provider, if applicable, is:
Namecheap

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I can login to a root shell on my machine (yes or no, or I don't know):
It's MacOS and yes, I have sudo access

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A

Please advise and help.

Thanks
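As an added example (not code from the thread or from Certbot): a small POSIX shell check that confirms the exact _acme-challenge name certbot printed carries the token it printed, to run before pressing Enter in the manual dns-01 flow. It parses "dig +noall +answer" output; SAMPLE is a constructed copy of two of the answers from the dig output above, and 1.1.1.1 is the resolver that output was taken from.

```shell
#!/bin/sh
# Before pressing Enter in certbot's manual dns-01 flow, confirm that the exact
# name certbot printed (here _acme-challenge.and.red, not .ans.red) has a TXT
# record containing the token it printed. A name typo shows up here as "no such
# record" instead of as a failed challenge later.

# Print the TXT strings for one fully qualified name (with trailing dot),
# reading "dig +noall +answer" output on stdin.
txt_values_for() {
    awk -v name="$1" '$1 == name && $4 == "TXT" { gsub(/"/, "", $5); print $5 }'
}

# Return 0 when the token is among the TXT values in the given dig output.
# $1 = dig output text, $2 = name with trailing dot, $3 = expected token.
txt_has_token() {
    out="$1"; name="$2"; token="$3"
    printf '%s\n' "$out" | txt_values_for "$name" | grep -qxF -- "$token"
}

# Live check: query the resolver used in the thread (1.1.1.1) for the name
# certbot asked for. $1 = name as printed by certbot (no trailing dot), $2 = token.
check_live() {
    answer=$(dig @1.1.1.1 +noall +answer "$1" TXT)
    txt_has_token "$answer" "$1." "$2"
}

# Constructed sample: two of the eight answers from the dig output in the post above.
SAMPLE='_acme-challenge.ans.red. 1799 IN TXT "8r9OyaJSlOch5RezBf_TjTMyFVU6vXeq0LTcaktNX7g"
_acme-challenge.ans.red. 1799 IN TXT "lJFwN3pkJP4t96VDpSwasoQmECIi8DCllWMzZY_GymA"'
```

Run check_live with the name and value from certbot's prompt; against the sample above, the ans.red name matches while the and.red name that certbot actually asked for does not.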

It was a typo in the command

The correct one is:

AnasPRO:~ anas$ sudo certbot certonly --manual -d *.ans.red -d ans.red --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

So now, the question is how to copy the actual cert files to a folder so I can use them to upload manually to a webserver?

AnasPRO:~ root# cd /private/etc/letsencrypt/live
AnasPRO:live root# ls
README ans.red
AnasPRO:live root# cd ans.red
AnasPRO:ans.red root# ls
README cert.pem chain.pem fullchain.pem privkey.pem
AnasPRO:ans.red root#

Please advise.

How do you normally move any file from any system to any other system?
[SCP, SFTP, RSYNC, WinSCP, etc.]


Hey @rg305

I have access to the Certbot/Let's Encrypt directory in the macOS Finder

AnasPRO:ans.red root# pwd
/private/etc/letsencrypt/live/ans.red
AnasPRO:ans.red root# ls
README cert.pem chain.pem fullchain.pem privkey.pem
AnasPRO:ans.red root#

I am not sure why they are showing up as "Shortcuts" instead of actual files.

The exception is the readme file, which I can open and view the content of, as you can see from the screenshot above.

Any idea?

Thanks


Because they are shortcuts.
Those names (in that folder) never change and will point to the latest cert files.


@rg305 aha! That makes sense now.

So where can I find the original cert files to copy them for later manual use on a webserver?

Thanks


And I found the file locations.

They are located at:

/private/etc/letsencrypt/archive/ans.red

AnasPRO:ans.red root# ls -1
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem
AnasPRO:ans.red root#

All good now. Thanks


Just so you are fully aware:
As the cert gets renewed, the number will increment.
So next time it will be cert2.pem and then cert3.pem and so on …
But the shortcut will always be at the same file location.
If possible, you should try to use the shortcut instead of choosing the files individually.


I think some macOS users might get confused about the permissions if they run Certbot as root from the command line (probably with sudo) but then view the certificate files in the macOS GUI as a regular user. Running Certbot with sudo on the command line gives it administrative permissions and allows it to create files (as it does) which can themselves only be read with administrative permissions. In that case the graphical interface seen by a regular user account would not be able to directly read the content of those files.

A good practice if you use Certbot on a macOS desktop and need the resulting certificates to be sent or placed somewhere else is to specify an additional command or script with --deploy-hook when running Certbot. The deploy hook script will be run automatically by Certbot (with the same permissions as Certbot itself) when a new certificate is obtained, including by certbot renew, and could perform tasks such as copying the files to another machine or directory, as long as you can tell it how to do these tasks with a command-line command.

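As an added example of the --deploy-hook approach just described (not code from the thread or from Certbot): a hook script that copies the renewed lineage out of the root-only letsencrypt tree into a directory a regular user can read, dereferencing the live/ shortcuts so the copies are real files rather than symlinks, and then checks that the copied private key matches the copied certificate. RENEWED_LINEAGE is the variable Certbot exports to deploy hooks; DEPLOY_DIR and DEPLOY_OWNER are hypothetical values for this example.

```shell
#!/bin/sh
# Certbot deploy hook: certbot ... --deploy-hook /path/to/this/script
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/ans.red) to the hook.
# DEPLOY_DIR and DEPLOY_OWNER are assumed values for this example, not Certbot settings.
set -e
DEPLOY_DIR="${DEPLOY_DIR:-/Users/Shared/certs}"   # hypothetical staging directory
DEPLOY_OWNER="${DEPLOY_OWNER:-}"                  # hypothetical user; empty = leave root-owned

# Copy fullchain.pem and privkey.pem from a lineage directory into $2/<name>.
# cp -L follows the live/ symlinks, so the archive/*N.pem targets are what land
# in the destination. The key stays 0600; an owner is applied only if given.
deploy_lineage() {
    lineage="$1"; dest="$2"; owner="$3"
    name=$(basename "$lineage")
    mkdir -p "$dest/$name"
    chmod 700 "$dest/$name"
    cp -L "$lineage/fullchain.pem" "$dest/$name/fullchain.pem"
    cp -L "$lineage/privkey.pem"   "$dest/$name/privkey.pem"
    chmod 644 "$dest/$name/fullchain.pem"
    chmod 600 "$dest/$name/privkey.pem"
    if [ -n "$owner" ]; then chown -R "$owner" "$dest/$name"; fi
}

# Return 0 when the private key ($2) belongs to the certificate ($1): compares the
# SHA-256 of the public key extracted from each, so a stale key is caught before upload.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); harmless when sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE" "$DEPLOY_DIR" "$DEPLOY_OWNER"
    name=$(basename "$RENEWED_LINEAGE")
    key_matches_cert "$DEPLOY_DIR/$name/fullchain.pem" "$DEPLOY_DIR/$name/privkey.pem"
fi
```

Because the hook runs with Certbot's own (root) permissions, the destination directory is the only place the regular user needs read access, and the key copy never becomes world-readable.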
