Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is: mydomain.com
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I am trying to get an SSL cert for my Home assistant server installed on RP3. I am using DNS verification and have created the txt records. Based on some googling I added some additional records with a trailing â.â and a couple with the www added. My dns verification still fails with a no TXT record found. I am sure I have something wrong with the txt records (other than not needing the www ones) but I cannot figure out what is wrong.
You have concatenated the _acme-challenge part with the token part. Those two items are NOT to be one thing, they are separate entities.
The _acme-challenge part is best explained as a “subdomain” to the hostname you’re authenticating: if you want to authenticate the “base domain” felzer.com, you’ll need to add the value VQ_4oITDICs0scP5VW4HWfeOxXECA1XeM8I-mRJO4yU to the hostname _acme-challenge.felzer.com (as a TXT record).
If you’d want to authenticate the subdomain www.felzer.com, you’d have to add another token value to the “sub-sub”-domain _acme-challenge.www.felzer.com (of course with type TXT again).
Now you’ve added the (erroneous) concatenated stuff ("_acme-challenge"+token value) to the hostname felzer.com and www.felzer.com.
Do you understand the difference?
Also, if you’d like to authenticate the www subdomain, certbot will give you a distinct token value which is different than the token for the “bare” domain felzer.com.
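To make the distinction above concrete, here is an added example (not code from the thread or from certbot) that builds the record name a dns-01 validator looks up, checks a zone for the expected TXT record, and reports the specific mistake of pasting the label and token together as a value at the bare hostname. The domain example.com, the token strings and the zone contents are constructed placeholders; real tokens come from the ACME client and differ per hostname.

```python
"""Added example: build and check the TXT records an ACME dns-01 challenge expects.

Everything below is constructed for illustration: example.com, the two token
strings and both zones are placeholders, not values from a real ACME run.
"""

ACME_LABEL = "_acme-challenge"

# Constructed placeholder tokens; a real client issues a different one per hostname.
BARE_TOKEN = "TOKEN-FOR-BARE-DOMAIN-placeholder"
WWW_TOKEN = "TOKEN-FOR-WWW-SUBDOMAIN-placeholder"


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so 'Example.com.' == 'example.com'."""
    return name.strip().rstrip(".").lower()


def challenge_record_name(hostname: str) -> str:
    """Owner name of the dns-01 TXT record: the _acme-challenge label is
    prepended to the hostname being validated; it is never joined to the token."""
    return f"{ACME_LABEL}.{normalize(hostname)}"


def check_zone(zone: dict, hostname: str, token: str):
    """Look in a zone (owner name -> list of TXT strings) for the record a
    validator would query. Returns (ok, diagnostic)."""
    wanted = challenge_record_name(hostname)
    records = {normalize(k): v for k, v in zone.items()}
    if wanted in records:
        if token in records[wanted]:
            return True, f"{wanted} TXT holds the expected token"
        return False, f"{wanted} exists but holds {records[wanted]}, not this token"
    # The mistake from the thread: label and token concatenated into a TXT
    # value at the bare hostname instead of a record at _acme-challenge.<host>.
    host = normalize(hostname)
    for value in records.get(host, []):
        if value.startswith(ACME_LABEL) and token in value:
            return False, (f"no TXT at {wanted}; found '{ACME_LABEL}' concatenated "
                           f"with the token as a value at {host}")
    return False, f"no TXT record found at {wanted}"


def dig_command(hostname: str, nameserver: str) -> str:
    """dig query that asks an authoritative server directly, bypassing
    recursive-resolver caches (the 'propagation' delay in the thread)."""
    return f"dig +short TXT {challenge_record_name(hostname)} @{nameserver}"


# Constructed zone reproducing the broken setup: label+token pasted as values
# at the hostnames themselves (with and without trailing dot, as in the thread).
BROKEN_ZONE = {
    "example.com": [f"{ACME_LABEL}{BARE_TOKEN}"],
    "example.com.": [f"{ACME_LABEL}.{BARE_TOKEN}"],
    "www.example.com": [f"{ACME_LABEL}{WWW_TOKEN}"],
}

# Constructed zone with the records the validator actually looks up.
FIXED_ZONE = {
    "_acme-challenge.example.com.": [BARE_TOKEN],
    "_acme-challenge.www.example.com.": [WWW_TOKEN],
}


if __name__ == "__main__":
    for zone_name, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        for host, tok in (("example.com", BARE_TOKEN), ("www.example.com", WWW_TOKEN)):
            ok, why = check_zone(zone, host, tok)
            print(f"[{zone_name}] {host}: {'OK' if ok else 'FAIL'} - {why}")
    print(dig_command("example.com", "ns1.example.net"))
```

Running it shows the broken zone failing for both hostnames with the concatenation diagnostic, and the fixed zone passing; checking www.example.com against the bare-domain token fails on the fixed zone too, which is the "distinct token" point made above.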
Thanks for the quick responses. This crappy registrar does not allow its customers to create dns records for subdomains. I have to open a ticket to get this done. Doing that now…
I only added them at the root domain. When I tried the www subdomain I just pasted the verification string in with the www inserted before the domain name.
I tried that. I can create a subdomain that points at a URL but I cannot create a txt record for it. I contacted them via chat and they told me they have added the record on the backend (and I was not able to do it) but it will take 24-48 hours to propagate. Guess I will find out in 1-2 days.
They probably mean propagate to recursive resolvers - it shouldn’t take more than 5-10 minutes to deploy to your authoritative name servers. That being said, they’re not available yet on authoritative name servers ns1.yourhostingaccount.com and ns2.yourhostingaccount.com.
I was able to get it working using the web server. Not sure why I did not try that first. I guess I figured the DNS would be easier and then once down the rabbit hole......
IMHO, DNS is easier as long as you've got a client that supports your provider for automatic record creation. It's also the only way (for the time being) to get a wildcard cert and the only way to get a cert from a non-Internet-facing device (which admittedly is uncommon).
To me, it always seemed like more of a hassle trying to configure your web server in a particular way to satisfy a challenge while also needing to configure it separately for your actual site. Those two purposes often conflict particularly with all of the HTTP redirect rules people end up putting in and complex web frameworks with routing rules and such. DNS is just more direct.