Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: letsencrypt certonly -d gitlab.ndc.com
It produced this output:
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gitlab.ndc.com
Input the webroot for gitlab.ndc.com: (Enter 'c' to cancel): /var/opt/gitlab/nginx/www
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. gitlab.ndc.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for gitlab.ndc.com - check that a DNS record exists for this domain
My web server is (include version): since we've installed gitlab, it's running on nginx
The operating system my web server runs on is (include version): Ubuntu 16.04
My hosting provider, if applicable, is: This is an internal portal, there is no hosting provider in this case.
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.27.0
Thanks Juergen for the advice. I believe there is a DNS TXT entry created since I can go to the domain via http. So, why can't LetsEncrypt see that domain added to our DNS server?
Between, our Ubuntu server is behind the firewall for security reasons.
Okay. Sorry Juergen, I wasn't aware of having a TXT entry added to our dns server. So, just to be sure, I need to ask our sysadmin team to add a TXT entry to an already created domain on our dns server. Is that correct?
Currently you are using HTTP-01 validation, in which Let's Encrypt will try to resolve the domain and find content on the web server.
Since this is an internal portal, you should ask your sysadmin team to complete the validation (by adding a TXT record) every 60 days via manual action to the ATT NS server (which should be your external NS server for this domain).
This might be painful, so you might want to also ask your sysadmin team if there's any method to automate the process. They might want to write some scripts to add/remove the specified record automatically. The scripts can be specified with certbot hooks (--manual-auth-hook for adding and verifying the record, --manual-cleanup-hook for removing the record after validation has passed).
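A hook script of the kind described above, as an added example that is not code from this thread or from Certbot: one script serves as both --manual-auth-hook (argument `add`) and --manual-cleanup-hook (argument `delete`). It assumes the external zone accepts RFC 2136 dynamic updates (nsupdate) authenticated with a TSIG key, and the server name ns1.example.com, zone example.com and key path /etc/acme/tsig.key are placeholders to replace.

```shell
#!/bin/sh
# acme-dns-hook.sh: DNS-01 hook for certbot --manual (added example, not Certbot's code).
# Assumed invocation (hypothetical paths and zone):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/bin/acme-dns-hook.sh add" \
#     --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh delete" \
#     -d gitlab.example.com
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.

DNS_SERVER="${DNS_SERVER:-ns1.example.com}"            # assumed external authoritative server
ZONE="${ZONE:-example.com}"                            # assumed zone holding the record
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/acme/tsig.key}"   # assumed TSIG key file for nsupdate -k
TTL=60

# Name of the TXT record Let's Encrypt queries for DNS-01.
txt_name() { printf '_acme-challenge.%s.' "$1"; }

# Print an nsupdate batch that adds or deletes the TXT record (value differs per attempt).
build_nsupdate() {  # action name value
    printf 'server %s\nzone %s.\n' "$DNS_SERVER" "$ZONE"
    case "$1" in
        add)    printf 'update add %s %s TXT "%s"\n' "$2" "$TTL" "$3" ;;
        delete) printf 'update delete %s TXT "%s"\n' "$2" "$3" ;;
        *)      echo "unknown action: $1" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Poll the authoritative server until the record is visible (at most $3 tries),
# so the auth hook returns only once Let's Encrypt can also see the record.
record_visible() {  # name value tries
    i=0
    while [ "$i" -lt "$3" ]; do
        if dig +short @"$DNS_SERVER" TXT "$1" 2>/dev/null | grep -qF "\"$2\""; then
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    return 1
}

main() {
    name=$(txt_name "$CERTBOT_DOMAIN")
    build_nsupdate "$1" "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE" || exit 1
    [ "$1" = add ] && { record_visible "$name" "$CERTBOT_VALIDATION" 12 || exit 1; }
    return 0
}

# Only act when certbot is actually calling us (the variables are set by certbot).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then main "$@"; fi
```

Renewal then needs no human step: `certbot renew` runs the same hooks with the new validation value each time.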
Thanks Steve. I'll check with my sysadmin team if they can automate the validation process. Between, is there a requirement to change the TXT record every 60 days?
No.
Each time you attempt to request a certificate, you'll be asked to enter a specific TXT record (every attempt has a different value) into your DNS records. Let's Encrypt will attempt to find the record on your external DNS and validate that it is what you were required to add. After you complete/fail the challenge, you are able to remove it (and this is recommended).
The reason I said you might need to add a TXT record every 60 days is because certbot will attempt to renew your certificate starting from the 60-day point, and if you used the manual plugin (--manual), the certificate will not renew automatically.
I see. So, in that case instead of using a manual plug-in, can I or is there an option such as
"letsencrypt certonly -d domain_name --preferred-challenges dns" or something similar on those lines? I don't intend to manually renew the certificates every 60 days.
This will still result in a manual operation... (since certbot can't complete the challenge automatically)
However, the manual plugin doesn't mean you must manually complete the challenge.
If you use --manual with the hook / script I mentioned (if your sysadmin can make one), the renewal process will complete automatically.
P.S. renewing with certonly will not reload your website configuration automatically; your certificate will be renewed (if successful) but your web server will still use the old configuration / certificate, so you'll need to manually reload your web server.
You can specify --installer apache or --installer nginx when requesting/renewing the certificate, so certbot will know what web server to reload if a new certificate is issued (or renewed).
Hello:
Iām revisiting this issue and I wanted to know what should be placed in TXT record for the DNS validation to succeed in order to obtain the SSL cert.?
Thanks Steve. However, according to the document, it says ACME client will provide a token, which can then be inserted into TXT record of DNS. At the moment, we arenāt able to generate the token from LetsEncrypt.
If you run the command: certbot certonly -d domain_name --perferred-challenges dns, you can see the required value / record you need to add to your DNS panel.
Here you go. I ran cerbot command will the necessary options and here I what I receive.
certbot certonly -d gitlab.xxx.com --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin
As you see, it's complaining that none of the preferred challenges are supported by the plugin