Hello.
I am failing to get the certificates generated by letsencrypt according to the documentation. I would like some pointers to check please.
I’ve followed the documentation https://desec.readthedocs.io/en/latest/dyndns/lets-encrypt.html.
I’m running an nginx server on a custom port that isn’t yet open at the firewall. I can connect out to the internet from the server host but no traffic can yet get to it on ports 80, 443 or my custom port 8082.
Its OS is FreeBSD.
I have created my mydomain.dedyn.io domain and a dynamic DNS on the router is running fine, updating the DNS entry to its public IP (IPv4). I have also updated the record using the UI to add a TXT record "mydomain.dedyn.io".
From the documentation sending me to certbot site link, I used the OS repository package to install certbot. All good.
At this point I had done the steps: 1. Install certbot, 2. Install hook scripts, 3. Got a fresh token, 4. Configure the token, 5. Ran certbot according to the documentation. Here is where I am stuck.
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: mydomain.dedyn.io
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.dedyn.io - check that a DNS record exists for this domain
An nslookup gives the correct public IP.
What am I doing wrong please?
I think I found the problem despite the error suggesting a problem with my DNS at dedyn.io.
The command used: # certbot --manual --manual-auth-hook ./hook.sh --manual-cleanup-hook ./hook.sh --preferred-challenges dns -d "mydomain.dedyn.io" -d "*.mydomain.dedyn.io" certonly
The error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mydomain.dedyn.io and *.mydomain.dedyn.io
Hook '--manual-auth-hook' for mydomain.dedyn.io reported error code 127
Hook '--manual-auth-hook' for mydomain.dedyn.io ran with error output:
env: bash: No such file or directory
Hook '--manual-auth-hook' for mydomain.dedyn.io reported error code 127
Hook '--manual-auth-hook' for mydomain.dedyn.io ran with error output:
env: bash: No such file or directory
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: mydomain.dedyn.io
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.dedyn.io - check that a DNS record exists for this domain
Domain: mydomain.dedyn.io
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.dedyn.io - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
Hook '--manual-cleanup-hook' for mydomain.dedyn.io reported error code 127
Hook '--manual-cleanup-hook' for mydomain.dedyn.io ran with error output:
env: bash: No such file or directory
Hook '--manual-cleanup-hook' for mydomain.dedyn.io reported error code 127
Hook '--manual-cleanup-hook' for mydomain.dedyn.io ran with error output:
env: bash: No such file or directory
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
The "env: bash: No such file or directory" element made me look first for the hook code. It uses bash and curl but they are not installed by default in FreeBSD.
There is a check in the hook file code for curl but it doesn’t seem to have been triggered. There is no check for bash.
After installing both, I’ve been able to get the certificates. So I am a step further now.
My suggestion is twofold:
a) update the documentation for FreeBSD
b) update the hook code to check for dependencies bash and curl.
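As an added example (not the deSEC hook script and not posted in this thread), the dependency check suggested in (b), written for POSIX sh so that the check itself runs on a stock FreeBSD system where bash and curl are absent; the function names, the tool list and the pkg hint are assumptions.

```shell
#!/bin/sh
# Preflight dependency check for a certbot --manual-auth-hook / --manual-cleanup-hook.
# Deliberately POSIX sh: a "#!/usr/bin/env bash" shebang fails with
# "env: bash: No such file or directory" on FreeBSD before any check can run,
# and certbot then reports the resulting missing TXT record as NXDOMAIN.

# Print the names of the given commands that cannot be found, one per line.
# Returns 0 when every command is present, 1 when at least one is missing.
missing_deps() {
    rc=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            rc=1
        fi
    done
    return "$rc"
}

# Abort with an actionable message instead of a confusing CA-side DNS error.
# Assumed remedy on FreeBSD: the bash and curl packages from pkg.
require_deps() {
    if ! missing=$(missing_deps "$@"); then
        printf 'hook: missing required tools: %s\n' \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        printf 'hook: on FreeBSD install them with: pkg install bash curl\n' >&2
        return 1
    fi
}

# Usage from the top of a hook: sh preflight.sh bash curl
# (or call require_deps bash curl || exit 1 before any other hook logic).
if [ "$#" -gt 0 ]; then
    require_deps "$@" || exit 1
fi
```

Because the hook's exit code is propagated by certbot, failing here makes the "reported error code" line point at the real cause before the challenge is ever submitted.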
The certbot-dns-desec certbot plugin (linked at the end of the documentation you read) does not require bash or curl. It is the more interoperable choice, and will supersede the hook script.
The documentation currently does not reference it as the main solution, as there are some open issues before we can consider it stable.
The hook script is now deprecated and the deSEC certbot plugin has been released. To request certificates from Let’s Encrypt for deSEC-hosted domains, please use the certbot plugin.