Let's Encrypt Renewal failed

I have an error when renewing the SSL on a few of my domain names. I’ve checked the log of Letsencrypt and I saw this line:

certbot.errors.FailedChallenges: Failed authorization procedure. autodiscover.shivaconception.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.autodiscover.shivaconception.com - check that a DNS record exists for this domain, autoconfig.shivaconception.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.autoconfig.shivaconception.com - check that a DNS record exists for this domain

I’ve checked the DNS configuration and I don’t have the TXT entry for _acme-challenge.autoconfig.shivaconception.com

Do I have to enter it with the “_”? And what are the values associated with this entry?

Thank you!

All Packages are updated.
Debian 10

You should pay more attention to the web validation error that happened before this. The DNS validation is a fallback, and only happens if the web validation fails…but, unless Virtualmin is managing your DNS it can’t possibly work (and it sounds like Virtualmin is not managing your DNS).

But, it’s pretty much always one of the same couple of problems:

  1. DNS is wrong. Your A record doesn’t point to the right place, and Let’s Encrypt is asking the wrong server for the validation file.
  2. You have redirects or proxy rules preventing Let’s Encrypt from reaching the .well-known path on your website.

You cannot do this manually. If Virtualmin is not managing your DNS, you cannot validate LE via DNS in Virtualmin.

You can do manual DNS validation using the command line Let’s Encrypt client, but you should not. You should fix whatever is preventing Let’s Encrypt from validating via a web request. That’s always the simpler option.

I will take a look at that, but why did everything work without any issue before, and now I have this error? I didn’t change anything.

DNS is managed by the domain name hoster; I didn’t use Virtualmin to manage it. I know that they changed some services a few weeks ago. Could it be because of that? If yes, what do I have to ask them?

Thanks for your answer!

I told you what to check. Something obviously changed. It’s probably that you introduced a new redirect or proxy rule that doesn’t allow LE to fetch the file from .well-known.

Test that: Create a file in /home/<domain>/public_html/.well-known and try to browse to it. If you can’t reach it (you probably can’t), you need to fix whatever is preventing it.

It may be something in .htaccess introduced by one of your web applications.

No. I also told you what the problem could be there. You don’t need to ask anybody. Just check the A record(s) for the name(s) you are requesting certificates for. Do they all exist and point to the right IP?

A third common problem when people aren’t managing DNS with Virtualmin is they request certificates for names that do not exist. Virtualmin has some default domains (www, mail, etc.) for convenience…if you’re managing your own DNS and not paying attention, it’s easy to request certs for names that don’t exist. Don’t do that. It can’t work. Choose to specify which names to request certs for and only request certs for names that exist.

Check the things I’m telling you to check, don’t try to guess. There is an error above the DNS error you posted here. That is the useful error in your case. The DNS validation is expected to fail because Virtualmin is not managing your DNS. DNS validation cannot work for that scenario. Web validation can, so look at the error that occurred when it tried to do web validation!
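The three checks Joe describes in his replies (does the A record exist and point at your server, does a probe file under .well-known actually come back over HTTP, and are you requesting names that don't exist) can be scripted so you don't have to guess. The script below is an added example, not code from this thread or from Virtualmin. The server IP 192.0.2.10, the example names, the probe token and the probe body are constructed placeholders; `resolve` and `fetch` are injectable so the logic can be exercised without a network, and the defaults use the system resolver and a redirect-following HTTP GET, which is roughly what the ACME HTTP-01 validator does.

```python
"""Self-check for the failure causes named in the thread:
1. A record wrong or missing, 2. redirect/proxy/.htaccess rules blocking
.well-known, 3. requesting a certificate for a name that does not exist."""
import socket
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Constructed placeholder values; replace with your own server IP and names.
SERVER_IP = "192.0.2.10"
NAMES = ["example.test", "www.example.test", "autoconfig.example.test"]
TOKEN = "virtualmin-selfcheck"          # hypothetical probe file name
PROBE_BODY = "virtualmin-selfcheck-ok"  # hypothetical probe file content
FetchResult = Tuple[Optional[int], str, str]  # (HTTP status, final URL, body)


def write_probe_file(docroot: str, token: str = TOKEN, body: str = PROBE_BODY) -> Path:
    """Drop a probe file where HTTP-01 looks: <docroot>/.well-known/acme-challenge/<token>.
    Run this on the server, e.g. with docroot /home/<domain>/public_html."""
    path = Path(docroot) / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    return path


def default_resolve(name: str) -> List[str]:
    """IPv4 addresses the system resolver returns for name; [] means no A record."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_fetch(url: str) -> FetchResult:
    """GET url, following redirects as the validator does, and report where it ended up."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.geturl(), resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.geturl(), ""
    except OSError as e:  # URLError, timeouts and connection errors
        return None, url, str(e)


def check_names(names: List[str], expected_ip: str, expected_body: str = PROBE_BODY,
                token: str = TOKEN,
                resolve: Callable[[str], List[str]] = default_resolve,
                fetch: Callable[[str], FetchResult] = default_fetch) -> Dict[str, List[str]]:
    """Return, per name, the problems found; an empty list means HTTP-01 should succeed."""
    report: Dict[str, List[str]] = {}
    for name in names:
        problems: List[str] = []
        addrs = resolve(name)
        if not addrs:
            # Joe's third case: the name is not in DNS, so no validation method can work.
            problems.append("no A record: name does not exist in DNS, do not request a cert for it")
            report[name] = problems
            continue
        if expected_ip not in addrs:
            # Joe's first case: Let's Encrypt will ask the wrong server for the file.
            problems.append(f"A record points to {', '.join(addrs)}, not {expected_ip}: "
                            "validator will ask the wrong server")
        url = f"http://{name}/.well-known/acme-challenge/{token}"
        status, final_url, body = fetch(url)
        if status is None:
            problems.append(f"could not connect to {url}: {body}")
        elif status != 200 or body.strip() != expected_body:
            # Joe's second case: a redirect, proxy rule or .htaccess hides the file.
            where = f" (ended at {final_url})" if final_url != url else ""
            problems.append(f"HTTP {status}{where}: probe file not served, "
                            "check redirects, proxy rules or .htaccess")
        report[name] = problems
    return report


if __name__ == "__main__":
    # write_probe_file("/home/example/public_html")  # first, on the server itself
    for name, problems in check_names(NAMES, SERVER_IP).items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

Run it from a machine outside the server (so you see what the public resolver and the public web path return, not what a hosts-file entry or local proxy would give you) after writing the probe file on the server. Any name that reports "no A record" should simply be dropped from the certificate request; a wrong IP is fixed at the DNS hoster; a redirect or non-200 result points at the web server configuration, which is the error Joe says to look for above the DNS one in the log.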

I’ve checked the DNS configuration and one of the lines had the incorrect IP. The host changed something recently and I had to enter the IP of my server again. I forgot one line for a TXT.
It works for one of my domains, so I guess it’s the same for the other ones.

Thank you @Joe !
