Unable to get a certificate from Letsencrypt using the DNS-01 challenge
I've tried getting a certificate using certbot, caddy, and lego. They've all returned similar errors with this domain.
I used the DNS-01 challenge. Here's output from the lego client:
ananth@wopr ~> lego -a -m "[email protected]" -d subhamho.me -d "*.subhamho.me" --dns gandiv5 --path ./lego run
2021/05/14 00:20:13 [INFO] [subhamho.me, *.subhamho.me] acme: Obtaining bundled SAN certificate
2021/05/14 00:20:15 [INFO] [*.subhamho.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317014
2021/05/14 00:20:15 [INFO] [subhamho.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317037 2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: use dns-01 solver
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Could not find solver for: tls-alpn-01 2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Could not find solver for: http-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: use dns-01 solver
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: Preparing to solve DNS-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Preparing to solve DNS-01
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: Cleaning DNS-01 challenge
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Cleaning DNS-01 challenge
2021/05/14 00:20:15 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317014
2021/05/14 00:20:16 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317037
2021/05/14 00:20:16 Could not obtain certificates:
error: one or more domains had a problem:
[*.subhamho.me] [*.subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
[subhamho.me] [subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
The other two clients: certbot, and caddy also had FORMERR in their error messages.
Solution 1:
When requesting a wildcard certificate from Let's Encrypt you have to set a TXT record in your DNS zone file (or in the backend of your provider gandi.net) under the name _acme-challenge.subhamho.me containing the token that you get when when issuing the command
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.subhamho.me' -d subhamho.me
The output of the above command would be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for subhamho.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.subhamho.me with the following value:
<acme-challenge-value>
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
where the token is the value of <acme-challenge-value>. After setting the TXT record press Enter and you should get the wildcard certificate.
At the moment there is no such token. You can check this with
dig TXT +short subhamho.me
Thus you are getting the error
[*.subhamho.me] [*.subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
[subhamho.me] [subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
Keep in mind that you have to renew the TXT record on any renewal of the certificate, which is after 90 days.
Solution 2:
I tried specifying a different resolver to lego using the --dns.resolvers option. It appears that systemd-resolved is having trouble resolving this TXT record correctly. It seems to think that its format is invalid. The domain resolved correctly using a dnsmasq server that I run.