certbot - What is the correct way to wait for TXT Record updated?

Solution 1:

I found that if I Ctrl-C before challenging (e.g. press Enter) the hash won't change.

So I can wait for the DNS update then re-run certbot, it shows the same hash, and now I can press Enter immediately.

Solution 2:

AFAIK, the TTL is irrelevant for the DNS-01 challenge. It appears that Let's Encrypt checks which servers are authoritative and queries one of the authoritative servers directly, so the necessary delay is about allowing for the zone data to sync to all the authoritative servers, not about waiting for any caches to expire (this would be where TTL is relevant).


That said, the intended way of doing Let's Encrypt is to actually automate, whether you use the HTTP-01 challenge or the DNS-01 challenge.
The major advantage of this is that with a small bit of work upfront the certificates will actually automatically renew as necessary (by having certbot renew invoked regularly), which is pretty important for making these short-lived certificates viable.

certbot comes with a set of plugins for doing DNS updates (and there is always the option implementing your own as well).

At the time of this posting, the list of plugins was:

  • certbot-dns-cloudflare
  • certbot-dns-cloudxns
  • certbot-dns-digitalocean
  • certbot-dns-dnsimple
  • certbot-dns-dnsmadeeasy
  • certbot-dns-google
  • certbot-dns-linode
  • certbot-dns-luadns
  • certbot-dns-nsone
  • certbot-dns-ovh
  • certbot-dns-rfc2136
  • certbot-dns-route53

(See the docs for an up to date list + links to relevant instructions)

Ie, essentially there's a plugin with RFC2136 support (regular DNS dynamic updates, compatible with most standard DNS servers that you might run yourself) + a set of plugins for proprietary APIs of some major DNS service providers.

Example usage:

certbot certonly \
  --dns-rfc2136 \
  --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini \
  -d example.com

These also have an argument (name varies by plugin) like --dns-rfc2136-propagation-seconds that allows for tweaking how long to wait before completing the challenge (to allow zone data to sync to authoritatives).

Solution 3:

There isn't any good way to accomplish this atm I guess.

I kept the certbot prompt open for waiting while in my second terminal window I just ran for example dig -t txt _acme-challenge.mydomain.com (replace the txt address with yours). When it didn't show any TTL seconds running in ;; ANSWER SECTION: anymore for that record then the certbot finished successfully after enter-press.

If you should still need to keep your SSH connection alive long time (on the background) then maybe Linux screen tool comes handy? I use it to run long-running commands which might get in danger of SSH-timeout. Just open screen-session with screen -S give_it_a_good_name and run the certbot operation in there. You can then deattach the screen with Ctrl+a d and later come back into it with screen -r your_screen_numerical_id and see your prompt still alive.

Be sure to later access the screen session under same user you initiated it! For ex. if you initiated screen session as root then you don't find it under ubuntu or whatever other user for example.