Dehydrated DNS-01

Hi guys,

I’m trying to set up LetsEncrypt and getting stuck.
First question: Are there any coherent instructions?
In my searching I’ve found bits and pieces scattered about but nothing complete enough for me to be successful.
Second: I set up a TXT record for our domain but I don’t know how it is to be formatted. I’ve tried:
_acme-challenge.my.domain.com “v=sODSl2_6gmW6BUsqSEkLrTTkbn5FtRCoS9-V1he0uYY”
_acme-challenge.my.domain.com “sODSl2_6gmW6BUsqSEkLrTTkbn5FtRCoS9-V1he0uYY”
Neither seems to work but I don’t know which end the problem is on.
Every time I run:
dehydrated -c
the [“token”] “UywkpsWUBVBDCVCRsHrhNboUE58n_V3mI2TXySc4bxY”
is different and is never what I put in the TXT record.
Here is the failed Challenge Validation:

ERROR: Challenge is invalid! (returned: invalid) (result: [type] dns-01
[status] invalid
[error,type] urn:ietf:params:acme:error:unauthorized
[error,detail] Incorrect TXT record \sODSl2_6gmW6BUsqSEkLrTTkbn5FtRCoS9-V1he0uYY\ found at _acme-challenge.my.domain.com
[error,status] 403
[error] {type:urn:ietf:params:acme:error:unauthorized,detail:Incorrect TXT record \sODSl2_6gmW6BUsqSEkLrTTkbn5FtRCoS9-V1he0uYY\ found at _acme-challenge.my.domain.com,status:403}
[url] https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3657438774/PeLgtg
[token] UywkpsWUBVBDCVCRsHrhNboUE58n_V3mI2TXySc4bxY
[validated] 2022-09-16T20:45:42Z)

help

I think you need to first download the certificate using the dehydrated equivalent of certbot certonly with the --manual option, and then prepare the DNS record.

see https://eff-certbot.readthedocs.io/en/stable/using.html#manual

Here, in a few words, is a nice explanation from a post on the Let's Encrypt forum; you should ask for assistance over there, I think.

Thanks for that. It doesn’t explain what to put in the TXT record. Whatever I put in I can read with:
host -ttxt _acme-challenge.my.domain.com
and dehydrated still fails.

So I gave up on that and tried http-01 pointed at our internal server.
I created .well-known/acme-challenge and
ran “date > /web-root/.well-known/acme-challenge/test.txt”
apache runs as wwwrun:www. The folders are so owned.

With a browser http://my.domain.com/.well-known/acme-challenge/text.txt works.
“wget my.domain.com/.well-known/acme-challenge/Test.txt” from the firewall works
“dehydrated -c” gives the same:

ERROR: Challenge is invalid! (returned: invalid) (result: [type] http-01
[status] invalid
[error,type] urn:ietf:params:acme:error:unauthorized
[error,detail] 96.65.209.137: Invalid response from http://my.domain.com/.well-known/acme-challenge/5dyfFltlkEz4OrqZydeoyru27p3b0DfGAsze5rrJbHQ: 404
[error,status] 403

On the server I probably missed a step.
Any ideas?
Thanks

Before issuing a renewal attempt, type this in the console:

sysctl net.ipv4.conf.default.rp_filter=2
sysctl net.ipv4.conf.all.rp_filter=2

discussion here: Reverse Path Filtering prevents certbot renewal using HTTP-1 acme-challenge

Running this from the firewall:
wget my.domain.com/.well-known/acme-challenge/Test.txt
works before I run those commands and still works after.
dehydrated does not.

How would I test writing to my.domain.com/.well-known/acme-challenge/ from the firewall?

Thanks

Ok. I have a workaround for dns-01. I added a pause to the Deploy_Challenge function thusly:

# Arguments to printf are separated by spaces, not commas; quoting the
# variables keeps the domain and token intact.
printf "Copy and paste this Token to %s TXT record for:  %s \n" "$DOMAIN" "$TOKEN_VALUE"
printf "Challenge is waiting for DNS to propagate. \n"
read -n 1 -r -s -p "Press any key to continue..." key

I didn’t try it but I guess if you used:
printf "Domain = %s File Name = %s Token Value = %s \n" "$DOMAIN" "$TOKEN_FILENAME" "$TOKEN_VALUE"

This should work for http-01 also.
I hope this helps somebody.
And thanks to the guys who tried to help me.
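The pause above works because the TXT value must come from the run that is currently waiting, not from an earlier one: each run of dehydrated creates a new ACME order, and the raw [token] it prints is not what goes into DNS either (the TXT value is the base64url SHA-256 digest of token.thumbprint, which dehydrated passes to a dns-01 hook as TOKEN_VALUE). The hook below is an added example, not the thread author's script and not part of the dehydrated project. It assumes the hook argument order dehydrated documents (deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE), that dig, openssl and base64 are installed, and a public resolver address of 1.1.1.1; it checks the shape of the value, then polls the public zone until the record is actually visible before letting validation proceed, so a mistyped or unpropagated record fails locally instead of burning a failed order.

```shell
#!/usr/bin/env bash
# Added example hook for dehydrated dns-01 (illustration only; not the thread
# author's hook and not dehydrated's own code). Assumed: dehydrated's documented
# hook arguments, and that dig, openssl and base64 are available.
set -eu

POLL_INTERVAL="${POLL_INTERVAL:-10}"   # seconds between DNS checks
POLL_TRIES="${POLL_TRIES:-60}"         # give up after about 10 minutes
RESOLVER="${RESOLVER:-1.1.1.1}"        # assumed public resolver; not the LAN one

# The record name the ACME server queries: _acme-challenge.<domain>
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# A dns-01 TXT value is base64url (no padding) of a 32-byte digest: exactly
# 43 characters from [A-Za-z0-9_-]. Quotes inside the value or a "v=" prefix
# are wrong and are rejected here.
is_valid_txt_value() {
    case "$1" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -eq 43 ]
}

# Derive the TXT value from the challenge token and the account key thumbprint
# (RFC 8555 section 8.4). This is what dehydrated hands the hook as TOKEN_VALUE;
# the raw token shown in its debug output is not the TXT value.
dns01_txt_value() {
    printf '%s.%s' "$1" "$2" \
        | openssl dgst -sha256 -binary \
        | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Look up the TXT record as the public Internet sees it. Split-horizon DNS can
# make an internal query succeed while the ACME server sees something else.
resolve_txt() {
    dig +short TXT "$1" "@$RESOLVER" 2>/dev/null | tr -d '"'
}

# Wait until the published record equals the expected value; 1 if it never does.
wait_for_txt() {
    local name="$1" expected="$2" tries="${3:-$POLL_TRIES}" i=0 observed
    while [ "$i" -lt "$tries" ]; do
        observed=$(resolve_txt "$name" || true)
        if [ "$observed" = "$expected" ]; then
            return 0
        fi
        i=$((i + 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    local domain="$1" token_value="$3" name
    name=$(acme_txt_name "$domain")
    if ! is_valid_txt_value "$token_value"; then
        printf 'Unexpected TOKEN_VALUE %s (not a base64url digest)\n' "$token_value" >&2
        return 1
    fi
    printf 'Create this TXT record, then press Enter:\n  %s  TXT  "%s"\n' "$name" "$token_value"
    read -r _
    if ! wait_for_txt "$name" "$token_value"; then
        printf 'TXT record for %s never matched; aborting before validation.\n' "$name" >&2
        return 1
    fi
}

clean_challenge() {
    printf 'Validation done; the TXT record %s can be removed.\n' "$(acme_txt_name "$1")"
}

# Dispatch on the hook stage name; every other stage is a no-op.
case "${1:-}" in
    deploy_challenge) shift; deploy_challenge "$@" ;;
    clean_challenge)  shift; clean_challenge "$@" ;;
    *) : ;;
esac
```

Point dehydrated at the script with HOOK= and set CHALLENGETYPE="dns-01" in its config. For http-01, no hook is needed: dehydrated writes the token file itself into the directory named by WELLKNOWN in its config, so that path has to be the served .well-known/acme-challenge directory, otherwise the server answers 404 exactly as in the log above.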