Dehydrated DNS-01

Hi guys,

I’m trying to set up LetsEncrypt and getting stuck.
First question: Are there any coherent instructions?
In my searching I’ve found bits and pieces scattered about but nothing complete enough for me to be successful.
Second: I set up a TXT record for our domain but I don’t know how it is to be formatted. I’ve tried: “v=sODSl2_6gmW6BUsqSEkLrTTkbn5FtRCoS9-V1he0uYY” and “sODSl2_6gmW6BUsqSEkLrTTkbn5FtRCoS9-V1he0uYY”
Neither seems to work but I don’t know which end the problem is on.
Every time I run:
dehydrated -c
the [“token”] “UywkpsWUBVBDCVCRsHrhNboUE58n_V3mI2TXySc4bxY”
is different and is never what I put in the TXT record.
Here is the failed Challenge Validation:

ERROR: Challenge is invalid! (returned: invalid) (result: [type] dns-01
[status] invalid
[error,type] urn:ietf:params:acme:error:unauthorized
[error,detail] Incorrect TXT record \sODSl2_6gmW6BUsqSEkLrTTkbn5FtRCoS9-V1he0uYY\ found at
[error,status] 403
[error] {type:urn:ietf:params:acme:error:unauthorized,detail:Incorrect TXT record \sODSl2_6gmW6BUsqSEkLrTTkbn5FtRCoS9-V1he0uYY\ found at,status:403}
[token] UywkpsWUBVBDCVCRsHrhNboUE58n_V3mI2TXySc4bxY
[validated] 2022-09-16T20:45:42Z)


I think you need to first download the certificate using the dehydrated equivalent of certbot certonly with the --manual option, and then prepare the DNS record.


Here, in a few words, is a nice explanation from a post on the letsencrypt forum; you should ask for assistance over there, I think.

Thanks for that. It doesn’t explain what to put in the TXT record. Whatever I put in I can read with:
host -t txt
and dehydrated still fails.

So I gave up on that and tried http-01 pointed at our internal server.
I created .well-known/acme-challenge and
ran “date > /web-root/.well-known/acme-challenge/test.txt”
Apache runs as wwwrun:www. The folders are owned accordingly.

With a browser it works.
“wget” from the firewall works.
“dehydrated -c” gives the same:

ERROR: Challenge is invalid! (returned: invalid) (result: [type] http-01
[status] invalid
[error,type] urn:ietf:params:acme:error:unauthorized
[error,detail] Invalid response from 404
[error,status] 403

On the server I probably missed a step.
Any ideas?

Before issuing a renewal attempt, type this in the console:

sysctl net.ipv4.conf.default.rp_filter=2
sysctl net.ipv4.conf.all.rp_filter=2

discussion here: Reverse Path Filtering prevents certbot renewal using HTTP-1 acme-challenge

Running this from the firewall:
works before I run those commands and still works after.
dehydrated does not.

How would I test writing to from the firewall?


Ok. I have a workaround for dns-01. I added a pause to the deploy_challenge function thusly:

# Arguments are passed separately (no commas), otherwise a literal "," ends up in the output.
printf "Copy and paste this Token to %s TXT record for:  %s \n" "$DOMAIN" "$TOKEN_VALUE"
printf "Challenge is waiting for DNS to propagate. \n"
# Block until the operator confirms the record has been created.
read -n 1 -r -s -p "Press any key to continue..." key

I didn’t try it but I guess if you used:
printf "Domain = %s File Name = %s Token Value = %s \n" "$DOMAIN" "$TOKEN_FILENAME" "$TOKEN_VALUE"

This should work for http-01 also.
I hope this helps somebody.
and thanks to the guys who tried to help me.
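As an added example (not the hook from this thread or from the dehydrated project), here is a fuller dns-01 hook built on the same idea: it prints the exact record name and value that dehydrated hands to deploy_challenge, waits for the operator, and then polls `host -t txt` until the value is actually visible before dehydrated asks Let's Encrypt to validate. The value dehydrated passes as TOKEN_VALUE is derived from the challenge token and the account key, so it changes every run and is not the `[token]` shown in the error output; the hook path, the `host` command, and the domain/value used in the test are assumptions.

```shell
#!/usr/bin/env bash
# Added example: dehydrated hook for dns-01, run as  hook.sh <action> <args...>
# Configure it in dehydrated's config with  HOOK=/path/to/hook.sh  (assumed path).
set -u

# dehydrated expects the dns-01 TXT record at _acme-challenge.<domain>
txt_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Reads `host -t txt` output on stdin; returns 0 if the wanted value is present.
# host prints the record data in double quotes, so match the quoted value exactly
# (a record holding "v=<value>" or a stale value from a previous run will not match).
txt_has_value() {
    grep -Fq "\"$1\""
}

# Poll DNS until the record is visible, giving up after $3 attempts (default 30).
wait_for_txt() {
    local name="$1" value="$2" tries="${3:-30}" i=0
    while [ "$i" -lt "$tries" ]; do
        if host -t txt "$name" 2>/dev/null | txt_has_value "$value"; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    return 1
}

# Called by dehydrated as: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    local DOMAIN="$1" TOKEN_VALUE="$3" name
    name="$(txt_record_name "$DOMAIN")"
    printf 'Create TXT record  %s  with value  %s\n' "$name" "$TOKEN_VALUE"
    read -n 1 -r -s -p "Press any key once the record is saved..." _
    echo
    wait_for_txt "$name" "$TOKEN_VALUE" \
        || { echo "TXT record still not visible, aborting." >&2; exit 1; }
}

# Called after validation; remove the record here if your DNS provider has an API.
clean_challenge() { :; }

action="${1:-}"
case "$action" in
    deploy_challenge|clean_challenge) shift; "$action" "$@" ;;
esac
```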