Can't create SSL cert after DNS change
Hi,
I have both a server (SERVER_1) and DNS records (DNS_1) running on Linode.
Before:
I had various subdomains registered as A records. I ran certbot on my Linode server to generate SSL certs, and used the dns-linode authenticator, which worked fine after it created TXT records.
Now:
I have grown some of the site functionality onto an external server (SERVER_2) with its own DNS (DNS_2). The API remains on the same Linode server (SERVER_1) as before, with an A record on DNS_2 for api.mydomain.com pointing to my SERVER_1 IP address.
SERVER_2 also auto-generates SSL certs and has 2:
1 for mydomain.com and 1 for *.mydomain.com
The Problem:
I cannot find a way to generate an SSL cert on the Linode server for api.mydomain.com. The dns-linode authenticator is failing.
Although SERVER_2 tries to generate an SSL cert for all * subdomains, I believe I'm correct in thinking I need to host a cert for api.mydomain.com on SERVER_1, as that's where the A record points to.
Details
Running the same certbot command that worked before now informs me that:
Certbot failed to authenticate some domains (authenticator: dns-linode). The Certificate Authority reported these problems:
Domain: mydomain.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.mydomain.com
I can see in cloud.linode.com that TXT records were generated.
Question
I'm a bit lost as to what it is I need to change to get an SSL cert functioning again on SERVER_1. I'm running nginx in a Docker container, so my attempts to do a standard certbot installation weren't relevant. If I got confirmation this would be the way to go, I could look at roundabout ways of working with a containerized nginx cert.
Also, I'm not entirely sure why the current dns-linode is failing with the change I made. Although the initial request is not on DNS_2, it points back to SERVER_1 (and I thought it also pointed to DNS_1). TXT records are being created by the authenticator.
1 Reply
Have you checked for errors in the /var/log/letsencrypt/letsencrypt.log file? In a previous post regarding a similar issue, it was suggested that the OP check their API key as it may have expired. You may want to check that as well.
If the API is on SERVER_1, then I would also assume that you would need the cert to be generated from and hosted on that instance.
Since you used the dns-linode authenticator to create the TXT records, I suggest reading through the documentation again to see if you need to repeat your steps after you've made updates to the configuration.
If you're unable to resolve this using the dns-linode authenticator, this post offers some alternatives such as running certbot in docker or using lego.
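The script below is an added example; it is not code from this thread, from certbot or from Linode. It covers both points raised above: the `check` action shows where the CA actually looks during a DNS-01 validation, and `creds` and `run` issue the certificate with certbot's dns-linode plugin from its official container image, so nothing has to be installed next to a containerized nginx. The point behind `check` is that the CA never reads a provider's control panel: it resolves `_acme-challenge.api.mydomain.com` through the public NS delegation for the zone and queries the nameservers that delegation names. If mydomain.com is now delegated to DNS_2's nameservers, a TXT record that only exists in the Linode zone (DNS_1) is invisible to the CA, which is exactly the "No TXT record found" outcome; `check` makes that visible by asking the delegated servers directly. The domain, the paths, the propagation wait, the image name `certbot/dns-linode` and the token are assumptions; `check` needs `dig` and network access, `run` needs Docker.

```shell
#!/bin/sh
# Added example, not code from the original thread or from certbot/Linode.
#   check  - print the NS delegation for the zone and ask each delegated
#            server for the _acme-challenge TXT record (where the CA looks)
#   creds  - write the dns-linode credentials file with safe permissions
#   run    - issue the cert with certbot's dns-linode plugin in its container
# DOMAIN, the paths, PROPAGATION and the token are assumptions; change them.
set -eu

DOMAIN="${DOMAIN:-api.mydomain.com}"
LE_DIR="${LE_DIR:-/etc/letsencrypt}"              # persisted on the host so nginx can read it
SECRETS_DIR="${SECRETS_DIR:-$HOME/.secrets/certbot}"
PROPAGATION="${PROPAGATION:-120}"                 # seconds to wait before the CA is told to look

# RFC 8555 §8.4: the CA queries TXT at _acme-challenge.<identifier>.
challenge_name() { printf '_acme-challenge.%s\n' "${1%.}"; }

# Walk up label by label until an NS answer appears: that is the zone cut the
# public resolvers (and the CA) follow, whatever any provider's panel shows.
delegated_ns() {
    name="${1%.}"
    while [ -n "$name" ]; do
        ns=$(dig +short NS "$name" | sort)
        if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
        case "$name" in *.*) name="${name#*.}" ;; *) break ;; esac
    done
    return 1
}

# Query every delegated server directly, bypassing caches, for the TXT record.
check() {
    name=$(challenge_name "$DOMAIN")
    echo "delegation for $name:"
    servers=$(delegated_ns "$name") || { echo "no NS delegation found"; return 1; }
    echo "$servers"
    for s in $servers; do
        printf '%s -> ' "$s"
        dig +short TXT "$name" "@$s" | tr '\n' ' '; echo
    done
}

# dns-linode reads an INI file and warns if other users can read it.
# Use a Linode API token scoped to Domains read/write only.
write_credentials() {
    dir="$1"; token="$2"
    mkdir -p "$dir"
    (umask 077; printf 'dns_linode_key = %s\ndns_linode_version = 4\n' "$token" > "$dir/linode.ini")
    chmod 600 "$dir/linode.ini"
    printf '%s\n' "$dir/linode.ini"
}

# Compose the certbot invocation; /etc/letsencrypt lives on the host, the
# credentials are mounted read-only. Paths are assumed to contain no spaces.
certbot_cmd() {
    printf 'docker run --rm -it -v %s:/etc/letsencrypt -v %s:/secrets:ro certbot/dns-linode certonly --dns-linode --dns-linode-credentials /secrets/linode.ini --dns-linode-propagation-seconds %s -d %s\n' \
        "$LE_DIR" "$SECRETS_DIR" "$PROPAGATION" "$DOMAIN"
}

case "${1:-}" in
    check) check ;;
    creds) write_credentials "$SECRETS_DIR" "${2:?usage: $0 creds <linode-api-token>}" ;;
    run)   eval "$(certbot_cmd)" ;;
    *)     echo "usage: $0 check|creds <token>|run"; certbot_cmd ;;
esac
```

Run `check` while a failed certbot attempt's TXT record is still present (or right after creating one by hand in the Linode panel): if the delegated servers it prints are not Linode's and return nothing, the record is landing in a zone the public DNS no longer uses, and the fix is either to create the challenge record where the delegation points (a DNS plugin for DNS_2's provider) or to move the delegation back. Renewal later is the same `docker run` with `renew` in place of `certonly … -d …`, and the nginx container has to be told to reload after new files appear under `/etc/letsencrypt` (for example `docker exec <nginx-container> nginx -s reload`, with the container name being whatever you chose).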