chris_boudreaux's avatar

Challenge failed for domain -- Forge Wildcard SSL creation fails on Digital Ocean

I am trying to create a Let's Encrypt wildcard SSL certificate using Forge, but it fails with the following error messages. I set a wildcard subdomain on Digital Ocean. The root domain is maxcpq-metal.com, and the wildcard subdomain on Digital Ocean is *.maxcpq-metal.com. I removed the entire site and re-created it through Forge, but still get the same errors.

While Digital Ocean provides Let's Encrypt certificates, their integration with Let's Encrypt does not allow wildcard subdomain certificates. I tried.

ERROR BELOW

```
--2019-11-15 18:47:06-- https://forge-certificates.laravel.com/le/664467/890698?env=production
Resolving forge-certificates.laravel.com (forge-certificates.laravel.com)... 104.25.8.32, 104.25.9.32, 2606:4700:20::6819:920, ...
Connecting to forge-certificates.laravel.com (forge-certificates.laravel.com)|104.25.8.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: letsencrypt_script1573843626

 0K ..                                                     25.2M=0s

2019-11-15 18:47:06 (25.2 MB/s) - letsencrypt_script1573843626 saved [2729]

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-digitalocean, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for maxcpq-metal.com
dns-01 challenge for maxcpq-metal.com
Unsafe permissions on credentials configuration file: letsencrypt/creds.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain maxcpq-metal.com
Challenge failed for domain maxcpq-metal.com
dns-01 challenge for maxcpq-metal.com
dns-01 challenge for maxcpq-metal.com
Cleaning up challenges
Some challenges have failed.
cp: cannot stat '/etc/letsencrypt/live/certificate/privkey.pem': No such file or directory
cp: cannot stat '/etc/letsencrypt/live/certificate/fullchain.pem': No such file or directory
```

Sinnbeck's avatar

It seems you are trying to use DNS challenges. Did you set them up in the DNS? It seems it cannot find them.

chris_boudreaux's avatar

I have A records on Digital Ocean for maxcpq-metal.com and *.maxcpq-metal.com. Is that what you mean? The domains are registered through Hover, and Hover shows A records for @ and *.

chris_boudreaux's avatar

I can create a Let's Encrypt certificate through Forge, on this domain, without wildcard. It only fails when I try to create wildcard subdomain SSL through Forge.

Sinnbeck's avatar

Not quite. They should ask you to add a TXT record.

DNS-01 challenge. This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name.

chris_boudreaux's avatar

The Let's Encrypt site says the following:

After Let's Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. Then Let's Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!

... so, doesn't that mean that Forge should create the TXT record when requesting the new certificate?

Sinnbeck's avatar

Does Forge have access to edit your DNS configuration at Digital Ocean?

chris_boudreaux's avatar

The steps laid out by Taylor in his Medium post show that I need to enter my access token from Digital Ocean, which I did. The token has read and write authorization.

Is there somewhere else on Digital Ocean that I need to authorize the use of the token for this purpose?

chris_boudreaux's avatar

Thank you so much! I was pointing to Hover's name servers, even though I was managing all of the DNS records on Digital Ocean, so I hadn't realized that I needed to change the name servers on Hover to Digital Ocean's name servers.

I just made that change, and the SSL certificate creation in Forge worked as advertised.

Thanks!

Sinnbeck's avatar

Perfect. Happy to help. Please remember to mark the best answer
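
The root cause found in this thread (the DNS plugin wrote the `_acme-challenge` TXT record at Digital Ocean while the registrar still delegated the zone to Hover's name servers) can be caught before requesting a certificate. The following is an added example, not part of the thread and not Forge's or certbot's own code; the function names are hypothetical, the `digitalocean.com` suffix and the owner-only permission rule are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Pre-flight checks before a certbot dns-01 run that uses a DNS-provider plugin.

# ns_delegated_to SUFFIX
# Reads NS host names on stdin, one per line, in the form printed by
# `dig +short NS example.com`. Succeeds only if at least one name is present
# and every name ends in ".SUFFIX" (the provider the plugin writes to).
ns_delegated_to() (
  suffix=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
  seen=0
  while IFS= read -r ns; do
    ns=$(printf '%s' "${ns%.}" | tr 'A-Z' 'a-z')   # drop trailing dot, fold case
    [ -z "$ns" ] && continue
    seen=1
    case "$ns" in
      *".$suffix") ;;
      *) echo "NS $ns is not under $suffix" >&2; exit 1 ;;
    esac
  done
  [ "$seen" -eq 1 ]
)

# creds_mode_ok FILE
# Succeeds only if FILE grants nothing to group or other (e.g. mode 600).
# Assumption: this is the strict rule chosen for this example; the log above
# shows certbot warning about letsencrypt/creds.ini permissions.
creds_mode_ok() (
  mode=$(stat -c '%a' "$1") || exit 2
  case "$mode" in
    [0-7]00) ;;
    *) echo "$1 has mode $mode; expected owner-only (chmod 600)" >&2; exit 1 ;;
  esac
)

# preflight DOMAIN SUFFIX CREDS_FILE
# Live check: queries the public delegation with dig, then the credentials file.
preflight() {
  dig +short NS "$1" | ns_delegated_to "$2" || return 1
  creds_mode_ok "$3"
}

# Constructed sample: delegation still pointing at the registrar, as in this thread.
printf 'ns1.hover.com.\nns2.hover.com.\n' | ns_delegated_to digitalocean.com \
  || echo "delegation mismatch: TXT records written at the provider are not served"
```

On a live system the call would be `preflight maxcpq-metal.com digitalocean.com letsencrypt/creds.ini`, run from the directory that holds the credentials file.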
