Let's Encrypt Add-On

I am trying to use the Let’s Encrypt Add-On with my own domain, which is hosted at Cloudflare. When running the add-on, it gives me the following error.

Performing the following challenges:
dns-01 challenge for xxxx.mydomain.net
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain xxxx.mydomain.net
dns-01 challenge for xxxx.mydomain.net
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: xxxx.mydomain.net
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.xxxx.mydomain.net - the domain's nameservers may be malfunctioning

Is there a log somewhere that I might be missing that can help me with what the issue was? If I ping the subdomain on my computer it points to my IP on my router.

You are using DNS challenge instead of HTTP challenge.

Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.xxxx.mydomain.net

This means that you need to add a TXT record to your DNS settings at your DNS provider.

DNS-01 challenge
This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can’t. It also allows you to issue wildcard certificates. After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN> . Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!

So I have to manually add the TXT. I thought the add-on would handle that.

Hi Sean,

No, you don’t have to manually add the TXT. Mike’s advice is not correct. You would not know the secret to put into the TXT record.
The dns-01 challenge works as described above.
That means that the letsencrypt add-on will use the Cloudflare API with your credentials to add a TXT record in the DNS section of your domain. Then the system waits 10 seconds and then tries to read the TXT record by using a query of the DNS system.

To debug this you need to log on to your Cloudflare account to monitor your DNS entries. During the 10-second wait, you should see a TXT record popping up. If this doesn’t happen, your config is wrong. If you see the record later, the 10-second propagation time might be too short and the entry is just not yet there when the add-on is verifying.
I don’t know if there is a way to extend the propagation wait time with cloudflare.

Chris
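To make the two points above concrete (the TXT value is derived from the token and the ACME account key, so you cannot type it in by hand; and a fixed 10-second propagation wait can be too short), here is an added example, not code from the Home Assistant Let’s Encrypt add-on or from certbot. It computes the dns-01 record content the way RFC 8555 (section 8.4) and RFC 7638 (JWK thumbprint) specify, then polls for the record with a propagation window. The account keys, the token, the domain and the simulated DNS zone (which answers SERVFAIL until the record "propagates") are all constructed for illustration; no real key material or live DNS is involved.

```python
"""Compute the dns-01 TXT value the way an ACME client does (RFC 8555 s.8.4,
RFC 7638 thumbprint) and poll for it with a propagation wait.

Added example; not code from the Home Assistant Let's Encrypt add-on. All keys,
tokens and the simulated DNS zone below are constructed for illustration."""
import base64
import hashlib
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required public members, lexicographically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(account key): binds the challenge to one ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Content of the TXT record at _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return b64url(digest)


class DnsError(Exception):
    """A failed lookup (e.g. SERVFAIL), as opposed to a successful but empty answer."""


def wait_for_txt(name, expected, lookup, wait_seconds=10, interval=2, sleep=time.sleep):
    """Poll lookup(name) until `expected` is among the returned TXT values.

    Mirrors the add-on's 'Waiting N seconds for DNS changes to propagate' step.
    Returns True once the record is visible, False if the window expires."""
    attempts = max(1, wait_seconds // interval)
    for attempt in range(1, attempts + 1):
        try:
            values = lookup(name)
        except DnsError as exc:
            print(f"attempt {attempt}: lookup failed: {exc}")
        else:
            if expected in values:
                print(f"attempt {attempt}: found matching TXT record")
                return True
            print(f"attempt {attempt}: record not visible yet ({len(values)} TXT values)")
        sleep(interval)
    return False


class SimulatedZone:
    """Constructed stand-in for a DNS provider: queries before `visible_after`
    fail with SERVFAIL, later ones return the record (simulated propagation)."""

    def __init__(self, name, value, visible_after):
        self.name, self.value, self.visible_after = name, value, visible_after
        self.queries = 0

    def lookup(self, name):
        self.queries += 1
        if self.queries < self.visible_after:
            raise DnsError("SERVFAIL")
        return [self.value] if name == self.name else []


# Constructed placeholder keys (NOT real keys; the values are arbitrary base64url strings).
ACCOUNT_JWK_A = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1yc2EtbW9kdWx1cw", "alg": "RS256"}
ACCOUNT_JWK_B = {"kty": "EC", "crv": "P-256", "x": "eC1jb29yZA", "y": "eS1jb29yZA"}


def demo(domain="xxxx.mydomain.net", token="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"):
    """Returns (txt_value, short_window_ok, long_window_ok) against a zone that
    needs 4 queries before the record is visible. The token is a constructed value."""
    name = f"_acme-challenge.{domain}"
    txt = dns01_txt_value(token, ACCOUNT_JWK_A)
    no_sleep = lambda _seconds: None  # keep the demo instant
    short = wait_for_txt(name, txt, SimulatedZone(name, txt, 4).lookup,
                         wait_seconds=4, interval=2, sleep=no_sleep)   # 2 attempts: too short
    long_ = wait_for_txt(name, txt, SimulatedZone(name, txt, 4).lookup,
                         wait_seconds=10, interval=2, sleep=no_sleep)  # 5 attempts: succeeds
    return txt, short, long_


if __name__ == "__main__":
    print(demo())
```

Two things to take from this when debugging the add-on: the TXT value changes with every order and with the account key, so what you see in the Cloudflare dashboard during the wait should be a 43-character base64url string that you never typed yourself; and a SERVFAIL from the validating resolver is a failed lookup, not "record absent", so if the record does appear in Cloudflare a few seconds late, a longer propagation wait is the fix rather than a config change.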

Thanks for the detailed info. I will take a look at this again.

Hi Sean,

there were updates on the Let’s Encrypt add-on in the last days.
Propagation Time is now a general feature usable on all providers.
This might help you if your DNS setup needs more time than 10 seconds, which was the default so far.

Chris

Thanks for the info. I ended up switching to the Linuxserver.io Let’s Encrypt Nginx Reverse Proxy. Once I got it set up it went smoothly, and I am now using my domain with Home Assistant.

I am a bit puzzled about how to set up the letsencrypt plugin.

In the manual way to do this (Certificate for SSL/TLS via domain ownership) there is an option to run certbot with the option to add a txt record to your dns records as a validation method.

I cannot find this option in the letsencrypt addon and unfortunately eurodns is not in the list of dns providers.

Is there any way to do this or am I stuck with manual mode?