I am requesting a certificate for an internal domain using DNS validation. I am following the directions from [1] and [2].
My domain example.com is valid and available in the open, while the subdomain subdomain.example.com is reachable only if connected to the Intranet.
What I want is a certificate for subdomain.example.com.
Since the internal DNS is managed by our Network Office I have been using the manual mode.
If I use certbot-external-auth I get this:
$ sudo certbot --text \
--agree-tos \
--email [email protected] \
--expand \
--renew-by-default \
--configurator certbot-external-auth:out \
--certbot-external-auth:out-text-mode \
-d subdomain.example.com \
certonly
[sudo] password for user:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator certbot-external-auth:out, Installer certbot-external-auth:out
Obtaining a new certificate
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
dns-01 challenge for subdomain.example.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Please deploy a DNS TXT record under the name
subdomain.example.com with the following value:
aaa-aaa-aaa
Once this is deployed,
Press ENTER to continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. subdomain.example.com (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up
TXT for _acme-challenge.subdomain.example.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: subdomain.example.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.subdomain.example.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
The strange thing is that the instructions say to
deploy a DNS TXT record under the name subdomain.example.com
while in the end the DNS request is made to:
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.subdomain.example.com
If I use the "vanilla" certbot I am able to get the certificate:
$ sudo certbot --text \
--agree-tos \
--email [email protected] \
-d subdomain.example.com \
--manual \
--preferred-challenges dns \
--expand \
--renew-by-default \
--manual-public-ip-logging-ok \
certonly
[sudo] password for user:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
dns-01 challenge for subdomain.example.com
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.subdomain.example.com with the following value:
aaa-aaa-aaa
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/subdomain.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/subdomain.example.com/privkey.pem
Your cert will expire on 2018-07-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
and the instructions say to:
Please deploy a DNS TXT record under the name _acme-challenge.subdomain.example.com
with the domain request for the verification correctly made to _acme-challenge.subdomain.example.com.
So I think this is a bug of certbot-external-auth.
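The two sessions above differ only in the record name the plugin asks for: the CA always queries TXT at _acme-challenge.<identifier>, so a record published under the bare subdomain.example.com is never found and the validation fails with NXDOMAIN. The following added example (not certbot's or certbot-external-auth's code) derives the dns-01 record name and value per RFC 8555 §8.4 and RFC 7638 and pre-checks a deployment before the ENTER step; the JWK, the token aaa-aaa-aaa and the two "zone" dictionaries are constructed stand-ins for a real account key and resolver answers.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record_name(domain: str) -> str:
    """Owner name the CA queries for a dns-01 challenge.

    RFC 8555 s8.4: the TXT record lives at _acme-challenge.<identifier>,
    never at <identifier> itself. For a wildcard identifier the label is
    prepended to the parent name.
    """
    domain = domain.rstrip(".").lower()
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (required public
    members only, lexicographic order, no whitespace) of the account key."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1/s8.4: keyAuthorization = token '.' thumbprint;
    the TXT rdata is base64url(SHA-256(keyAuthorization))."""
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("utf-8")).digest())


def check_deployment(domain: str, token: str, jwk: dict, txt_records: dict):
    """Pre-flight check mirroring what the CA will do.

    txt_records maps an owner name to the list of TXT strings a *public*
    resolver returns for it (an Intranet-only view is useless here, since
    the CA resolves from the outside). Returns (ok, message).
    """
    name = dns01_record_name(domain)
    expected = dns01_txt_value(token, jwk)
    seen = txt_records.get(name, [])
    if not seen:
        return False, f"NXDOMAIN/empty: no TXT at {name}"
    if expected not in seen:
        return False, f"TXT at {name} present but no value matches the key authorization"
    return True, f"TXT at {name} matches the key authorization"


# Constructed sample account key (EC P-256 JWK with placeholder coordinates;
# thumbprinting does not validate the curve point).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
TOKEN = "aaa-aaa-aaa"  # the token shown in the report, reused as a constructed value
DOMAIN = "subdomain.example.com"

# Zone as the broken plugin's instructions would have you deploy it:
# the value is right, the owner name is not.
WRONG_NAME_ZONE = {DOMAIN: [dns01_txt_value(TOKEN, SAMPLE_JWK)]}
# Zone as vanilla certbot --manual instructs.
CORRECT_ZONE = {dns01_record_name(DOMAIN): [dns01_txt_value(TOKEN, SAMPLE_JWK)]}

if __name__ == "__main__":
    for label, zone in (("plugin instructions", WRONG_NAME_ZONE), ("manual plugin", CORRECT_ZONE)):
        ok, msg = check_deployment(DOMAIN, TOKEN, SAMPLE_JWK, zone)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

Run it against the real record set (e.g. the TXT answers from `dig +short TXT _acme-challenge.subdomain.example.com @8.8.8.8`) before pressing ENTER; a public resolver is the relevant view, because the CA never sees Intranet-only zones, and the _acme-challenge label is the only name it will ask for.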