turnkeylinux / tracker

TurnKey Linux Tracker
https://www.turnkeylinux.org

Note what "correctly configured" DNS means in context of Let's Encrypt #1448

Open JedMeister opened 4 years ago

JedMeister commented 4 years ago

As suggested by Farmer20 in the forums it might be useful to have some more noob friendly docs explaining what "correctly configured" DNS means in context of Let's Encrypt.

JedMeister commented 3 years ago

Or better still, perhaps we should just probe the domain(s) and check if they point to the public IP of the current server?!

I note that the public IP can be determined via the python3 standard library like this:

import urllib.request
external_ip = urllib.request.urlopen('https://www.wikipedia.org').headers['X-Client-IP']

external_ip will be a string containing the public IP address.

Then if the dnspython library (python3-dnspython in Debian repos) is installed, then the A record of the desired domain name can be checked like this:

import dns.resolver

domain = 'domain.to.check.com'
answers = dns.resolver.query(domain, 'A')
for answer in answers:
    print(answer.to_text())

answer.to_text() should be a string containing the 'A' record IP address. For the couple that I tested, answers[0].to_text() returned the same info.

OnGle commented 3 years ago

It is possible the domain has multiple A records as such here's a possible solution

import urllib.request
import dns.resolver

# public IP as seen by a remote server, taken from the response header
external_ip = urllib.request.urlopen('https://www.wikipedia.org').headers['X-Client-IP']

domain = 'domain.to.check.com'
domain_is_correct = False
# a domain may have several A records; any one of them matching is enough
for record in dns.resolver.query(domain, 'A'):
    if record.to_text() == external_ip: # note these may differ in format/type, couldn't find direct info in docs
        domain_is_correct = True
        break

if domain_is_correct:
    ...
else:
    ...

Deferring to 17.0, but I might handle this beforehand if I get the time.
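Putting the two comments above together, here is an added example (not code from the TurnKey tracker or either commenter) of the check as a small module. It resolves every A record of a domain, compares each against the server's public IP by address value rather than by string (which settles the "may differ in format/type" question), and distinguishes "points elsewhere" from "no record at all", since those need different hints for the user. Assumptions: dnspython 2.x (`dns.resolver.resolve`, which replaced the deprecated `query`), and the same X-Client-IP header trick for the public IP. Both lookups are injectable so the matching logic can be exercised offline with constructed records, as in `_demo_resolve` below.

```python
"""Check whether each requested domain's A records point at this server.

Added example for the TurnKey Let's Encrypt discussion; not project code.
The public-IP lookup and the DNS lookup are separate, injectable functions
so the comparison logic can be tested without network access.
"""
import ipaddress
from typing import Callable, List, Tuple


def get_public_ip(url: str = "https://www.wikipedia.org") -> str:
    """Return this host's public IP as reported by a remote web server.

    Same X-Client-IP header trick as in the thread; needs network access.
    """
    import urllib.request  # imported here so the offline parts work without it

    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers["X-Client-IP"]


def resolve_a_records(domain: str) -> List[str]:
    """Resolve all A records for domain with dnspython (python3-dnspython).

    Returns an empty list when the name does not exist or has no A records,
    so a missing record is reported to the user instead of raising.
    Assumption: dnspython >= 2.0, which provides dns.resolver.resolve().
    """
    import dns.resolver  # lazy import: not needed for the offline logic

    try:
        answers = dns.resolver.resolve(domain, "A")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [rdata.to_text() for rdata in answers]


def _normalize(text: str) -> ipaddress._BaseAddress:
    """Parse an address string; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(text.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def check_domain(
    domain: str,
    external_ip: str,
    resolve: Callable[[str], List[str]] = resolve_a_records,
) -> Tuple[str, List[str]]:
    """Classify domain as 'match', 'mismatch' or 'no_record'.

    Returns the status plus the A records found (normalized to text) so the
    caller can show the user what DNS actually says.
    """
    server = _normalize(external_ip)  # raises ValueError on a bad public IP
    records = []
    for text in resolve(domain):
        try:
            records.append(_normalize(text))
        except ValueError:
            continue  # skip malformed records rather than abort the whole check
    shown = [str(r) for r in records]
    if not records:
        return "no_record", shown
    if server in records:
        return "match", shown
    return "mismatch", shown


def explain(domain: str, external_ip: str, status: str, records: List[str]) -> str:
    """Turn a check result into the kind of plain-language hint the issue asks for."""
    if status == "match":
        return f"{domain} resolves to {external_ip}: DNS looks correctly configured."
    if status == "no_record":
        return (f"{domain} has no A record. Create an A record pointing at "
                f"{external_ip}, then wait for it to propagate before retrying.")
    return (f"{domain} currently points to {', '.join(records)}, not to this "
            f"server's public IP {external_ip}. Update the A record and retry.")


def _demo_resolve(domain: str) -> List[str]:
    """Constructed records (documentation ranges) standing in for real DNS."""
    return {
        "ok.example": ["203.0.113.10", "203.0.113.11"],
        "wrong.example": ["198.51.100.5"],
        "mapped.example": ["::ffff:203.0.113.10"],
    }.get(domain, [])


if __name__ == "__main__":
    # Offline demonstration; swap _demo_resolve for resolve_a_records and
    # get_public_ip() for the constant to check a real server.
    public_ip = "203.0.113.10"
    for name in ("ok.example", "wrong.example", "missing.example"):
        status, found = check_domain(name, public_ip, resolve=_demo_resolve)
        print(explain(name, public_ip, status, found))
```

Running the module prints one hint per domain; in a real deployment the loop would iterate over the domains the user typed into the Let's Encrypt configuration and refuse to request a certificate for any that is not a `match`, which avoids burning a Let's Encrypt failed-validation rate-limit slot on a domain that cannot succeed.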

JedMeister commented 8 months ago

I have implemented an improvement. It now suggests checking via Google's online DIG tool.

We could still do better though, so I'll leave this open.