403 error for incorrect TXT record

Hi all,

Thanks for your help in advance.

I'm trying to install Let's Encrypt through Plesk, and I'm getting an error for an incorrect TXT record.
The TXT records are for email server validation. I'm assuming I'm getting the error as they are external domains; is there any way around this?

Cheers
Alex

E.g.
Could not issue an SSL/TLS certificate for yamahaclub.com
Details

Could not issue a Let's Encrypt SSL/TLS certificate for yamahaclub.com. Authorization for the domain failed.

Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/273029068756.

Details:

Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: Incorrect TXT record "v=spf1 include:_spf.google.com include:sparkpostmail.com ~all" found at _acme-challenge.yamahaclub.com

My domain is: yamahaclub.com

I ran this command:

It produced this output:

My web server is (include version): Apache/Nginx
The operating system my web server runs on is (include version): Ubuntu 22.04 / Plesk 18.0.55 Update #2

I can login to a root shell on my machine (yes or no, or I don't know): Have SSH access

It's possible to have multiple TXT RRs for the same hostname. That said, why would the _acme-challenge label have an SPF TXT record?


They likely also used a wildcard DNS entry to define their SPF record [not uncommon].


Or because of a mis-placed CNAME?

_acme-challenge.yamahaclub.com.	300 IN	CNAME	yamahaclub.com.
yamahaclub.com.		3600	IN	TXT	"v=spf1 include:_spf.google.com include:sparkpostmail.com ~all"

OR
A wildcard CNAME ? ? ?
Yikes!

I'd really like to see that DNS zone.

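The CNAME and wildcard explanations in the replies above can be worked through against a small in-memory zone. The following is an added example, not code from the thread or from Plesk or Let's Encrypt: it derives the DNS-01 TXT value the way RFC 8555 section 8.4 specifies (base64url of SHA-256 over token "." account-key-thumbprint), then looks up _acme-challenge.<domain> in three constructed zones (a mis-placed CNAME, a wildcard TXT, and a correct zone where the SPF and challenge TXT records coexist) and reports what a CA would see. The zone data, the domain example.test, the token and the thumbprint are all constructed placeholders; the resolver is a toy that follows one CNAME chain and a single-level wildcard, not a full RFC 1034 implementation.

```python
"""Toy DNS-01 pre-flight check (hypothetical example).

Resolves the TXT records a CA would see at _acme-challenge.<domain> against
an in-memory zone, following CNAMEs and single-level wildcards, and reports
whether the expected ACME challenge value is present.
"""
import base64
import hashlib


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value for a DNS-01 challenge per RFC 8555 section 8.4:
    base64url(SHA-256(token "." thumbprint)) with padding stripped."""
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed placeholders; a real token/thumbprint come from the ACME server
# and the account key.
EXPECTED = dns01_txt_value("constructed-token", "constructed-thumbprint")
SPF = "v=spf1 include:_spf.google.com include:sparkpostmail.com ~all"

# Zones: owner name -> list of (rrtype, rdata). All names are constructed.
ZONE_MISPLACED_CNAME = {
    "example.test.": [("TXT", SPF)],
    "_acme-challenge.example.test.": [("CNAME", "example.test.")],
}
ZONE_WILDCARD_TXT = {
    "example.test.": [("TXT", SPF)],
    "*.example.test.": [("TXT", SPF)],
}
ZONE_CORRECT = {
    "example.test.": [("TXT", SPF)],
    # Multiple TXT RRs at one name are fine; the CA only needs one to match.
    "_acme-challenge.example.test.": [("TXT", SPF), ("TXT", EXPECTED)],
}


def lookup(zone: dict, name: str, rrtype: str, depth: int = 0):
    """Return (final_owner_name, [rdata]) for rrtype at name.

    Follows a CNAME if the owner has one, and synthesises from a single-level
    wildcard only when the owner name does not exist at all (RFC 1034 rule:
    an existing name with other record types blocks the wildcard).
    """
    if depth > 8:
        raise ValueError("CNAME chain too long")
    rrs = zone.get(name)
    if rrs is None:
        parent = name.split(".", 1)[1] if "." in name else ""
        rrs = zone.get("*." + parent, [])
    cnames = [rd for t, rd in rrs if t == "CNAME"]
    if cnames:
        return lookup(zone, cnames[0], rrtype, depth + 1)
    return name, [rd for t, rd in rrs if t == rrtype]


def check_dns01(zone: dict, domain: str, expected: str) -> str:
    """Mimic the CA's view: 'ok' if any TXT RR at _acme-challenge matches,
    otherwise a diagnostic naming the first unrelated record it found."""
    name = f"_acme-challenge.{domain}."
    final, txts = lookup(zone, name, "TXT")
    if expected in txts:
        return "ok"
    if txts:
        via = f" (resolved via {final})" if final != name else ""
        return f'Incorrect TXT record "{txts[0]}" found at {name}{via}'
    return f"No TXT record found at {name}"


if __name__ == "__main__":
    for label, zone in (("misplaced CNAME", ZONE_MISPLACED_CNAME),
                        ("wildcard TXT", ZONE_WILDCARD_TXT),
                        ("correct zone", ZONE_CORRECT)):
        print(f"{label}: {check_dns01(zone, 'example.test', EXPECTED)}")
```

In the first two zones the check surfaces the SPF string exactly as the error in the original post does, because that is the only TXT data the resolver can reach at the _acme-challenge name; in the third the SPF record is still present but is simply ignored once a matching RR exists.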

Thanks everyone, I hadn't added the acme challenge contents correctly to the DNS. Still confused over that error message though, not explicit to what the problem was. Oh well sorted now, thanks again.


What exactly wasn't clear about the error message? It said it couldn't find the correct TXT record, and instead found an SPF value.


It said:

Detail: Incorrect TXT record "v=spf1 include:_spf.google.com include:sparkpostmail.com ~all" found at _acme-challenge.yamahaclub.com

That TXT record had no relation to the acme-challenge, so why did it highlight this one? This TXT record was correctly deployed.

That's why it was incorrect.

Apparently not.


Because it was the only one heard.

