Accidentally Overwrote DNS TXT record

I accidentally, stupidly, overwrote the existing TXT record on an AWS DNS record when renewing an SSL for a domain. Ooops! What do?!?

1 Like

I'm not quite following your question. Are you using DNS-01 authentication for Let's Encrypt authentication? If so, the TXT record is only used while getting a specific certificate and not used thereafter. That is, each renewal uses a new TXT record value. Once it's checked, it can (and probably should) just be deleted.

What problem are you having?


Yes, I am trying to renew an existing SSL using DNS challenge. I went to add the TXT record and half asleep copied and pasted over the old. When I hit ENTER to continue, then it decides to tell me to add a new one and not replace the old one. I should have known better. Anyway, now it won’t renew.

I looked at the log hoping I could find the old, but the letsencrypt log only shows the new TXT not the old. I did a DNS query hoping I could retrieve the old one but its too late, already propogated.

So... what’s the best course of action from here?


Try again?  

1 Like

It's still not entirely clear to me what you're doing, or what the problem is that you're trying to solve. Can you complete the standard "Help" template that you should have seen when starting a new Help topic, especially what command you're running and what its output is? It's not clear to me what you're being told to do that you don't think you can do.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):
1 Like

I think the thing other people are pointing out is that these values are ephemeral—they're basically randomly generated by the certificate authority to prove your control over the domain name in response to an individual certificate request. Therefore there's nothing especially precious, important, or secret about these strings. If you make a new request from scratch, you'll get a new one, which will work just fine in place of the "lost" one.

It's also important to understand that, unlike some "proof of website ownership" TXT records, this one is different every time, like @petercooperjr mentioned

By contrast, some other services that use TXT records to verify your control over a domain name may expect you to keep a specific TXT record in place indefinitely. But that's not how Let's Encrypt in particular uses these.

1 Like

The DNS TXT record itself has changed. The old record that it looks for has been replaced, so trying again is futile.

I don’t do this very often, every three months or so for a couple of domains. First time I’ve ever boffo’d it.


1 Like

Sorry, I don't understand what you mean here. It seems to me that if you try again, you will be told a new value to use. I don't understand why this would be futile.

1 Like

Ok I think I get what you all are saying, so to cut right to it I think the issue may be that acme is attempting to verify the server by looking up the TXT record in DNS, but I unfortunately copied and pasted the new string over it.

So the challenge segment of the process is an acme process, not a lets encrypt process, right?


1 Like

ACME is the protocol that Let's Encrypt CA uses to communicate with your client software, including indicating the challenge methods and associated data that the certificate authority would accept for proof of your control over a domain name.

1 Like

Again, without you telling us your client, what command you're running, and what the output is that you're not expecting, it's hard for anyone here to give you much guidance. I would also expect updating any domains with DNS served by AWS Route53 would be easily automated, so it's also not clear why you're manually pasting things around.

1 Like

I think I'm looking at this from a big picture perspective, whereas you guys are looking at the nitty gritty. There is no specific command line operation I'm discussing here. I'm simply saying I attempted to renew an SSL for a domain and in the process I copied and pasted the string (challenge) into the TXT record instead of adding a new TXT record. Now the process fails because it's attempting to verify the old string before it produced a new SSL.

Therefore, I'm wondering what I should do, in terms revoking (removing) the old one, or creating something entirely from scratch. Hope this helps to clarify. And yes, I'm using a lightsail instance with route53 and of course lets encrypt and acme.

Yes, and I cannot prove my control over the domain because it's looking for a TXT record in the DNS that I altered by copying and pasting the new challenge string over the old one.

Well, in the big picture, TXT records for _acme-challenge.yourdomain.example are irrelevant except when you're trying to validate an order for a new certificate for yourdomain.example.


What process? That's what we're not understanding. What are you trying to do, if not run a command to get a new certificate?

The old what? You probably don't need to revoke or remove anything, but we don't know what you're trying to do.


@TheTopBloke It's not like the previous TXT record you should have used earlier is written in stone: if you request a certificate again, the ACME server will ask you to put new TXT records into your DNS. And even if it would reuse previous authorizations, the ACME client you use should be able to tell you which TXT record to put into your DNS zone. It's not like those TXT records are a secret. It's not like if one is presented to you and you somehow forget about it or fudge up the adding of the TXT record to your DNS zone, it will forever fail. It's just not how the ACME process works.

Also, I'm 200 % with @petercooperjr here. To me, it sounds like you've already made your mind up, even when multiple people here tell you your train of thought isn't correct. You don't post much required details, you keep it for some reason very vague. It's very hard to give advice that way.


Ok, I tried again. It worked. Thank you for dealing with me. I can't believe it was that easy.

So now, I should be able to delete those TXT records specific to the renewal process.


Yes, if you have your certificate, you can delete those TXT records: they aren't useful any longer.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.