ACME challenge failed despite having correct TXT value


#1

I have confirmed that the content for the TXT record that certbot prompted me to attach is indeed attached and indeed the same text

My domain is: knine.club, *.knine.club

I ran this command:
/certbot-auto certonly --manual --preferred-challenges=dns --email emile@nobal.ca --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.knine.club -d knine.club

It produced this output:

  • The following errors were reported by the server:

    Domain: knine.club
    Type: unauthorized
    Detail: Incorrect TXT record
    “lek1Ww22hgLyh6JYKf-U1n-m-ELrMUkCAHsaY0XVSZ4” found at
    _acme-challenge.knine.club

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Apache/2.4.10
The operating system my web server runs on is (include version):
Docker
My hosting provider, if applicable, is:
hosted on AWS DNS provider is google
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
None


#2

Certbot will have prompted you to create 2 separate (two) TXT records. You only have one.


#3

Hi @emile

you want one certificate with two domain names. So you have to create two dns txt entries with the same name and different values. But

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| knine.club | | ok | 1 | 0 |
| www.knine.club | | ok | 1 | 0 |
| _acme-challenge.knine.club | lek1Ww22hgLyh6JYKf-U1n-m-ELrMUkCAHsaY0XVSZ4 | looks good | 1 | 0 |

I see only one entry, not two.


#4

Thanks for your reply, perhaps I’m confused about how to use this command. There is only one domain name .knine.club with a wildcard A record. It seems like I need to run the command again against the A record alone, is this right?


#5

Your command

-d *.knine.club -d knine.club

is good. Because the wildcard-certificate *.knine.club doesn’t work with the domain knine.club, so it’s standard to have one wildcard certificate with these two domain names.

But you have to create two dns txt entries with the same name

_acme-challenge.knine.club

and two different values. But there is only one entry, not two.


#6

OK, I understand. How can I get another value to add for the second TXT record? Only one is provided by certbot.


#7

Certbot should show you two different txt values.


#8

Certbot just gives me this.


Please deploy a DNS TXT record under the name
_acme-challenge.knine.club with the following value:

lek1Ww22hgLyh6JYKf-U1n-m-ELrMUkCAHsaY0XVSZ4

Before continuing, verify the record is deployed.



#9

There must be a second value if you use

-d *.knine.club -d knine.club

as domains. Try it again.


#10

Sorry, my last reply is incorrect;
it has provided a second value.


#11

Hi @JuergenAuer
Thanks to your help I was able to get the wildcard subdomain set up, much appreciated!
I now need to get the base domain secured as well. My question is, can I run the above command against knine.club and substitute the given value for the one that is currently in the TXT record?
My provider (google) seems to disallow multiple TXT records with the same host.


#12

This is highly unlikely. You may just have to add multiple values to the same record. Can you post a screenshot of the interface you’re using?


#13

Unfortunately I'm doing this by proxy through my boss, so I just have to take his word for it.
I was, however, able to get a cert issued in this manner, by running the command twice against each domain and swapping out the TXT content accordingly.


#14

Your boss needs to press the “+” (plus) button you can see on the below screenshot, to have multiple TXT values on one row (after first going into “Edit” mode).

[screenshot of the DNS interface, not reproduced here]

