_acme-challenge Incorrect TXT record Old Data

It seems that Let’s Encrypt is not refreshing its data.

I use the manual method to renew my certificates.

My WaynesPets.com certificate renewal is failing because Let’s Encrypt keeps reading an old TXT that does not exist anymore.

I checked with
https://mxtoolbox.com/TXTLookup.aspx
to make sure that my world-readable TXT records were correct, but Let’s Encrypt keeps saying:

  • The following errors were reported by the server:

    Domain: waynespets.com
    Type: unauthorized
    Detail: Incorrect TXT record
    “BeymzpVFB2ZZmqoRDIzKjz_d9_ETw1RbFlNT8aTnmFU” (and 1 more) found at
    _acme-challenge.waynespets.com

“BeymzpVFB2ZZmqoRDIzKjz_d9_ETw1RbFlNT8aTnmFU” is old data that does not exist any more.

Wayne Sallee
Wayne@WayneSallee.com
http://www.WayneSallee.com

Hi @WayneSallee

checking your domain that looks good - https://check-your-website.server-daten.de/?q=waynespets.com#txt

Two correct entries with the same domain name (main domain + wildcard domain), two different entries, none of the wrong entries (duplicated domain names).

And it’s not the

BeymzpVFB2ZZmqoRDIzKjz_d9_ETw1RbFlNT8aTnmFU

value.

Perhaps try it one time again, remove both values, add both new values, recheck the domain.

1 Like

It worked now. It seems that giving Let's Encrypt time to clear its cache allowed it to work this time.

Wayne Sallee
Wayne@WayneSallee.com
http://www.WayneSallee.com

1 Like

It was probably something else…
LE doesn’t cache such requests.
It goes directly to your authoritative name servers and retrieves the most current information.

But I’m glad to hear that you are all renewed :slight_smile:

1 Like

Yep, perhaps you hit “return” too quickly. Letsencrypt always queries the newest results, like (good) online tools.

1 Like

FYI:
The entries are still there…
Some housecleaning may be in order (out-of-order):

nslookup -q=txt _acme-challenge.waynespets.com ns1.digitalocean.com
_acme-challenge.waynespets.com text = "PuBervvcq3zeKV2p-WCtNbZj-GjW_a4iGcsFVNxWhBs"
_acme-challenge.waynespets.com text = "yzdEmyMvCQVaaMldS-7004H5Reexml0OTHQbjjRpU0I"

That old data was from the previous certificate, and I had retried several times, so it can’t be that I hit return too quickly. After the second time, I checked https://mxtoolbox.com/TXTLookup.aspx to make sure it was good, and continued, but it still errored. So the last time I waited 30 minutes, and then re-renewed the certificate and it worked.

Wayne Sallee
Wayne@WayneSallee.com
http://www.WayneSallee.com

I don’t delete the old data, as I don’t see any risk in keeping them. By leaving them there, it makes it quicker to renew the certificate the next time by simply editing the TXT.

What I think happened that woke up the bug, is that I think I edited one of the TXT twice instead of editing one, and then the other.

Then after the bug was woken up, it would not die until left alone for 30 minutes.

Wayne Sallee
Wayne@WayneSallee.com
http://www.WayneSallee.com

You can check (in another window) and hit return once it is seen.
Use:
nslookup -q=txt _acme-challenge.waynespets.com ns1.digitalocean.com

Yes that’s a nice way to do it too.

I'll install nslookup on my laptop, then it will be easier than going to the website I referenced.

Wayne Sallee
Wayne@WayneSallee.com
http://www.WayneSallee.com

It’s hard to be sure what records DigitalOcean’s DNS service will actually respond with. “ns1.digitalocean.com” is multiple servers – probably multiple clusters of multiple servers – behind the DNS equivalent of a CDN. When you make changes, there’s probably database replication delay and several layers of caching.

It might help if you can decrease the TTL.

1 Like
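The two suggestions above (check the authoritative name server with nslookup before hitting return, and allow for replication delay behind the provider's anycast DNS) can be combined into a small pre-flight check. The script below is an added example written for this thread, not code from Let's Encrypt, DigitalOcean or any poster: it parses the `text = "..."` lines that `nslookup -q=txt` prints (the format shown earlier in the thread), reports which expected challenge values are present, which are still missing, and which values you thought you had removed are still being served, and optionally polls until the authoritative server returns the values. It assumes `nslookup` is on the PATH and prints in that format; the sample output embedded at the bottom is constructed, with a TEST-NET address in place of a real one.

```python
"""Pre-flight check for a DNS-01 challenge TXT record.

Added example for this thread (not from Let's Encrypt, DigitalOcean or any
poster). Parses the output of `nslookup -q=txt <name> <server>` and compares
the values the authoritative server actually returns with the values the
ACME client asked you to publish.
"""
import re
import subprocess
import time

# Matches lines such as:
#   _acme-challenge.waynespets.com  text = "PuBervvcq3zeKV2p-WCtNbZj-GjW_a4iGcsFVNxWhBs"
# Group 1 is the owner name, group 2 the quoted TXT value (backslash escapes allowed).
TXT_LINE = re.compile(r'^\s*(\S+)\s+text\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def parse_txt_values(nslookup_output, name):
    """Return the set of TXT values nslookup printed for `name` (case/dot insensitive)."""
    want = name.rstrip(".").lower()
    values = set()
    for line in nslookup_output.splitlines():
        m = TXT_LINE.match(line)
        if m and m.group(1).rstrip(".").lower() == want:
            values.add(m.group(2))
    return values


def check_challenge(found, expected, stale=()):
    """Compare served values with what the ACME client expects.

    ready          - every expected value is being served
    missing        - expected values not yet visible (replication delay, typo, edited wrong record)
    stale_present  - values you meant to delete that the server still answers with
    unexpected     - anything else on the name (leftovers from older renewals)
    """
    expected, stale, found = set(expected), set(stale), set(found)
    return {
        "ready": expected <= found,
        "missing": sorted(expected - found),
        "stale_present": sorted(stale & found),
        "unexpected": sorted(found - expected - stale),
    }


def query_txt(name, server, timeout=10):
    """Ask one authoritative server directly (bypasses your resolver's cache)."""
    proc = subprocess.run(["nslookup", "-q=txt", name, server],
                          capture_output=True, text=True, timeout=timeout)
    return parse_txt_values(proc.stdout, name)


def wait_until_published(name, server, expected, poll=15, max_wait=600):
    """Poll the authoritative server until all expected values are served or max_wait passes."""
    deadline = time.monotonic() + max_wait
    while True:
        report = check_challenge(query_txt(name, server), expected)
        if report["ready"] or time.monotonic() >= deadline:
            return report
        time.sleep(poll)


# Constructed sample modelled on the nslookup output quoted in the thread
# (192.0.2.1 is a documentation address, not the real server).
SAMPLE_OUTPUT = """Server:\t\tns1.digitalocean.com
Address:\t\t192.0.2.1#53

_acme-challenge.waynespets.com\ttext = "PuBervvcq3zeKV2p-WCtNbZj-GjW_a4iGcsFVNxWhBs"
_acme-challenge.waynespets.com\ttext = "yzdEmyMvCQVaaMldS-7004H5Reexml0OTHQbjjRpU0I"
"""

if __name__ == "__main__":
    found = parse_txt_values(SAMPLE_OUTPUT, "_acme-challenge.waynespets.com")
    print(check_challenge(found, ["PuBervvcq3zeKV2p-WCtNbZj-GjW_a4iGcsFVNxWhBs"]))
    # Live use (uncomment): hit return in the ACME client only once this says ready=True
    # print(wait_until_published("_acme-challenge.example.com", "ns1.digitalocean.com",
    #                            ["<value-from-acme-client>"]))
```

Pasting the expected values straight from the ACME client's prompt into `expected` avoids the "edited one record twice" mistake described above, because the report lists exactly which value is missing and which old value is still being answered. Querying `ns1.digitalocean.com` directly rather than your local resolver means a stale answer can only come from the provider's own replication, which is what lowering the TTL and waiting a few minutes addresses.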

Yes that's a good point. I'll reduce the TTL. It might help.

Wayne Sallee
Wayne@WayneSallee.com
http://www.WayneSallee.com