Cannot generate certificate because DNS challenge fails

Hello, I am trying to generate a wildcard certificate for my domain but I keep getting the error below. The funny thing is that the dns-cloudflare plugin does successfully add and remove the TXT records to Cloudflare but for some reason still reports an error.

My domain is: *.neuschool.app and neuschool.app

I ran this command:

./certbot-auto certonly \
  --noninteractive \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --email 'admin@neustack.com' \
  --preferred-challenges dns \
  --rsa-key-size 4096 \
  -d '*.neuschool.app' \
  -d 'neuschool.app' \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/certbot/secrets/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 300

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for neuschool.app
dns-01 challenge for neuschool.app
Waiting 300 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain neuschool.app
Challenge failed for domain neuschool.app
dns-01 challenge for neuschool.app
dns-01 challenge for neuschool.app
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: neuschool.app
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.neuschool.app
   Domain: neuschool.app
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.neuschool.app
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx 1.17.9

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: I have my own server. My DNS provider is Cloudflare and my domain registrar is Google Domains

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto 1.4.0

Here are the TXT records that it is automatically adding:

Hi @kelvin-neustack

Checking your domain, there is no TXT entry visible - https://check-your-website.server-daten.de/?q=neuschool.app#txt

anna.ns.cloudflare.com is your primary name server.

No, not visible.

It is because the plugin removes them. I just ran it again and stopped it after it generated the TXT records so that you can see them. Try again.

Am I doing anything wrong?

Maybe.

It looks like you’re doing everything right to me.

Could you have multiple Cloudflare accounts, with the same zone configured, and you’re updating the wrong one?

Cloudflare’s status page showed that there were DNS update delays when you posted this thread – that’s probably the cause. Normally they update within a few seconds (sleeping for 300 seconds is more than enough), but that status post says they were delayed up to an hour, which would obviously be a problem. :grin:

There are worse problems with the API now, so trying again now might work, or might produce different errors.

Can you try again once their status page isn’t on fire?

Edit: I had only skimmed the status page, but someone pointed out to me that “DNS Updates” is “Offline”, so trying right now would very likely not work for you!
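The validator only sees what the zone's authoritative name servers publish, so the most direct check during a delay like this is to ask those servers (anna.ns.cloudflare.com was named above) for the _acme-challenge TXT record instead of relying on a fixed propagation wait. The script below is an added example, not code from this thread, Certbot or Cloudflare; it uses only the Python standard library to send a raw TXT query over UDP/53 and parse the answer, and the server address, timeout and record contents are assumptions.

```python
import socket
import struct

def build_txt_query(name, txid=0x1234):
    """Build a minimal DNS query (RD set) for the TXT records of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            end = end or off + 2             # the pointer field itself is two bytes
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), end or off

def parse_txt_answers(msg):
    """Return (rcode, [TXT strings]) from a DNS response; rcode 3 is NXDOMAIN."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                 # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    txts = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:                      # rdata: sequence of length-prefixed strings
            p = off
            while p < off + rdlen:
                txts.append(msg[p + 1:p + 1 + msg[p]].decode())
                p += 1 + msg[p]
        off += rdlen
    return flags & 0xF, txts

def query_txt(name, server, timeout=3.0):
    """Ask one name server directly (UDP/53) for the TXT records of `name`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (server, 53))
        return parse_txt_answers(s.recv(4096))
```

Run it while the plugin's record is still in place, once per name server of the zone, e.g. `query_txt("_acme-challenge.neuschool.app", socket.gethostbyname("anna.ns.cloudflare.com"))`. An rcode of 3 or an empty list from an authoritative server means the record has not been published there yet, which is exactly what the "No TXT record found" error reports, and a longer sleep will not help until it is.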


Yeah I did see that but this has been happening since yesterday. Nevertheless, I will wait until the status page says they’re back to normal and I will try again.

So this ended up being an issue with the Cloudflare DNS service, which had several production issues. Thank you very much for the support.
