Can't generate my Wildcard Certificate by DNS-01 challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: ./certbot-auto certonly --manual --preffered-challenges dns-01 --server

It produced this output:
Challenge failed for domain
dns-01 challenge for
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Incorrect TXT record
    “OcTk21wyPfuM6_KPok4lBAgtmgtwn7_T6CYEMsHU3NE” (and 1 more) found at

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    root@abromarina:/etc/certbot# ./certbot-auto certonly --manual --preferred-challenges dns-01 --server
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
    to cancel): *
    Cert is due for renewal, auto-renewing…
    Renewing an existing certificate
    Performing the following challenges:
    dns-01 challenge for

My web server is (include version): Apache Lounge 2.4

The operating system my web server runs on is (include version): Windows Server 2016 Standart

My hosting provider, if applicable, is: Rostelecom

I can login to a root shell on my machine (yes or no, or I don’t know): yes (of course)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): none

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): CertBot 0.40.1

I can’t generate my certificates already for 2 days.

“nslookup -q=TXT” shows me right information but certbot says “NOT”! Why???

Hi @abromarina

checking your domain there is a new Letsencrypt certificate -

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-11-19 2020-02-17 *, - 2 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-09-17 2019-12-16 *, - 2 entries

And you use it:

expires in 90 days	*, - 2 entries

Looks like you have found a solution.

But one of your TXT entries is wrong:

The first entry is good. The second is too long.

It’s just a luck) Just I’ve tried too many times and it’s OK. But That’s not good that I have to try so many times for getting my certificate. Maybe Do U know how to get it for less times?

DNS challenge is good if your dns provider has an API and if there is an ACME-client with API-support.

So the main question: Supports your dns provider an API? has a lot of dns options.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.