My domain is:
I ran this command:
certbot certonly --manual -d '*.tor-ns8ds.com' -d tor-ns8ds.com --preferred-challenges dns-01 --dry-run --manual-auth-hook ./plugin.sh
It produced this output:
Failed authorization procedure. tor-ns8ds.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "4uqZprjIo0sN852JlcNjqBS-La764UM7_mPfXehXHxI" (and 1 more) found at _acme-challenge.tor-ns8ds.com
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I am currently developing a script to be used with the --manual-auth-hook option. Because the certificate has both the domain and the wildcard domain, the script gets called twice with a separate validation token for each. The script handles this accordingly, such that it remembers the token from the first time it is called, and the second time it is called, it sets 2 TXT records for _acme-challenge.tor-ns8ds.com, one for each token.
When I set up another domain with the dns-01 challenge manually, this is essentially what I did: when it spit out the first token, I immediately hit enter to get the 2nd token, then set the actual DNS record with those tokens before hitting enter again. At that point, the DNS authorization would occur, and everything worked fine.
However, with the --manual-auth-hook option, I can see the script receiving the 2 tokens, then setting the DNS records (verified with dig), but the authorization fails anyway. I’ve tried making the hook script sleep (up to 30s), thinking there might need to be some kind of propagation, but that had no effect.
At this point, the only straw I’ve got to grasp at is some sort of TTL issue with my DNS server. That doesn’t sound like a winner right away, because I had the dns authorization succeed on another domain multiple times in a row (live mode) when I was setting the DNS records the same way and the TTL didn’t cause me an issue there, even though the TTL was much longer than it took me to change the DNS records.
Is it possible I have some incompatible combination of bits that I’m just not seeing? It sure seems like the dns01 authorization should succeed when I can see with my own eyes that the TXT records exist, but I only recently started using certbot, so I could definitely just be missing something obvious.
Either way… thanks for reading this far! Any help is incredibly appreciated!
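The two-call behaviour described in the post, as an added example of a manual-auth hook (not the poster's plugin.sh): each call records its CERTBOT_VALIDATION value in a state file, the final call (CERTBOT_REMAINING_CHALLENGES equal to 0) publishes all recorded values and polls dig until they are visible instead of sleeping a fixed time. The publish_txt body and the CERTBOT_STATE_DIR location are assumptions to be replaced with the DNS provider's own update command.

```shell
#!/bin/sh
# Added example of a certbot --manual-auth-hook; not the poster's plugin.sh.
# certbot runs the hook once per name, so "-d *.example -d example" means two
# calls with two different CERTBOT_VALIDATION values, and both must be TXT
# records at _acme-challenge.example before the last call returns.
set -eu
STATE_DIR="${CERTBOT_STATE_DIR:-/tmp/certbot-hook}"   # assumed location

# Remember one validation value for a base name (the "*." is stripped so the
# wildcard and the apex share one state file and one TXT record name).
record_validation() {
    base=${1#\*.}; mkdir -p "$STATE_DIR"
    printf '%s\n' "$2" >> "$STATE_DIR/$base.txt"
}

# Print every value recorded so far for a base name, one per line.
recorded_validations() { cat "$STATE_DIR/${1#\*.}.txt"; }

# Compare the expected values (newline separated) with what dig printed.
# Prints each value still missing; status 0 only when all are present.
missing_values() {
    rc=0
    for v in $1; do
        case "$2" in *"$v"*) ;; *) printf '%s\n' "$v"; rc=1 ;; esac
    done
    return $rc
}

# Assumed placeholder: replace with the DNS provider's record-creation call.
publish_txt() { echo "publish TXT _acme-challenge.$1 = $2" >&2; }

# Entry point, reached only when certbot invoked the script.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    # The TXT value is CERTBOT_VALIDATION (the key-authorization digest),
    # not CERTBOT_TOKEN.
    record_validation "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    base=${CERTBOT_DOMAIN#\*.}
    # CERTBOT_REMAINING_CHALLENGES is 0 on the final call for the certificate.
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
        expected=$(recorded_validations "$base")
        for v in $expected; do publish_txt "$base" "$v"; done
        i=0   # poll until the records are visible rather than sleeping blindly
        while [ $i -lt 30 ]; do
            missing_values "$expected" "$(dig +short TXT "_acme-challenge.$base")" >/dev/null && break
            sleep 2; i=$((i + 1))
        done
        rm -f "$STATE_DIR/$base.txt"
    fi
fi
```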