Certbot failed to authenticate some domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cypherintel.com

I ran this command: sudo certbot certonly --manual --preferred-challenges dns --email support@riskcognizance.com --agree-tos --no-eff-email -d cypherintel.com -d compliance.cypherintel.com

It produced this output: sudo certbot certonly --manual --preferred-challenges dns --email support@riskcognizance.com --agree-tos --no-eff-email -d cypherintel.com -d compliance.cypherintel.com

My web server is (include version): LiteSpeed/1.8.4 Open (BUILD built: Tue Nov 4 13:44:54 UTC 2025)
module versions:
lsquic 4.3.1
modgzip 1.1
cache 1.66
mod_security 1.4 (with libmodsecurity v3.0.14)

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Cyberpanel version": "2.4", "build": "4"

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

You seem to have pasted the same thing for both.
Please provide the output that command produced.

root@ip-172-31-91-223:~# sudo certbot certonly --manual --preferred-challenges dns --email support@riskcognizance.com --agree-tos --no-eff-email -d cypherintel.com -d compliance.cypherintel.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for cypherintel.com and compliance.cypherintel.com


Please deploy a DNS TXT record under the name:

_acme-challenge.compliance.cypherintel.com.

with the following value:

e-WJUNcgFIMHpEjTdg-EaTS5Egdwtc5ESp1sDS7Z8W8


Press Enter to Continue


Please deploy a DNS TXT record under the name:

_acme-challenge.cypherintel.com.

with the following value:

IhJonoT88CHvozkTt7QFs42Z-MFQh0CeYV7NbDZV_ME

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: Dig (DNS lookup).
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: compliance.cypherintel.com
Type: unauthorized
Detail: Incorrect TXT record "AQhtN7ylqlNfd0JJ6QrAtlsJVAzkmpw717_ELFajNGA" found at _acme-challenge.compliance.cypherintel.com

Domain: cypherintel.com
Type: unauthorized
Detail: Incorrect TXT record "OHOVZaBc9E0PSV0Jrw7i1F9FwWHVf2OazBj0fwnqlzM" found at _acme-challenge.cypherintel.com

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Probably DNS propagation delays. It should "tolerate" incorrect records as long as it finds one correct.

Do you have a DNS provider, or do you host DNS yourself? If you host DNS yourself you should be able to force a transfer from your slaves, or even better, point the master and slave IP to the same machine, thus bypassing registrar limitations like "at least 2 DNS servers" but still having one DNS server.

DNS: GoDaddy. Propagation doesn't seem to be the issue.

Public Digs

But, that isn't the value that Let's Encrypt saw when it checked that record. In fact, that "wrong" record value shown is still present in your DNS TXT record.

See: https://unboundtest.com/m/TXT/_acme-challenge.compliance.cypherintel.com/3WXSGLVY

I have no response with the above, can you confirm where this came from?

From post #3. It was output from Certbot giving you instructions what to do. It was your post.

It seems like GoDaddy has too many DNS servers and only half of them have updated. Thus, corroboration fails even if a few return the right record.

Seriously. Godaddy is crap as DNS. Host your own DNS instead.

I don't know if you have full control of compliance.cypherintel.com, since that CNAMEs to cypherintel.riskcognizance.com

But if you have, you can easily make it so that, for example, 172.67.72.8:53 --DNAT--> 141.193.213.10:53

Then you put your DNS records like this:
cypherintel.com IN NS ns1.cypherintel.com
ns1.cypherintel.com IN A 141.193.213.10
cypherintel.com IN NS ns2.cypherintel.com
ns2.cypherintel.com IN A 172.67.72.8

Then just host ONE single DNS server on 141.193.213.10

Then any updates you do, will go live instantly.

It is worth asking why they are doing a manual DNS challenge at all. Automation should be the goal.

Further, both their domains look to point at different services that both rely on Cloudflare. It would be worth understanding more about what they will use this cert for and perhaps offer a better solution.

It might just be for a custom domain for those services. In which case asking those services what kind of automated method they recommend for getting certs. If they could find a way to set something up to use Cloudflare's Origin CA cert, for example, might be a great fit.
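
A pre-flight check for the failure discussed in this thread, added here as an example and not part of any post above: before pressing Enter in Certbot, ask every authoritative nameserver directly and confirm each one serves the expected `_acme-challenge` value rather than only an older one. The two token values are the ones quoted in the thread; the nameserver names and the sample answers are constructed, and `live_answers` assumes `dig` is installed.

```python
import subprocess

# Values quoted on this page: the TXT Certbot asked for, and the one the CA found.
EXPECTED = "e-WJUNcgFIMHpEjTdg-EaTS5Egdwtc5ESp1sDS7Z8W8"
STALE = "AQhtN7ylqlNfd0JJ6QrAtlsJVAzkmpw717_ELFajNGA"

def parse_txt(dig_short_output):
    """Turn `dig +short TXT` output into the set of TXT record values."""
    values = set()
    for line in dig_short_output.splitlines():
        line = line.strip()
        if line.startswith('"'):  # skips CNAME targets and blank lines
            # A long record is printed as several quoted chunks; join them.
            values.add("".join(line.split('"')[1::2]))
    return values

def audit(expected, answers):
    """answers: {nameserver: set of TXT values}. Returns a status per server."""
    report = {}
    for ns, values in answers.items():
        if expected in values:
            report[ns] = "ok"          # other values may sit beside it
        elif values:
            report[ns] = "stale-only"  # answers, but only with other values
        else:
            report[ns] = "missing"
    return report

def ready(report):
    """True only when every authoritative server serves the expected value."""
    return bool(report) and all(status == "ok" for status in report.values())

def live_answers(zone, name):
    """Query each authoritative server of `zone` directly (needs dig + network)."""
    def dig(*args):
        return subprocess.run(["dig", "+short", *args], capture_output=True,
                              text=True, timeout=15).stdout
    servers = [ns.rstrip(".") for ns in dig("NS", zone).split()]
    return {ns: parse_txt(dig("TXT", name, "@" + ns)) for ns in servers}

# Constructed sample answers (hypothetical nameserver names), runs offline.
SAMPLE = {
    "ns1.example.net": parse_txt(f'"{STALE}"\n"{EXPECTED}"\n'),
    "ns2.example.net": parse_txt(f'"{STALE}"\n'),
    "ns3.example.net": parse_txt(""),
}

if __name__ == "__main__":
    print(audit(EXPECTED, SAMPLE), "ready:", ready(audit(EXPECTED, SAMPLE)))
```

For a live check, pass the result of `live_answers("cypherintel.com", "_acme-challenge.cypherintel.com")` to `audit` and continue in Certbot only once `ready` returns true.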