Certbot keeps receiving outdated challenge TXT record value

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ftp.netexsw.com/ftp.netex.com

I ran this command: certbot certonly --manual --preferred-challenges dns -d ftp.netexsw.com -d ftp.netex.com

It produced this output:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: ftp.netexsw.com
Type: unauthorized
Detail: Incorrect TXT record "YNS-9YBndPa-aWcBJFvHenFgVd0wbAmuBLj6SkD3VzQ" found at _acme-challenge.ftp.netexsw.com

My web server is (include version): Apache 2.4.37-65.module_el8.10.0+3872+9b8ab21e.1

The operating system my web server runs on is (include version): AlmaLinux 8 with all available updates

My hosting provider, if applicable, is: self-hosting

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

I'm trying to generate a new cert using the above command. The first time I ran the command, the TXT record validation for "ftp.netex.com" passed but the TXT record validation for "ftp.netexsw.com" failed. I'm pretty sure it is because I did not wait long enough for Network Solutions to push out the DNS record creation.

I tried to rerun the command and it spit out a new TXT validation string for ftp.netexsw.com. After editing the corresponding challenge TXT record to match the new string and using the suggested Google Admin Toolbox command to confirm that the TXT record displays the new string, I hit enter to move forward but it keeps saying it found the same invalid TXT record.

Why does Certbot continue to report an incorrect string despite the Google Admin Toolbox command showing that I have the correct/current string for that text record?

Thanks in advance!

1 Like

Hi @jskntx, and welcome to the LE community forum :slight_smile:

You may need to wait a little longer after updating the TXT record for all the authoritative DNS servers to synchronize before you "continue".

3 Likes

I guess I have a follow-up question:

I have another host that's running an older version of the certbot client (certbot 1.22.0) under AlmaLinux 8. It's been running that way since I deployed that system a couple years ago. I've never had a problem with the timing of updates to these TXT challenge records.

I did not know until I was getting ready to migrate the host I'm having problems with from a NetSol cert to Let's Encrypt that the old Certbot client was being deprecated for this newer snap-based one. So, I will need to migrate my older host to this newer Certbot.

Was there a change between that older client and this new snap-based one that might have had an effect on the timing or method of these DNS record checks, or have I just been lucky that I hadn't run into this timing problem previously? I only ask because I just tend to leave these TXT records out there and will update the value field when I've needed to renew a cert.

FWIW, my DNS provider is Network Solutions.

Thanks in advance.

1 Like

My issue was definitely due to the timing of the DNS challenge record change being pushed out to global DNS servers.

I reran my cert generation command this morning and after waiting a sufficiently long period of time (TTL=15 minutes), the cert generation completed successfully.

1 Like

Glad it worked. Just want to note that the TTL settings do not affect Let's Encrypt queries. LE looks directly at the authoritative DNS servers and is not subject to TTL propagation.

LE is affected if the auth DNS servers are slow to sync amongst themselves, which is what rg305 said earlier. Sounds like your provider is on the slow side because usually that takes less than a minute.

6 Likes
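The distinction drawn in the reply above (authoritative-server sync, not resolver TTL) is exactly what the Google Admin Toolbox check cannot show, because it asks a recursive resolver. The added example below is not from the thread or from Certbot: it sends a raw TXT query to each authoritative server directly, parses the wire-format answer with only the standard library, and reports which servers still lack the current token. The nameserver names and the stale token are taken from the thread; the new token and the responses in SAMPLE are constructed for the offline demonstration.

```python
import socket
import struct

def build_txt_query(name: str) -> bytes:
    """Minimal DNS query packet: header (RD set), QNAME, QTYPE=TXT(16), QCLASS=IN."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 16, 1)

def _skip_name(msg: bytes, off: int) -> int:
    # Offset just past a wire-format name; a compression pointer (0xC0..) ends the name in 2 bytes.
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_txt_answers(msg: bytes) -> list[str]:
    """TXT strings from the answer section (character-strings of one RR are concatenated)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, values = 12, []
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:
            rdata, pos, chunks = msg[off:off + rdlen], 0, []
            while pos < len(rdata):
                chunks.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode())
                pos += 1 + rdata[pos]
            values.append("".join(chunks))
        off += rdlen
    return values

def query_txt(ns_ip: str, name: str, timeout: float = 3.0) -> list[str]:
    # Ask one authoritative server over UDP: no recursive resolver, so no cache TTL in the way.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (ns_ip, 53))
        return parse_txt_answers(s.recv(4096))

def lagging_servers(expected: str, answers: dict[str, list[str]]) -> list[str]:
    # Servers whose TXT set does not yet contain the current challenge token.
    return sorted(ns for ns, txts in answers.items() if expected not in txts)

def sample_response(name: str, txt: str) -> bytes:
    # Constructed reply (not captured from any real server) so the parser runs offline.
    rdata = bytes([len(txt)]) + txt.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 900, len(rdata)) + rdata  # name = pointer to QNAME
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_txt_query(name)[12:] + answer

OLD, NEW = "YNS-9YBndPa-aWcBJFvHenFgVd0wbAmuBLj6SkD3VzQ", "NEW-TOKEN-PLACEHOLDER"  # stale token from the thread
SAMPLE = {ns: parse_txt_answers(sample_response("_acme-challenge.ftp.netexsw.com", tok))
          for ns, tok in {"ns35.worldnic.com": NEW, "ns36.worldnic.com": NEW,
                          "ns53.worldnic.com": OLD, "ns54.worldnic.com": NEW}.items()}
```

Against live servers, replace SAMPLE with `{ns: query_txt(ip, name) for ns, ip in ...}` using the NS IPs from the nslookup output later in the thread, and only press "continue" in Certbot once `lagging_servers(token, answers)` is empty.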

Thanks for the clarification!

Like I said in my original response to rg305, this was the first time I've run into a timing issue when changing the challenge TXT record through NetSol.

Maybe they were having a slow day. :man_shrugging:

They seem to be prone to "mysterious" issues. :rofl:

3 Likes

Yes, yes they do :slight_smile:

6 Likes

And their IPs are from...
Cloudflare

ns35.worldnic.com       internet address = 162.159.26.212
ns36.worldnic.com       internet address = 162.159.27.146
ns53.worldnic.com       internet address = 162.159.26.165
ns54.worldnic.com       internet address = 162.159.27.8


5 Likes

Oh, good to know. Thanks!

3 Likes
