Certbot not accepting provided Expected Value

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: paivi.biz

I ran this command: sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.paivi.biz -d paivi.biz -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for *.paivi.biz and paivi.biz
Performing the following challenges:
dns-01 challenge for paivi.biz
dns-01 challenge for paivi.biz
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py


Challenges loaded. Press continue to submit to CA.
The following FQDNs should return a TXT resource record with the value
mentioned:

FQDN: _acme-challenge.paivi.biz
Expected value: 3gYpNu4hDR01m-3dupo4JE4QJXSVOAnq_fpI1Pa0cZo


Press Enter to Continue

Waiting for verification...
Challenge failed for domain paivi.biz

dns-01 challenge for paivi.biz

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: paivi.biz
Type: unauthorized
Detail: Incorrect TXT record "3gYpNu4hDR01m-3dupo4JE4QJXSVOAnq_fpI1Pa0cZo" found at _acme-challenge.paivi.biz

Cleaning up challenges
Some challenges have failed.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: 123reg.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.2.0

Looking at the --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py part, you seem to be wanting to use "acme-dns". But usually that works with a CNAME to "redirect" the DNS request to the acme-dns instance.

However, I do not see any CNAME, just the TXT RR. Can you explain more about the usage of acme-dns?

That said, I don't know why the validation server would complain about a value that seems to be equal to the expected value..?

Also, with regard to the "Certbot not accepting" part: Certbot is just the ACME client and does not perform the validation. It just outputs the error message from the ACME server. Thus it's not Certbot that's not accepting anything.

2 Likes

Hi, thank you for your response. I initially tried with CNAME but it raised an error that the TXT record was not present. Hence why it is set up with TXT. I have just changed it back to CNAME to double check and it has returned the same error.
Why am I using acme-dns-auth.py? That is the tutorial I found on how to do this. I am happy to try another approach if you can recommend one please.
I am curious why Certbot does not go ahead and generate the cert after receiving the value. It clearly acknowledges receiving it.

I have just tried again with the following command and received the same error:

sudo certbot certonly --manual --preferred-challenges dns -d "*.paivi.biz"

This is not using the acme-dns-auth.py tool this time.

Did you understand what the tutorial was teaching you? :slight_smile:

Certbot does not generate any certificate, that also is the job of the ACME server.. Please understand the difference and use the different parts of the ACME process correctly. Otherwise it's quite confusing.

Manually getting a cert should work.. I don't know why Let's Encrypt would complain about the value being incorrect while being correct.. Maybe some other volunteer knows this behaviour and knows what to do :man_shrugging:

2 Likes

A new --manual request should need a new TXT value. I see the same TXT value as before.

This is the answer from unboundtest right now: https://unboundtest.com/m/TXT/_acme-challenge.paivi.biz/GWQXYEIN

;; ANSWER SECTION:
_acme-challenge.paivi.biz.	0	IN	TXT	"3gypnu4hdr01m-3dupo4je4qjxsvoanq_fpi1pa0czo"
_acme-challenge.paivi.biz.	0	IN	RRSIG	TXT 13 3 1800 20250319183903 20250304183903 60134 paivi.biz. /MIOKzfQQRqrnDoknu4HvFgt3CS/Yc1UnwdqVXJ+Liu6j2Yp2s9EIZ9zD05ejdn5fGUrsrq6a3OAFKJs5GWy5w==

Also, the TXT value is all lower case letters. That is unusual and normally points to a problem with your DNS replies.

2 Likes

I think the error on the last occasion was due to copy and paste. I have regenerated the Expected Value and repeated the process. Unfortunately the result is the same, see details below:-

COMMAND :- sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.paivi.biz -d paivi.biz -v

Password:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for *.paivi.biz and paivi.biz
Performing the following challenges:

dns-01 challenge for paivi.biz

Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py


Challenges loaded. Press continue to submit to CA.
The following FQDNs should return a TXT resource record with the value
mentioned:

FQDN: _acme-challenge.paivi.biz

Expected value: EGBvfW5PaxVotBoij7_yBBW3IVcQYwtedqLcBESdcNA


Press Enter to Continue
Waiting for verification...
Challenge failed for domain paivi.biz

dns-01 challenge for paivi.biz

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: paivi.biz
Type: unauthorized
Detail: Incorrect TXT record " EGBvfW5PaxVotBoij7_yBBW3IVcQYwtedqLcBESdcNA" found at _acme-challenge.paivi.biz

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Cleaning up challenges
Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

You should probably try one without using the manual auth hook and place the TXT values manually. Use https://unboundtest.com to check the correct value appears. Once you see that cert request work you can start to debug the acme-dns parts.

Right now the TXT value has a leading space and doesn't match either value shown above. There should not be a space and not sure how this could appear based on your prior command

https://unboundtest.com/m/TXT/_acme-challenge.paivi.biz/WDZR4AV4

2 Likes
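The two replies above point at the same class of failure: the CA compares the TXT string byte-for-byte with the value Certbot printed, so an all-lower-case copy (the first unboundtest answer) or a leading space (the second) is a different string and fails with "Incorrect TXT record". The checker below is an added example, not code from the thread, from Certbot or from acme-dns; it does no live DNS lookup. You paste in the "Expected value" line from Certbot and the TXT strings a resolver returned (for example the ANSWER SECTION from unboundtest or `dig TXT _acme-challenge.example.com`), and it tells you whether the mismatch is whitespace, letter case, copied presentation quotes, or a stale token from an earlier run. The sample inputs at the bottom reuse the two values shown in this thread.

```python
"""Diagnose why an ACME dns-01 TXT record does not match Certbot's expected value.

Added example (not from the thread, Certbot or acme-dns). Offline only: feed it
the TXT strings your resolver returned plus the "Expected value" Certbot printed.
"""
import base64
import hashlib
import re

# RFC 8555 section 8.4: the TXT value is base64url(SHA-256(key authorization))
# without padding, so a well-formed token is 43 characters of [A-Za-z0-9_-].
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def dns01_txt_value(key_authorization: str) -> str:
    """Compute the TXT value a CA expects for a given key authorization string."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def looks_like_dns01_token(value: str) -> bool:
    """True if the string has the exact shape of a dns-01 token (no spaces, 43 chars)."""
    return TOKEN_RE.fullmatch(value) is not None


def classify(expected: str, observed: str) -> str:
    """Classify one observed TXT string against Certbot's expected value.

    Returns one of: match, quoted, whitespace, case, stale.
    Only "match" will validate at the CA; "quoted" means the surrounding double
    quotes are dig/unboundtest presentation format, which is fine, unless they
    were literally typed into the DNS record, which is not.
    """
    if observed == expected:
        return "match"
    s = observed
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
        if s == expected:
            return "quoted"
    if s.strip() == expected:
        return "whitespace"  # leading/trailing space from copy-and-paste
    if s.strip().lower() == expected.lower():
        return "case"        # the DNS provider or resolver path lower-cased it
    return "stale"           # a different token, e.g. from an earlier certbot run


def diagnose(expected: str, observed_values) -> dict:
    """Summarise every TXT string seen at _acme-challenge.<domain>."""
    verdicts = {v: classify(expected, v) for v in observed_values}
    return {
        "expected_well_formed": looks_like_dns01_token(expected),
        "would_validate": "match" in verdicts.values(),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    # Constructed inputs: the two expected values and resolver answers from the thread.
    cases = [
        ("EGBvfW5PaxVotBoij7_yBBW3IVcQYwtedqLcBESdcNA",
         [" EGBvfW5PaxVotBoij7_yBBW3IVcQYwtedqLcBESdcNA"]),
        ("3gYpNu4hDR01m-3dupo4JE4QJXSVOAnq_fpI1Pa0cZo",
         ['"3gypnu4hdr01m-3dupo4je4qjxsvoanq_fpi1pa0czo"']),
    ]
    for expected, seen in cases:
        print(expected, "->", diagnose(expected, seen))
```

Run it after each `--manual` attempt with the freshly printed value: a "stale" verdict means the record still holds the previous run's token (each run generates a new one), "whitespace" means the paste picked up a space, and "case" means the provider's zone editor or an intermediate resolver altered the record, which no amount of waiting for propagation will fix.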

Sorry, I copied the wrong section. It has been corrected above.

Thank you, I have finally done it. For the record, a blank space during cut and paste was the problem. Thanks for your help :wink:

1 Like