Certbot renewal failed to authenticate some domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

This has been working for several years. Auto-renews on schedule. Last successful renewal January 1 2025.

My domain is: travelteam-kc.com

I ran this command: certbot renew

It produced this output:

Certbot failed to authenticate some domains (authenticator: dns-godaddy). The Certificate Authority reported these problems:
Domain: travelteam-kc.com
Type: unauthorized
Detail: Incorrect TXT record "5WMESMLzhHURfcrskgp55R5L2_tZash9WEQFjAl_5Fg" (and 31 more) found at _acme-challenge.travelteam-kc.com

Domain: travelteam-kc.com
Type: unauthorized
Detail: Incorrect TXT record "pShR6Vrdm5TPmyXZh_e61HV3HhCqv4QYdjMAB8JGeV8" (and 31 more) found at _acme-challenge.travelteam-kc.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-godaddy. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-godaddy-propagation-seconds (currently 900 seconds).

Failed to renew certificate travelteam-kc.com with error: Some challenges have failed.

My web server is (include version): NA - used for multiple internal servers

The operating system my web server runs on is (include version): Red Hat 8.9

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes for GoDaddy DNS, CLI for my certificate requesting host.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

Welcome @dmlash49

I see a renewal on Mar 11 (link here). That doesn't affect anything, just wondering about the discrepancy.

The DNS plugin you use is not deleting the prior TXT record value after the challenge. You now have too many and Let's Encrypt fails. Below is a quote from here: Challenge Types - Let's Encrypt

However, you should make sure to clean up old TXT records, because if the response size gets too big Let’s Encrypt will start rejecting it.

Below is a partial display of your TXT records. You need to delete them and find out why your DNS plugin is not deleting them each time.

dig TXT _acme-challenge.travelteam-kc.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> TXT _acme-challenge.travelteam-kc.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31867
;; flags: qr rd ra; QUERY: 1, ANSWER: 32, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "h6MgbpWf2jQxIaoMTQGeK7S5qbnVYXXVlmWv34HTWDs"
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "ujp-g5P0slwPIMaQhDRE4W-K8ZsZozFpX5LChUw83oM"
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "CgdN8J2CLK7FnKlPWod7B1TKUGX9LaCfAM_kNUrkiqc"
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "SyVkfyLVjleBTaEyNp5P8yXynu6nPs7685r7jIyWiyA"
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "Fo3WS3Gg3tr02AxiovCZusofbLQ0L_rXUQ3oarT_WIw"
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "CC3rjD_wcmVQiVQU2I_YNTNg6-a_7ZcK4_jdsMw5o5Y"
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "ZmGROttNJRLG2kTyjHLPU0xCqLHjmuxBCr3M8HHpckI"
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "Hrp6PQZNbrjcCJzHVUEQ7FZ_ICcTV3nPVgbaG1tW8A4"
_acme-challenge.travelteam-kc.com. 3422 IN TXT  "lVJ1PcyVuTniTReeubtNcREt16mKpSI5i_8TAb0G5rk"
(... rest omitted ...)
2 Likes

Thanks for this - I have cleared the TXT records and attempted renewal again getting this response:
[root@webhost1 ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/travelteam-kc.com.conf


Failed to renew certificate travelteam-kc.com with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/travelteam-kc.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Suggestions?

Hi Mike,

Thanks for this! Cleared the TXT records from DNS and re-tried. Posted the failure result in the online stream and again below.

I think the March renewal must have failed mid-stream as the latest certs in my "live" folder are time-stamped Jan 1.

[root@webhost1 ~]# certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/travelteam-kc.com.conf


Failed to renew certificate travelteam-kc.com with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.


All renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/travelteam-kc.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

I checked the LE status link and all systems appear to be healthy at your end.

Thanks for any further advice.

David

Hmm. No, a cert was issued in Mar. Your domain even uses it for HTTPS requests: SSL Checker

Let's see the output of this:

sudo certbot certificates

I have a feeling you have a wider variety of certs like some with -0001 or -0002 in their name.

Let's Encrypt isn't posting an outage yet. Sometimes those happen anyway. Does it repeat?

Let's address that after we sort out your cert issue (Jan, Mar or otherwise). I think something got messed up there.

2 Likes

LE just posted an outage report: Let's Encrypt Status

We can still review your system and use the LE Staging system to test. Just letting you know this outage will resolve without your actions.

2 Likes

Hi Mike,

Here’s the certbot output:

[root@webhost1 ~]# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Found the following certs:

Certificate Name: travelteam-kc.com
Serial Number: 3b15be8569d2c8709a3c2584d92cf2457ed
Key Type: RSA
Domains: *.travelteam-kc.com travelteam-kc.com
Expiry Date: 2025-04-01 08:59:56+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/travelteam-kc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/travelteam-kc.com/privkey.pem

Our website doesn’t use these certs – it’s hosted at Wix and they provide the cert for it. We use these for trust internally and for our own remote access.

Here is a fresh attempt – still not happy:

Renewing an existing certificate for *.travelteam-kc.com and travelteam-kc.com

Waiting 900 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-godaddy). The Certificate Authority reported these problems:

Domain: travelteam-kc.com

Type: dns

Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.travelteam-kc.com - check that a DNS record exists for this domain

Domain: travelteam-kc.com

Type: dns

Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.travelteam-kc.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-godaddy. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-godaddy-propagation-seconds (currently 900 seconds).

Failed to renew certificate travelteam-kc.com with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/travelteam-kc.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

I may have cleaned up too thoroughly as I removed all the _acme-challenge TXT records. Do we need a 'seed record' in there for starters? It's so long since I set this up I've forgotten how that went.

Best,

David

Well, now we know why your plugin was not deleting TXT records. It can't ADD them either.

About a year ago GoDaddy started restricting API access to its DNS system. Is it possible they have restricted it further and it now affects you? We saw many people affected back then. This is one of the better threads on that: Getting unauthorized URL error while trying to get cert for subdomains - #5 by adorobis

No you don't. The normal case is to add one, satisfy the challenge and delete it. At the beginning of each cert challenge there typically isn't any.

Which GoDaddy DNS plugin are you using? Because this one (link here) says it needs Certbot 2.7.4 which is much later than the one you have. Unless you are using an older plugin too I suppose :slight_smile:

Is there any info in the /var/log/letsencrypt/letsencrypt.log ? It is very long but you might be able to see something from this DNS plugin. Copy it to a .txt file and upload if you want us to look.

You could also try this command. It will pause and let you check the DNS records before sending the challenge to Let's Encrypt (in this case to the LE Staging test system):

sudo certbot renew --dry-run --debug-challenges -v

Use any DNS query tool, or even your own DNS control panel if it shows TXT records.

3 Likes
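An added check for the two DNS states seen in this thread: the build-up of leftover TXT values in the dig output earlier (32 answers, ";; Truncated, retrying in TCP mode") and the empty label (NXDOMAIN) you would want to catch at the --debug-challenges pause. This is example code written for this thread, not code from certbot, the dns-godaddy plugin or the posters: it parses a `dig TXT` transcript, counts the values at the `_acme-challenge` label, and estimates whether the plain-UDP answer would exceed the classic 512-byte limit. The domain and TXT values are constructed sample data, the sizing ignores the EDNS OPT record, and `expected=2` assumes an apex + wildcard order as in this case.

```python
import base64
import hashlib
import re
# Wire-format sizing for a TXT answer (RFC 1035); approximate, ignores the EDNS OPT record.
DNS_HEADER_BYTES = 12
CLASSIC_UDP_LIMIT = 512  # above this a plain-UDP answer is truncated and dig retries over TCP
RR_FIXED_BYTES = 2 + 2 + 2 + 4 + 2  # compressed name pointer + TYPE + CLASS + TTL + RDLENGTH
RECORD_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+"([^"]*)"\s*$', re.M)

def build_sample_dig(n, name="_acme-challenge.example.com"):
    """Constructed dig-style transcript with n DNS-01 style TXT values (sample data, not a real zone)."""
    lines = [";; Truncated, retrying in TCP mode."] if n > 8 else []
    lines.append(";; ANSWER SECTION:")
    for i in range(n):
        # A DNS-01 value is base64url(SHA-256(key authorization)) without padding: 43 characters.
        digest = hashlib.sha256(f"constructed-token-{i}".encode()).digest()
        value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
        lines.append(f'{name}. 3422 IN TXT  "{value}"')
    return "\n".join(lines) + "\n"

def parse_txt_records(dig_output):
    """Return (owner, value) pairs from the ANSWER SECTION of a `dig TXT` transcript."""
    return [(m.group(1).rstrip("."), m.group(2)) for m in RECORD_RE.finditer(dig_output)]

def wire_name_len(name):
    """Length in bytes of an uncompressed domain name in DNS wire format."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".") if label) + 1

def estimate_response_size(records):
    """Approximate byte size of the UDP answer carrying every TXT value (one <character-string> each)."""
    if not records:
        return DNS_HEADER_BYTES
    question = wire_name_len(records[0][0]) + 4  # QNAME + QTYPE + QCLASS
    answers = sum(RR_FIXED_BYTES + 1 + len(value) for _, value in records)
    return DNS_HEADER_BYTES + question + answers

def audit_acme_challenge(dig_output, expected=2):
    """Flag a challenge label with more TXT values than one order needs (expected=2:
    an apex + wildcard order validates both names at the same label, as in this thread)."""
    records = parse_txt_records(dig_output)
    size = estimate_response_size(records)
    return {
        "records": len(records),            # 0 here matches the NXDOMAIN failure above
        "stale": len(records) > expected,   # leftovers the plugin should have deleted
        "approx_bytes": size,
        "exceeds_udp_512": size > CLASSIC_UDP_LIMIT,
        "truncated_seen": ";; Truncated" in dig_output,
    }
```

Feed it the real transcript with `audit_acme_challenge(open("dig.txt").read())` after saving the dig output to a file.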