Dns-01 challenge failing for only one specific domain

I'm at my wit's end on this -- this wildcard renewal with dns-01 challenges has worked for years without fail. I've verified that the _acme-challenge TXT record is added and visible from both a local host as well as external DNS checkers -- yet certbot is suddenly no longer able to renew. In the DNS server logs there are no external attempts by Let's Encrypt to resolve the TXT record. What am I missing?

I have masked account numbers and various hex values, but can re-generate a trace if helpful.

My domain is:
dev-pma.schindlertech.com

I ran this command:
certbot renew -vvv --cert-name dev-pma.schindlertech.com --force-renewal

It produced this output:
Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Notifying user: Processing /etc/letsencrypt/renewal/dev-pma.schindlertech.com.conf


Processing /etc/letsencrypt/renewal/dev-pma.schindlertech.com.conf


Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f1eaf5c3b38> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f1eaf5c3b38>
Auto-renewal forced with --force-renewal...
Requested authenticator dns-rfc2136 and installer None
Single candidate plugin: * dns-rfc2136
Description: Obtain certificates using a DNS TXT record (if you are using BIND for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-rfc2136 = certbot_dns_rfc2136._internal.dns_rfc2136:Authenticator
Initialized: <certbot_dns_rfc2136._internal.dns_rfc2136.Authenticator object at 0x7f1eaf608c88>
Prep: True
Selected authenticator <certbot_dns_rfc2136._internal.dns_rfc2136.Authenticator object at 0x7f1eaf608c88> and installer None
Plugins selected: Authenticator dns-rfc2136, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXXXXXXXXX', new_authzr_uri=None, terms_of_service=None), XXXXXXXXX, Meta(creation_dt=datetime.datetime(2023, 7, 17, 21, 9, 59, tzinfo=), creation_host='devhost.use1.schindlertech.com', register_to_eff=None))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1063
Received response:
HTTP 200
Server: nginx
Date: Tue, 25 Nov 2025 20:55:52 GMT
Content-Type: application/json
Content-Length: 1063
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"b0YJ5HEyM9c": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"profiles": {
"classic": "Profiles - Let's Encrypt",
"shortlived": "Profiles - Let's Encrypt (not yet generally available)",
"tlsclient": "Profiles - Let's Encrypt",
"tlsserver": "Profiles - Let's Encrypt"
},
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/acme/renewal-info",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Notifying user: Renewing an existing certificate for *.dev-pma.schindlertech.com
Renewing an existing certificate for *.dev-pma.schindlertech.com
Generating RSA key (2048 bits): /etc/letsencrypt/keys/0102_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0102_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Tue, 25 Nov 2025 20:55:53 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: zahUfOdGaO3mLES1vq88yfUeKkZsatZj9ME6TsxsT56yTy91628
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: zahUfOdGaO3mLES1vq88yfUeKkZsatZj9ME6TsxsT56yTy91628
JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "*.dev-pma.schindlertech.com"\n }\n ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "XXXXXXXXXX",
"signature": "XXXXXXXXXX",
"payload": "XXXXXXXXXX"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 361
Received response:
HTTP 201
Server: nginx
Date: Tue, 25 Nov 2025 20:55:53 GMT
Content-Type: application/json
Content-Length: 361
Connection: keep-alive
Boulder-Requester: XXXXXXXXXX
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/XXXXXXXXXX/XXXXXXXXXX
Replay-Nonce: jkzIQkhdBPiNGOSSh3sUxakhj0XwBodfPVYYxFS1i-GourHkQzo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2025-12-02T20:55:53Z",
"identifiers": [
{
"type": "dns",
"value": "*.dev-pma.schindlertech.com"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz/XXXXXXXXXX/XXXXXXXXXX"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/XXXXXXXXXX/XXXXXXXXXX"
}
Storing nonce: jkzIQkhdBPiNGOSSh3sUxakhj0XwBodfPVYYxFS1i-GourHkQzo
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/XXXXXXXXXX/XXXXXXXXXX:
{
"protected": "XXXXXXXXXX",
"signature": "XXXXXXXXXX",
"payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/XXXXXXXXXX/XXXXXXXXXX HTTP/1.1" 200 407
Received response:
HTTP 200
Server: nginx
Date: Tue, 25 Nov 2025 20:55:53 GMT
Content-Type: application/json
Content-Length: 407
Connection: keep-alive
Boulder-Requester: XXXXXXXXXX
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: jkzIQkhd12kS3E_E4fhRiTBQxujPAoE8R1W1ASLTsUTbsA5-Tko
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "dev-pma.schindlertech.com"
},
"status": "pending",
"expires": "2025-12-02T20:55:53Z",
"challenges": [
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/XXXXXXXXXX/XXXXXXXXXX/gxPXBQ",
"status": "pending",
"token": "XXXXXXXXXX"
}
],
"wildcard": true
}
Storing nonce: jkzIQkhd12kS3E_E4fhRiTBQxujPAoE8R1W1ASLTsUTbsA5-Tko
Performing the following challenges:
dns-01 challenge for dev-pma.schindlertech.com
No authoritative SOA record found for _acme-challenge.dev-pma.schindlertech.com
Received authoritative SOA response for dev-pma.schindlertech.com
Successfully added TXT record _acme-challenge.dev-pma.schindlertech.com
Notifying user: Waiting 60 seconds for DNS changes to propagate
Waiting 60 seconds for DNS changes to propagate
JWS payload:
b'{}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/XXXXXXXXXX/XXXXXXXXXX/gxPXBQ:
{
"protected": "XXXXXXXXXX",
"signature": "XXXXXXXXXX",
"payload": "XXX"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall/XXXXXXXXXX/XXXXXXXXXX/gxPXBQ HTTP/1.1" 200 194
Received response:
HTTP 200
Server: nginx
Date: Tue, 25 Nov 2025 20:56:53 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Boulder-Requester: XXXXXXXXXX
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz/XXXXXXXXXX/XXXXXXXXXX;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall/XXXXXXXXXX/XXXXXXXXXX/gxPXBQ
Replay-Nonce: jkzIQkhdGFUQYnAHrYg-GEUJXmEp9ye69fJz_P1Js8q7bFU9s0E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/XXXXXXXXXX/XXXXXXXXXX/gxPXBQ",
"status": "pending",
"token": "XXXXXXXXXX"
}
Storing nonce: jkzIQkhdGFUQYnAHrYg-GEUJXmEp9ye69fJz_P1Js8q7bFU9s0E
Waiting for verification...
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/XXXXXXXXXX/XXXXXXXXXX:
{
"protected": "XXXXXXXXXX",
"signature": "XXXXXXXXXX",
"payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/XXXXXXXXXX/XXXXXXXXXX HTTP/1.1" 200 808
Received response:
HTTP 200
Server: nginx
Date: Tue, 25 Nov 2025 20:56:54 GMT
Content-Type: application/json
Content-Length: 808
Connection: keep-alive
Boulder-Requester: XXXXXXXXXX
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: jkzIQkhdzlJAVP8dGKpDmcEJsE4jnalV-ji6MLu2RsnGD8REqp4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "dev-pma.schindlertech.com"
},
"status": "invalid",
"expires": "2025-12-02T20:55:53Z",
"challenges": [
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/XXXXXXXXXX/XXXXXXXXXX/gxPXBQ",
"status": "invalid",
"validated": "2025-11-25T20:56:53Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "During secondary validation: No TXT record found at _acme-challenge.dev-pma.schindlertech.com",
"status": 403
},
"token": "XXXXXXXXXX",
"validationRecord": [
{
"hostname": "dev-pma.schindlertech.com",
"addressUsed": ""
}
]
}
],
"wildcard": true
}
Storing nonce: jkzIQkhdzlJAVP8dGKpDmcEJsE4jnalV-ji6MLu2RsnGD8REqp4
Challenge failed for domain dev-pma.schindlertech.com
dns-01 challenge for dev-pma.schindlertech.com
Notifying user:
Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
Domain: dev-pma.schindlertech.com
Type: unauthorized
Detail: During secondary validation: No TXT record found at _acme-challenge.dev-pma.schindlertech.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-rfc2136. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-rfc2136-propagation-seconds (currently 60 seconds).

Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
Domain: dev-pma.schindlertech.com
Type: unauthorized
Detail: During secondary validation: No TXT record found at _acme-challenge.dev-pma.schindlertech.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-rfc2136. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-rfc2136-propagation-seconds (currently 60 seconds).

Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
No authoritative SOA record found for _acme-challenge.dev-pma.schindlertech.com
Received authoritative SOA response for dev-pma.schindlertech.com
Successfully deleted TXT record _acme-challenge.dev-pma.schindlertech.com
Failed to renew certificate dev-pma.schindlertech.com with error: Some challenges have failed.
Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/certbot/_internal/renewal.py", line 485, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 1441, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 127, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3.6/site-packages/certbot/_internal/renewal.py", line 345, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3.6/site-packages/certbot/_internal/client.py", line 424, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3.6/site-packages/certbot/_internal/client.py", line 476, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Notifying user:



All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/dev-pma.schindlertech.com/fullchain.pem (failure)
Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==1.22.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 1632, in main
return config.func(config, plugins)
File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 1518, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3.6/site-packages/certbot/_internal/renewal.py", line 512, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
N/A

The operating system my web server runs on is (include version):
RHEL 8.10

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0 (OS vendor packaged)

Hello @jeredfloyd, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is a list of issued certificates: https://crt.sh/?q=dev-pma.schindlertech.com.
The latest is from 2025-11-25, and the certificate is crt.sh | 22731571153.

This is a little bothersome

And here the Hardenize Report for dev-pma.schindlertech.com shows only the same IPv4 address for 2 FQDN name servers; this is really only one name server.

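To make the two points in this reply concrete (the CA queries the zone's authoritative servers directly, from several network vantage points, and two NS names that share one address are still a single server), here is an added example that models that validation offline. It is not certbot's or Let's Encrypt's code. The zone name, the name-server names, the 192.0.2.x / 198.51.100.x addresses and the `lookup` stub are all constructed; the JWK is a placeholder, not a real key; and the rule that every vantage point must succeed is an assumption, since the CA's real quorum policy is not modelled. The TXT-value computation itself follows RFC 8555 section 8.4 and RFC 7638.

```python
"""Offline model of multi-perspective dns-01 validation (added example, not certbot code).

Constructed data throughout: zone, NS names, TEST-NET addresses, placeholder JWK,
and a `lookup` stub in place of real DNS queries. A validator discovers the zone's
NS set, resolves each NS name, then asks those authoritative addresses directly
for _acme-challenge TXT; a local or recursive resolver's view never counts.
"""
import base64
import hashlib
import json
from typing import Callable, Dict, List, Set, Tuple

# (vantage, server_ip, qname, qtype) -> rdata strings
Lookup = Callable[[str, str, str, str], List[str]]

ZONE = "dev-pma.example.net"   # constructed zone
RECURSOR = "192.0.2.53"        # constructed resolver used only for NS/A discovery
TOKEN = "constructed-token"    # placeholder for the challenge token
JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus", "alg": "RS256"}  # not a real key


class Unreachable(Exception):
    """Raised by the stub when a vantage point gets no answer from a server."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT rdata is base64url(SHA-256(token '.' thumbprint))."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest())


def ns_addresses(zone: str, lookup: Lookup, vantage: str, recursor: str) -> Dict[str, List[str]]:
    """Authoritative server discovery: NS names of the zone, then the A records of each."""
    return {ns: lookup(vantage, recursor, ns, "A") for ns in lookup(vantage, recursor, zone, "NS")}


def single_point_of_failure(ns_map: Dict[str, List[str]]) -> bool:
    """True when all NS names resolve to one address: one server, however many names."""
    return len({ip for ips in ns_map.values() for ip in ips}) <= 1


def check_from_vantage(vantage: str, zone: str, expected: str, lookup: Lookup, recursor: str) -> List[str]:
    """Ask every authoritative address directly for the challenge record; return problems."""
    qname = f"_acme-challenge.{zone}"
    problems: List[str] = []
    for ns, ips in ns_addresses(zone, lookup, vantage, recursor).items():
        for ip in ips:
            try:
                rdata = lookup(vantage, ip, qname, "TXT")
            except Unreachable:
                problems.append(f"{vantage}: {ns} ({ip}) did not answer")
                continue
            if expected not in rdata:
                problems.append(f"{vantage}: No TXT record found at {qname} on {ns} ({ip})")
    return problems


def multi_perspective_check(zone: str, token: str, jwk: dict, lookup: Lookup,
                            recursor: str, vantages: List[str]) -> Tuple[bool, List[str]]:
    """Assumption: every vantage point must succeed (the CA's real quorum rule is not modelled)."""
    expected = dns01_txt_value(token, jwk_thumbprint(jwk))
    problems = [p for v in vantages for p in check_from_vantage(v, zone, expected, lookup, recursor)]
    return (not problems, problems)


def build_lookup(ns_ips: Dict[str, List[str]], txt_on: Dict[str, List[str]],
                 blocked: Dict[str, Set[str]]) -> Lookup:
    """Stub resolver over the constructed zone; blocked[vantage] = server IPs it cannot reach."""
    def lookup(vantage: str, server_ip: str, qname: str, qtype: str) -> List[str]:
        if server_ip in blocked.get(vantage, set()):
            raise Unreachable(f"{vantage} -> {server_ip}")
        if server_ip == RECURSOR:  # discovery answers come from the recursor
            if qtype == "NS" and qname == ZONE:
                return sorted(ns_ips)
            return ns_ips.get(qname, []) if qtype == "A" else []
        return txt_on.get(server_ip, []) if qtype == "TXT" else []
    return lookup


def broken_scenario() -> Tuple[bool, List[str], bool]:
    """Two NS names, one address, and that address answers only the primary vantage."""
    ns_ips = {"ns1.example.net": ["192.0.2.10"], "ns2.example.net": ["192.0.2.10"]}
    expected = dns01_txt_value(TOKEN, jwk_thumbprint(JWK))
    lookup = build_lookup(ns_ips, {"192.0.2.10": [expected]},
                          {"remote-a": {"192.0.2.10"}, "remote-b": {"192.0.2.10"}})
    ok, problems = multi_perspective_check(ZONE, TOKEN, JWK, lookup, RECURSOR,
                                           ["primary", "remote-a", "remote-b"])
    return ok, problems, single_point_of_failure(ns_addresses(ZONE, lookup, "primary", RECURSOR))


def healthy_scenario() -> Tuple[bool, List[str], bool]:
    """Two NS names on two addresses, both serving the record to every vantage."""
    ns_ips = {"ns1.example.net": ["192.0.2.10"], "ns2.example.net": ["198.51.100.20"]}
    expected = dns01_txt_value(TOKEN, jwk_thumbprint(JWK))
    lookup = build_lookup(ns_ips, {"192.0.2.10": [expected], "198.51.100.20": [expected]}, {})
    ok, problems = multi_perspective_check(ZONE, TOKEN, JWK, lookup, RECURSOR,
                                           ["primary", "remote-a", "remote-b"])
    return ok, problems, single_point_of_failure(ns_addresses(ZONE, lookup, "primary", RECURSOR))


if __name__ == "__main__":
    for name, run in (("broken", broken_scenario), ("healthy", healthy_scenario)):
        ok, problems, spof = run()
        print(f"{name}: ok={ok} single_point_of_failure={spof}")
        for p in problems:
            print("  ", p)
```

The broken scenario reproduces the shape of the failure in the log above: the primary vantage sees the TXT record, the remote vantages never get an answer from the one real server, and the check fails even though the record is correct and visible locally. Swapping the stub for real queries (dig +norecurse @<ns-ip> _acme-challenge.<zone> TXT against every address the NS names resolve to, run from a host outside your own network) is the practical version of the same test.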

Sorry I couldn't reply -- creating a new account locked me out of replies or other interaction after my post for a week. Very frustrating!

I figured this out minutes after posting, and as will surprise nobody, it was a DNS issue.
