DNS Challenge does not work

Hello Folks,

I have some trouble with obtaining a new wildcard certificate. Just three months ago it worked well with the DNS challenge. This week it won't work, and I can't find out the problem.

I need one certificate; it looks like certbot will make two of it.

Performing the following challenges:
dns-01 challenge for ulrichivens.de
dns-01 challenge for ulrichivens.de

Certbot asked me to put in two challenges, which I did. Between every change I waited a couple of hours to let it deploy.

At the end certbot said that the TXT record is incorrect, but it shows the correct one in the output. What can I do to get the new certificate? I want a manual install on my server configuration, as I've done before.

Kind Regards

Ulrich

My domain is:
ulrichivens.de

I ran this command:

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'ulrichivens.de,*.ulrichivens.de'

and that one in another terminal to check if deployed:

nslookup -type=TXT _acme-challenge.ulrichivens.de ns15.domserver.de
Server:		ns15.domserver.de
Address:	2001:4178:3:a357:62:116:159:35#53

_acme-challenge.ulrichivens.de	text = "Uhk7jfhAZ58INnNFNDjlPjm3va7ZrNJ9ZBQ7V0BnsqA"

nslookup -type=TXT _acme-challenge.ulrichivens.de ns15.domserver.de
Server:		ns15.domserver.de
Address:	2001:4178:3:a357:62:116:159:35#53

_acme-challenge.ulrichivens.de	text = "gNJZEf9PfMbfuhlF1vhFmaINcxG-odIXDWIWd_KgXCM"

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ulrichivens.de
dns-01 challenge for ulrichivens.de

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ulrichivens.de with the following value:

Uhk7jfhAZ58INnNFNDjlPjm3va7ZrNJ9ZBQ7V0BnsqA

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ulrichivens.de with the following value:

gNJZEf9PfMbfuhlF1vhFmaINcxG-odIXDWIWd_KgXCM

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ulrichivens.de (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "gNJZEf9PfMbfuhlF1vhFmaINcxG-odIXDWIWd_KgXCM" found at _acme-challenge.ulrichivens.de

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ulrichivens.de
   Type:   unauthorized
   Detail: Incorrect TXT record
   "gNJZEf9PfMbfuhlF1vhFmaINcxG-odIXDWIWd_KgXCM" found at
   _acme-challenge.ulrichivens.de

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

I install the certificate manually; that has worked in the past.

The operating system my web server runs on is (include version):

Ubuntu 18.04 LTS with all updates

My hosting provider, if applicable, is:

Own Server

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot --version
certbot 0.27.0

Hi @uivens

That's expected. You want one certificate with two domain names. So you need (same time!) two different TXT entries with the same name and different values.

If you overwrite the first value with the second value, the first value is missing -> that's wrong.

Create two entries with the same domain name _acme-challenge.

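As an added example (not code from the thread or from Certbot), the check below makes the reply's point concrete: the authorization for `ulrichivens.de` and the one for `*.ulrichivens.de` each get their own token, so the `_acme-challenge.ulrichivens.de` TXT RRset must contain both values at the same time. The script parses `nslookup -type=TXT` output of the form shown above, compares the observed values against every value certbot asked for, and reports what is missing. The two nslookup transcripts it runs on are constructed from the values quoted in the thread; `query_txt` is an optional helper that shells out to the real `nslookup` binary, and the resolver name is an assumption.

```python
"""Verify that every dns-01 challenge value certbot asked for is present
in the _acme-challenge TXT RRset at the same time (added example)."""
import re
import subprocess
from typing import Iterable

# nslookup prints each TXT record as:  <name><whitespace>text = "<value>"
_TXT_LINE = re.compile(r'^(?P<name>\S+)\s+text\s*=\s*"(?P<value>[^"]*)"')


def parse_nslookup_txt(output: str, name: str) -> set[str]:
    """Return the set of TXT values nslookup reported for `name`.

    A resolver answers with the whole RRset, so when two records exist
    under the same name both values appear in one answer.
    """
    want = name.rstrip(".").lower()
    values: set[str] = set()
    for line in output.splitlines():
        m = _TXT_LINE.match(line.strip())
        if m and m.group("name").rstrip(".").lower() == want:
            values.add(m.group("value"))
    return values


def check_challenges(expected: Iterable[str], observed: Iterable[str]) -> dict:
    """Compare the values certbot asked for with what DNS currently serves.

    `ok` is True only when every expected value is served; stale values
    from an earlier run are listed under `extra` (harmless, but worth
    cleaning up).
    """
    exp, obs = set(expected), set(observed)
    return {"ok": exp <= obs, "missing": sorted(exp - obs), "extra": sorted(obs - exp)}


def query_txt(name: str, server: str = "ns15.domserver.de") -> set[str]:
    """Live lookup against the authoritative server via the nslookup CLI.

    Assumption: nslookup is installed. Not used by the offline demo below.
    """
    out = subprocess.run(
        ["nslookup", f"-type=TXT", name, server],
        capture_output=True, text=True, check=False,
    ).stdout
    return parse_nslookup_txt(out, name)


# The two tokens certbot printed in the thread (one per authorization).
EXPECTED = [
    "Uhk7jfhAZ58INnNFNDjlPjm3va7ZrNJ9ZBQ7V0BnsqA",
    "gNJZEf9PfMbfuhlF1vhFmaINcxG-odIXDWIWd_KgXCM",
]
NAME = "_acme-challenge.ulrichivens.de"

# Constructed transcript: the second value overwrote the first (the failure case).
OVERWRITTEN = """Server:\t\tns15.domserver.de
Address:\t2001:4178:3:a357:62:116:159:35#53

_acme-challenge.ulrichivens.de\ttext = "gNJZEf9PfMbfuhlF1vhFmaINcxG-odIXDWIWd_KgXCM"
"""

# Constructed transcript: both records present under the same name (the fix).
BOTH_PRESENT = """Server:\t\tns15.domserver.de
Address:\t2001:4178:3:a357:62:116:159:35#53

_acme-challenge.ulrichivens.de\ttext = "Uhk7jfhAZ58INnNFNDjlPjm3va7ZrNJ9ZBQ7V0BnsqA"
_acme-challenge.ulrichivens.de\ttext = "gNJZEf9PfMbfuhlF1vhFmaINcxG-odIXDWIWd_KgXCM"
"""


def demo() -> tuple[dict, dict]:
    """Run the check over both constructed transcripts."""
    before = check_challenges(EXPECTED, parse_nslookup_txt(OVERWRITTEN, NAME))
    after = check_challenges(EXPECTED, parse_nslookup_txt(BOTH_PRESENT, NAME))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("overwritten record:", before)   # ok=False, one value missing
    print("both records     :", after)     # ok=True, nothing missing
```

Run the script between certbot's two "Press Enter to Continue" prompts only after the second record has been added alongside the first; if `missing` is non-empty, Let's Encrypt will fail the authorization for whichever name owns that token, exactly as in the error above.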

Thank you. That worked. In newer versions of certbot there is a hint to that in the cli.

