DNS Challenge Not populating

My domain is: stream.cffradio.com

I ran this command:
sudo certbot certonly --dry-run --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \stream.cffradio.com -d stream.cffradio.com

It produced this output:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: stream.cffradio.com
Type: unauthorized
Detail: Incorrect TXT record "" found at _acme-challenge.stream.cffradio.com

My web server is (include version):
nginx/1.18.0

The operating system my web server runs on is (include version):
Linux Ubuntu 22.04.4-LTS

My hosting provider, if applicable, is: Self
I can login to a root shell on my machine (yes or no, or I don't know): Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

==DETAILED INFORMATION==
I have a Windows 2016 Server running DNS for our websites. This DNS Server has been running for many years.

I created the DNS record for the challenge like this.
#1: Right-click on the domain in the list tree on the left.
#2: Create [New Domain]
#3: stream
#4: Went into the [stream] folder.
#4a: Right-click and choose [other new records], and choose [TXT]
#5: Name: _acme-challenge
Which created the _acme-challenge.stream.cffradio.com
The VALUE of this record is empty.

Yesterday, while testing, I created a record that automatically generated the value, but now, it will not.

I waited a while and then ran the --dry-run script and the information about it from that run.
I have no value in my TXT file.

Hello @carrzkiss,

There are definitely some issues with the DNS for the domain name stream.cffradio.com

No DNS Name Servers

$ nslookup -q=ns stream.cffradio.com ns1.carrz-fox-fire.com.
Server:         ns1.carrz-fox-fire.com.
Address:        216.97.166.158#53

*** Can't find stream.cffradio.com: No answer

No DNS Name Servers

$ nslookup -q=ns _acme-challenge.stream.cffradio.com ns1.carrz-fox-fire.com.
Server:         ns1.carrz-fox-fire.com.
Address:        216.97.166.158#53

*** Can't find _acme-challenge.stream.cffradio.com: No answer

Empty TXT found.

$ nslookup -q=txt _acme-challenge.stream.cffradio.com ns1.carrz-fox-fire.com.
Server:         ns1.carrz-fox-fire.com.
Address:        216.97.166.158#53

_acme-challenge.stream.cffradio.com     text = ""
1 Like

Empty TXT found
This I know.
How come it is not populating?
Or
How can I get the string for it to be placed in it?

Maybe due to other DNS Errors, I am not sure.

1 Like

Why are you using this? This auth hook would apply if you were using the acme-dns service, which you really should be hosting yourself. But if you were using that service, you'd have a CNAME record in place pointing _acme-challenge.stream.cffradio.com to something like 36e5e3a7-95ec-4e7c-8744-74055c636c33.acme-dns.io. Since you don't have any such record in place, I'm thinking you've copied and pasted commands that you don't understand, which is resulting in the problem you're seeing (and will likely result in other problems as well). And that lack of the CNAME record is the reason the DNS record is not populating.

3 Likes
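A pre-flight check for the situation described in the reply above, as an added example that is not part of the original thread or of certbot/acme-dns: it classifies what a name server returns for the `_acme-challenge` name before a hook-driven run. The function names and status strings are hypothetical, and `lookup()` assumes `dig` is installed.

```python
import re
import subprocess

# RFC 8555 dns-01: TXT value = base64url(SHA-256(key authorization)),
# which is always 43 characters with no padding.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def diagnose(cname_targets, txt_values):
    """Classify what a resolver returned for _acme-challenge.<domain>."""
    values = [v.strip().strip('"') for v in txt_values]
    if any(TOKEN_RE.fullmatch(v) for v in values):
        return "ready"                     # a well-formed challenge value is published
    if cname_targets:
        return "delegated-not-populated"   # CNAME exists, TXT not written at the target yet
    if values:
        return "placeholder-txt-no-cname"  # the case in this thread: TXT "" and no CNAME
    return "no-record"


def lookup(domain, server):
    """Query one name server with dig (assumption: dig is on PATH)."""
    name = f"_acme-challenge.{domain}"

    def dig(rtype):
        out = subprocess.run(
            ["dig", "+short", rtype, name, f"@{server}"],
            capture_output=True, text=True, timeout=10, check=False,
        ).stdout
        return [line for line in out.splitlines() if line.strip()]

    cnames = dig("CNAME")
    # TXT strings are quoted in dig output; drop any CNAME line echoed first.
    txts = [line for line in dig("TXT") if line.startswith('"')]
    return diagnose(cnames, txts)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: empty TXT, no CNAME.
    print(diagnose([], ['""']))
    # Same empty TXT, with the kind of CNAME an acme-dns setup would have.
    print(diagnose(["36e5e3a7-95ec-4e7c-8744-74055c636c33.acme-dns.io."], ['""']))
```

A result of `placeholder-txt-no-cname` means nothing will fill the record automatically: either the CNAME delegation is added, or the value certbot prints is entered by hand.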

Hey, Dan.
This is the first time I've done this with DNS.
All my others are done through HTTP.
Reason for taking the DNS route.

I run a Windows Server Web Farm behind a PFSense Firewall.
I have recently brought in a Linux Nginx server running for HLS/Liquidsoap Media Server.

However, I have to have an SSL on the subdomain, which is the one posted here. And since I had to use port 8080 in the HAProxy for the subdomain, I had no choice but to go the DNS route.
But, for some reason, the DNS is not working right for this domain, which is confusing.
With Bruce's information, I can see that something is wrong with the domain's DNS records. So, I am working to resolve the issue.

I have changed the subdomain to point to our IIS Webserver to ensure it is working, and then it will be set back to use port 8080. So, at this moment, it is working and displays the page.

With what you stated, Dan, about the acme-dns.
I removed it from the string and ran it; this time, it gave me the challenge code and a link to test the _acme-challenge.
(Which just showed positive for containing the string.)
I got this after inserting the string and then waiting about 5 minutes to test it on the Google Toolbox.

The dry run was successful.

So, now, I can do it for real since I know how to do it. Thank you, Dan.

Also, Bruce or Dan, can either of you provide a link with information on exactly how to perform DNSSEC?
My Registrar was no help, at least the person I chatted with.

Thank you. I am learning, and you were right, Dan. I was using something I knew nothing about, as I had never done the DNS before.
So, now I have to make the script for the --manual-auth-hook to set up auto-renewal.

Thanks, guys, you both rock.

2 Likes