DNS Challenge seeing old txt records

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.benco.proton.ai

I ran this command: certbot-auto certonly --manual --preferred-challenges dna --cert-name -d *.benco.proton.ai

It produced this output:

Please deploy a DNS TXT record under the name
_acme-challenge.benco.proton.ai with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Challenge failed for domain benco.proton.ai
dns-01 challenge for benco.proton.ai
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Domain: benco.proton.ai
    Type: unauthorized
    Detail: Incorrect TXT record
    “0hdHYcu6UFlEK6gkY04Iyp2QHlrfODVnUL477lA5BNU” found at

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx/1.16.0

The operating system my web server runs on is (include version): linuxamd64

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.38.0

After doing the dns challenge for other certificates (and having no issues) I keep running into problems with this domain. I accidentally deleted the old txt records, so I think that is the source of the issue. I have tried adding new txt records each time I run the command to renew, waiting hours and trying again as well as deleting any txt records, waiting, and trying again. It seems like even if I delete all records, they still are seen by certbot (i.e. the error will show a txt record that has been deleted). How can I go about renewing/obtaining a new cert for the domain, given the only challenge I can do is the dns txt record challenge because of the provider used?

Hi @oliviaandersonm

checking your domain there are some TXT entries ( https://check-your-website.server-daten.de/?q=benco.proton.ai#txt ):

So you have created one correct entry


but a lot of older entries.

Looks like you have something like a wildcard.


  • first remove all of these TXT entries, recheck your domain -> no TXT of that type should be visible.
  • Then try it again.

I am using route53, and through the console I cannot see any of these records to delete them - I’ve previously deleted records and they’ve been visible a day later as well. Is this a route53 problem, or is there a way around this with letsencrypt?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.