DNS challenge seems correct but says wrong TXT record (token matches TXT record)


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot certonly --staging --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d churchwebsitesplus.com -v

It produced this output:

… “token”: “sLFySYZc4V0ycOeNY5PjED5IVoE56OuYpNv7Tv-dAPg”\n }\n ]\n}’
Performing the following challenges:
dns-01 challenge for churchwebsitesplus.com

…then after pressing y and enter…it spit out the following


  • The following errors were reported by the server:

    Domain: churchwebsitesplus.com
    Type: unauthorized
    Detail: Incorrect TXT record
    “sLFySYZc4V0ycOeNY5PjED5IVoE56OuYpNv7Tv-dAPg” found at

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

So why does the output say incorrect TXT record when it’s exactly the same as the “token” “sLFySYZc4V0ycOeNY5PjED5IVoE56OuYpNv7Tv-dAPg”

Isn’t the token the supposed to be the TXT record???



My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 16.04LTS

My hosting provider, if applicable, is:
self hosted

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


Not that token. The token to be used is passed as an environment variable to the script you specified with --manual-auth-hook.

Are you trying to complete the challenge manually, or are you trying to use acme-dns? If the former you should just leave off the --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py and certbot will provide instructions to complete the challenge manually. If you want to use acme-dns then… sorry I haven’t tried that yet, but maybe someone else can help.


Firstly, Thanks for the reply.

I was first trying to use acme-dns but I found some errors in my DNS setup (CNAME -> acme-dns) so I tried to troubleshoot by just manually finding the txt record I needed and then adding that TXT record ihe DNS server to see if I can get the cert.

Been trying to get dns challenges working so I can get wildcard certs. My brain is just overloaded.

I think I know what you are saying. I’ll leave off “–manual-auth-hook /etc/letsencrypt/acme-dns-auth.py” and I suppose LE will give me the correct “txt” records.

Then when I want to try using acme-dns, I add it back in. (I think it’s not working right now as the CNAME record on my DNS server is not working correctly to the acme-dns server that I built.



That’s exactly right. There are two tokens, which can be confusing but only one you need to worry about one.

There is this token (when you use --debug-challenges -v):

  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxx/yyy",
  "token": "aPrv0n8ILstU8zLesk4PT6hV0I3pH4UETabwGhpcphg"

This is not the final token to use for verification. This token is combined by Certbot along with your ACME private key to produce the final token.

You can find the final token by using --authenticator manual without --manual-auth-hook (as pointed out already):

Please deploy a DNS TXT record under the name
_acme-challenge.example.org with the following value:


Before continuing, verify the record is deployed.


I think I am too tired to think correctly. But it worked!!! :slight_smile:

Thank you everyone for all your help. Initially it didn’t work after I tried again but I had a typo.

Now I’m going to try and get my acme-dns working on Monday.

Thank you so much!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.