DNS challenges failed. Incorrect TXT record

My domain is: iskalar.com
certbot 0.31.0

I ran this command: sudo certbot certonly --manual -d *.iskalar.com -d iskalar.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Please deploy a DNS TXT record under the name
_acme-challenge.iskalar.com with the following value:


Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. iskalar.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “VF2OMqNtJBL8K2uOFx_gjSDdVioQeIwoCMcqiN3-qEQ” found at _acme-challenge.iskalar.com


  • The following errors were reported by the server:

Domain: iskalar.com
Type: unauthorized
Detail: Incorrect TXT record
“VF2OMqNtJBL8K2uOFx_gjSDdVioQeIwoCMcqiN3-qEQ” found at

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

$ nslookup -q=txt _acme-challenge.iskalar.com ns1.digitalocean.com
Server: ns1.digitalocean.com

_acme-challenge.iskalar.com text = “VF2OMqNtJBL8K2uOFx_gjSDdVioQeIwoCMcqiN3-qEQ”

What should I do to make it work.
Can i re run the command. Do I need to delete any files. before re running the command?

Hi @shakthydoss,

From context, I think the part that you missed was probably this:

That is, when you are requesting a single certificate for both *.iskalar.com and iskalar.com, you’ll have two separate values to provide as TXT records for the same name _acme-challenge.iskalar.com. (One of these proves that you, as the domain owner, are the same person who requested for *.iskalar.com to be covered by the new certificate, while the other proves that you, as the domain owner, are the same person who requested for iskalar.com to be covered by the new certificate.) The way that Certbot handles this, they’ll both have to be configured at the same time, not replacing one of them with the other one. However, it looks like when you ran Certbot you replaced the challenge value for iskalar.com with the other challenge value for *.iskalar.com instead of serving both DNS records at the same time.

You can re-run the command. There is a limit to how many times you can try per hour, but there is no penalty for re-trying the command in general.

When you re-run the command, you’ll get completely new values to create as TXT records. In this case, you can delete the existing one (VF2OMqNtJBL8K2uOFx_gjSDdVioQeIwoCMcqiN3-qEQ) from your DNS zone and only use the new ones that will be provided. You don’t have to delete any files or make any other changes before trying again.

A post was split to a new topic: Creating the correct TXT entry

Thank you.
That explains what was the problem.