Dns verification fails?

Hello, I’m new to LE, trying to create a cert for my subdomain only (there is no cert for the primary domain). I’m running the commands on my dev box. The server is not up yet and will be using a non-standard port, so I want to use DNS verification. I’ve placed the challenge TXT value in my cloudflare DNS records, but I’m getting an error that indicates those records are invalid (domain name changed, log reduced).

I’m also not sure how to test of the TXT records exist because ‘nslookup -q=TXT subdomain’ will not work on subdomains, and ‘nslookup -q=TXT primary.domain’ doesn’t show all TXT records of the primary domain for some reason (including the one I added).

sudo certbot certonly --manual --preferred-challenges dns

Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c’
to cancel): sub1.sub2.example.com
Performing the following challenges:
dns-01 challenge for sub1.sub2.example.com

Please deploy a DNS TXT record under the name
_acme-challenge.sub1.sub2.example.com with the following value:

Before continuing, verify the record is deployed.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. sub1.sub2.example.com (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct value not found for DNS challenge

Any ideas?
Thank you!

this is not a issuance tech but rather a help

please fill out the fields below so other can investigate and suggest fixes

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi @sagimann,

Are you sure you are creating the right txt record?. In your cloudflare dns conf you need to create a TXT record for _acme-challenge.sub1.sub2 with the right validation token xxxXXxxXXxxXXxxXXxxXxXXXXxXxXxXxXXxx

And to check it, you should first know the ns servers used in your domain.

$ nslookup -q=ns example.com

Non-authoritative answer:
changedns.net   nameserver = bar.ns.cloudflare.com.
changedns.net   nameserver = foo.ns.cloudflare.com.

Authoritative answers can be found from:

Now, once you have added the txt record, you need to query both ns servers and both should answer with the new txt record.

nslookup -q=txt _acme-challenge.sub1.sub2.example.com bar.ns.cloudflare.com

nslookup -q=txt _acme-challenge.sub1.sub2.example.com foo.ns.cloudflare.com

And once both answer the same content, you can continue the certbot process.

I hope this helps.


My domain is: I cannot provide a full name, privacy constraints

I ran this command:
sudo certbot certonly --manual --preferred-challenges dns

It produced this output: see above

My web server is (include version): node 6.10

The operating system my web server runs on is (include version): amazon linux

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’ve now repeated the process and this time it works, however, I noticed a few things:

  1. After inserting the TXT record into Cloudflare, seems like the primary domain name was omitted by CF automatically, i.e. I inserted _acme-challenge.sub1.sub2.example.com but the final record turned out to contain _acme-challenge.sub1.sub2.

  2. Despite 1, whenever I do nslookup as suggested below, this works (I get the value):
    nslookup -q=TXT _acme-challenge.sub1.sub2.example.com jake.ns.cloudflare.com
    But this does not (REFUSED):
    nslookup -q=TXT _acme-challenge.sub1.sub2 jake.ns.cloudflare.com

  3. I waited a big longer before running the validation (just in case I didn’t wait enough in my previous attempt)

Great :wink:

That is correct, your zone name is example.com so there is no need to write it when adding sub domains or show it on the list of active records.

That is the right way to query your subdomain for a txt record :+1:

As far as I known, nslookup doesn't have a crystal ball... yet :wink: so it is not possible to guess the complete domain if you don't write it. With the above query you are requesting the TXT record for subdomain _acme-challenge that belongs to domain sub1.sub2. So, as you can see, you need to specify the FQDN (in this case is _acme-challenge.sub1.sub2.example.com) when queryng to any ns server.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.