Domain validation is not getting completed failing to verify TXT record

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stage-us.suitsupply.com

I ran this command:
dig -t TXT _acme-challenge.acceptance.suitsupply.com.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> _acme-challenge.acceptance.suitsupply.com. -t TXT

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28787

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;_acme-challenge.acceptance.suitsupply.com. IN TXT

;; ANSWER SECTION:

_acme-challenge.acceptance.suitsupply.com. 60 IN TXT “QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM”

;; Query time: 90 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Tue Aug 04 10:14:28 UTC 2020

;; MSG SIZE rcvd: 126

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

The TXT record for one SAN under the CN is not getting validated
SAN: acceptance.suitsupply.com
TXT record for above: “QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM”

Can you let me know whats the reason for it not getting validated
Server logs:

2020-08-04T10:08:43,866 [le-validate-async-JobID(id=945459)-1 JobID(id=945459)] INFO com.akamai.cps.work_elements.le.LetsEncryptValidationTrackerAsync - Validation check for acceptance.suitsupply.com ran for 70913 millis
2020-08-04T10:08:43,866 [le-validate-async-JobID(id=945459)-1 JobID(id=945459)] INFO com.akamai.cps.work_elements.le.LetsEncryptValidationTrackerAsync - leRequest status: awaiting, leRequest validation_status: DATA_NOT_READY
2020-08-04T10:08:43,866 [le-validate-async-JobID(id=945459)-1 JobID(id=945459)] INFO com.akamai.cps.work_elements.le.LeUtilsImpl - DNSClient and the system resolver failed to match the key authorization: -wIVVoO6d03CmMSRXGOJTbUqZp1__wwVNXPHCGu3mNE
2020-08-04T10:08:43,866 [le-validate-async-JobID(id=945459)-1 JobID(id=945459)] INFO com.akamai.cps.work_elements.le.LeUtilsImpl - System DNS resolver received TXT record: QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM

Are you trying to manually update the TXT record or something?

It seems that the Akamai ACME client is expecting the updated TXT record to be -wIVVoO6d03CmMSRXGOJTbUqZp1__wwVNXPHCGu3mNE, but its value is QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM.

The challenge (and required DNS record) will change every time a new certificate order is made.

I’m not too sure how the Akamai client organizes its workflow, but from a Let’s Encrypt perspective, I don’t really see anything wrong. Have you tried asking Akamai for assistance?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.