Domain validation is not getting completed, failing to verify TXT record

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
dig -t TXT

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t TXT

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28787

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


; EDNS: version: 0, flags:; udp: 4096



;; ANSWER SECTION: 60 IN TXT “QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM”

;; Query time: 90 msec


;; WHEN: Tue Aug 04 10:14:28 UTC 2020

;; MSG SIZE rcvd: 126

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

The TXT record for one SAN under the CN is not getting validated
TXT record for above: “QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM”

Can you let me know what's the reason for it not getting validated?
Server logs:

2020-08-04T10:08:43,866 [le-validate-async-JobID(id=945459)-1 JobID(id=945459)] INFO com.akamai.cps.work_elements.le.LetsEncryptValidationTrackerAsync - Validation check for ran for 70913 millis
2020-08-04T10:08:43,866 [le-validate-async-JobID(id=945459)-1 JobID(id=945459)] INFO com.akamai.cps.work_elements.le.LetsEncryptValidationTrackerAsync - leRequest status: awaiting, leRequest validation_status: DATA_NOT_READY
2020-08-04T10:08:43,866 [le-validate-async-JobID(id=945459)-1 JobID(id=945459)] INFO com.akamai.cps.work_elements.le.LeUtilsImpl - DNSClient and the system resolver failed to match the key authorization: -wIVVoO6d03CmMSRXGOJTbUqZp1__wwVNXPHCGu3mNE
2020-08-04T10:08:43,866 [le-validate-async-JobID(id=945459)-1 JobID(id=945459)] INFO com.akamai.cps.work_elements.le.LeUtilsImpl - System DNS resolver received TXT record: QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM

Are you trying to manually update the TXT record or something?

It seems that the Akamai ACME client is expecting the updated TXT record to be -wIVVoO6d03CmMSRXGOJTbUqZp1__wwVNXPHCGu3mNE, but its value is QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM.

The challenge (and required DNS record) will change every time a new certificate order is made.

I’m not too sure how the Akamai client organizes its workflow, but from a Let’s Encrypt perspective, I don’t really see anything wrong. Have you tried asking Akamai for assistance?

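The mismatch pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Akamai's or Let's Encrypt's code: it derives the DNS-01 TXT value as defined in RFC 8555 section 8.4 and classifies what the resolver returned as a match, a stale value, or missing. The two 43-character values are the ones quoted in the thread; the record name, token and thumbprint are constructed placeholders.

```python
import base64
import hashlib
import re

def dns01_txt_value(token, jwk_thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token + "." + thumbprint)), unpadded."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def txt_values(dig_answer):
    """Pull TXT strings out of dig answer lines; accepts straight or curly quotes."""
    values = []
    for line in dig_answer.splitlines():
        m = re.search(r"\bIN\s+TXT\s+(.*)$", line)
        # A long record may be split into several quoted strings; join them.
        parts = re.findall(r'["“]([^"”]*)["”]', m.group(1)) if m else []
        if parts:
            values.append("".join(parts))
    return values

def diagnose(expected, observed):
    """match: the expected value is published; stale: some other digest-shaped
    value is published (e.g. left over from an earlier order); missing: neither."""
    if expected in observed:
        return "match"
    if any(re.fullmatch(r"[A-Za-z0-9_-]{43}", v) for v in observed):
        return "stale"
    return "missing"

# Values quoted in the thread: what the client log expected vs. what DNS returned.
EXPECTED_FROM_LOG = "-wIVVoO6d03CmMSRXGOJTbUqZp1__wwVNXPHCGu3mNE"
# Constructed dig answer line (the record name is a placeholder).
SAMPLE_DIG = ('_acme-challenge.example.com. 60 IN TXT '
              '"QR9c6De5M9eGWwrpZkip2WVu9H3G83EFaZdtV2i2SYM"')

if __name__ == "__main__":
    print(diagnose(EXPECTED_FROM_LOG, txt_values(SAMPLE_DIG)))
    # Constructed token and thumbprint, only to show the derivation.
    print(dns01_txt_value("constructed-token", "constructed-thumbprint"))
```

A "stale" result means a digest-shaped TXT value is published that does not belong to the current order, so the record has to be replaced with the value for the order being validated.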