Error 403: Incorrect TXT record

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: domiconstruction.gr

I ran this command: install Let's Encrypt on web server

It produced this output: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/118185737836, Details: Type: urn:ietf:params:acme:error:unauthorized , Status: 403 , Detail: Incorrect TXT record "Wd4lexq_TuBrCsH6gaikhu0gZEnUOePprlc8Qh4GEZc" found at _acme-challenge.domiconstruction.gr"

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Further information: The emails and DNS settings are administered through Microsoft (Microsoft admin panel). The TXT file referred to in the error message is located in the Microsoft admin panel.

Hi @Maria23, and welcome to the LE community forum :slight_smile:

Each DNS authentication requires a fresh TXT record.

How are you doing this exactly?:

Please explain:

What is "Microsoft admin panel"?

Is this request separate to the recently renewed cert?:
crt.sh | domiconstruction.gr

4 Likes
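Why a TXT record left over from an earlier validation is rejected, as an added example that is not part of the original thread: under RFC 8555 the DNS-01 TXT value is derived from a per-authorization token and the ACME account key, so every new authorization expects a new value. The account key (JWK) and both tokens below are constructed sample values, and `check_txt` is a hypothetical helper name.

```python
import base64
import hashlib
import json


def b64url(data):
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, jwk):
    """TXT value the CA expects at _acme-challenge.<domain> for this token."""
    key_authorization = token + "." + jwk_thumbprint(jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def check_txt(published, token, jwk):
    """Classify the TXT values found in DNS against the current challenge."""
    if dns01_txt_value(token, jwk) in published:
        return "ok"
    # Something is published, but not for this token: the CA's "Incorrect TXT record".
    return "incorrect" if published else "missing"


# Constructed sample data: not a real account key, not real challenge tokens.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
OLD_TOKEN = "constructed-token-from-previous-order"
NEW_TOKEN = "constructed-token-from-current-order"

if __name__ == "__main__":
    stale_zone = [dns01_txt_value(OLD_TOKEN, SAMPLE_JWK)]  # record never updated
    print("stale record :", check_txt(stale_zone, NEW_TOKEN, SAMPLE_JWK))
    fresh_zone = stale_zone + [dns01_txt_value(NEW_TOKEN, SAMPLE_JWK)]
    print("fresh record :", check_txt(fresh_zone, NEW_TOKEN, SAMPLE_JWK))
    print("empty zone   :", check_txt([], NEW_TOKEN, SAMPLE_JWK))
```

The value is always 43 base64url characters (a SHA-256 digest), the same shape as the record quoted in the error message above.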

Thank you very much for your reply. Let me explain further. The emails are managed through the Microsoft Office 365 account and through a specific administration panel that Microsoft provides. The DNS records are set in this panel. I mean, Microsoft manages the DNS for the emails and the DNS records for the hosting server. I mean, the settings are not in the administration panel of the domain host, as they should be. This is the first time I've dealt with such a case and that's why I don't know what to do. I'm responsible for the design and development of the webpage. I tried to install the Let's Encrypt certificate in the Plesk panel of the hosting server, like I've done with many websites in the past, and got the error. Then I did some searching in order to understand the error and noticed that the TXT mentioned in the error message is located in the Microsoft account. In other words, the file in the acme-challenge folder is different to the one of the Microsoft. I hope this helps.

2 Likes

Which name(s) are being served via Plesk?
[maybe you can just get a cert with only those names]
Names that should all resolve to the IP of that same server.

2 Likes

The website domiconstruction.gr is currently running the Plesk web control panel on an nginx server (probably Linux, possibly Windows) and is apparently hosted on Hetzner, judging by the IP address. If none of this means anything to you, then you need to get professional support from an IT support company.

Microsoft 365 is probably just your DNS administration (i.e. which names point to which servers) and nothing to do with the website server itself. Since you have set a TXT record in the past, I assume you are using DNS validation instead of http validation and I assume you know why you are doing it that way.

If you want to continue using DNS validation instead of http validation you will need to automate it, so you will possibly need a plugin for whatever acme client you are using to talk to Azure DNS.

4 Likes

Thank you all very much for your replies. I'm not an expert in that matter. I followed an automated procedure through the Plesk panel to get/install the certificate on a new subscription. I just followed the steps and it always worked fine. But all other subscriptions had nothing to do with Microsoft. I did some research on the web, and the TXT file is required by Microsoft. I'm not familiar with how the process with Microsoft involved actually works. It seems that Microsoft handles the DNS settings. When you buy the office 360 you get a Microsoft account where you can log in and then there is a DNS tab where you can add the DNS records, like the settings in a domain name provider or in the DNS settings section in the Plesk panel. I hope this helps. Again, thank you very much. I'll try some of the suggestions and I'll definitely get professional support on that matter. I'll update when the issue is solved, just in case somebody else, with lack of expertise in these matters like me, faces the same issue in the future.

2 Likes

New update: I got professional help. The issue is as follows: The certificate can't be installed because the DNS handling is unorthodox and not compatible. The nameservers have to be set at the domain host and point to the web hosting server and from there, through DNS records, point to Microsoft. I hope this makes sense. I will update as soon as I've implemented the solution.

1 Like

I'd suggest that you/they just use standard http validation instead of DNS validation, that way you don't have to update DNS records. You can still make this DNS method work (you just have to update the correct DNS records) but it's a little more complicated and requires a full understanding of how it's all configured etc.

3 Likes