Error issuing/renewing certificates

I am trying to generate wildcard certificates on a Linux (Ubuntu 18.04 LTS) VM. I have been able to generate the certificates in the past. They are coming up for renewal in a couple of days. Following is the command I ran and the output I got:

$ sudo certbot certonly --manual -d *.drcloudemr.com -d drcloudemr.com --agree-tos --email cs.ops@drcloudemr.com --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for *.drcloudemr.com and drcloudemr.com
Performing the following challenges:
dns-01 challenge for drcloudemr.com
dns-01 challenge for drcloudemr.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.drcloudemr.com with the following value:

-KquIRQbLMTZd_-aQXKoa8c9EHnMJtRhuw0hw7YzwkU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.drcloudemr.com with the following value:

k9r-YW2GNVuynAEZB00i1GOGelrmo07HcRTs4dORahM

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain drcloudemr.com
Challenge failed for domain drcloudemr.com
dns-01 challenge for drcloudemr.com
dns-01 challenge for drcloudemr.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  - The following errors were reported by the server:

    Domain: drcloudemr.com
    Type:   unauthorized
    Detail: Incorrect TXT record
    "gER4iVEWxBf938iBgMhNhExGvXdI_OtfJaoAX41u_nw" (and 19 more) found
    at _acme-challenge.drcloudemr.com

    Domain: drcloudemr.com
    Type:   unauthorized
    Detail: Incorrect TXT record
    "fn6xGzNYHRCjf1nGu025RJNYLXTRyil3x553xrj18WE" (and 19 more) found
    at _acme-challenge.drcloudemr.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

I followed the instructions and updated the TXT records on my DNS provider (PowWeb).
When I ran "nslookup -q=txt _acme-challenge.drcloudemr.com", it returned about 20 records. I'm not sure why there are so many entries and which ones are really needed. I don't see those records on my DNS.
I am wondering if the cause for failure is that there are so many entries. If that is indeed the case, is there a way to delete unused/old entries? How can I get around this error and generate/renew certificates? Please advise.

Thanks,
Ram Reddy

3 Likes
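An added example, not from the post above and not certbot or Let's Encrypt code: a small Python model of what the CA does with the value certbot asks you to publish. It derives the TXT value from the challenge token and the account key thumbprint (RFC 8555 section 8.4, RFC 7638), then looks the record up in a constructed zone laid out like this thread (the _acme-challenge name is a CNAME into a provider zone holding twenty old tokens), following CNAMEs as a resolver would, and applies the CA's pass rule: the challenge passes if any record at that name matches, so the old records by themselves do not cause the failure; the new value never arriving at the name the CA reads does. The sample account key, the token and the zone dictionary are constructed; the record names and the twenty stale values are the ones quoted in this thread.

```python
import base64
import copy
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: required members only,
    lexicographically ordered, no whitespace, then SHA-256 and base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT value certbot tells you to publish is
    base64url(SHA-256(token "." thumbprint)); it is never the raw token."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest())


# Constructed zone modelled on the thread: the challenge name is a CNAME into a
# hosting-provider zone that has piled up twenty old tokens, while the provider's
# editor wrote the two records the poster added onto the apex as "name=value".
STALE_TOKENS = """
5_PODV-u76lEniSVPRDutu7ima6noDGrOrLKHTiCXfE qxzbQZuOQMTLmxflwDmtrD1cuPwwG6YDUO7JmYsrN3Q
A2_k9cT1mKmHTL5JLeBi-RIGz4EHwhGYwpdyw41e4tE kObDOVFTJRYoD7J-4TZ-mzz0pXZAMZ-CxxvV6yfH--M
_BM1JJtENUgOh17kJtYb-zOHbjhTCJMExiFR-GeTCVg gER4iVEWxBf938iBgMhNhExGvXdI_OtfJaoAX41u_nw
T9SvTW55eHucywKogCv6cC6oR-IMDlag7StdSERGr0Y KalRVlV3mHL3y-1V8U3XyMMg1C5QvhFdzWUO5lWo1fA
iS7aXgjbLLs6bImsAGgebwajjmy4kNw-MA6171UzA1g xZ_k0CMRRX6G8bnpVR3ScRiDzHJZBuhR6oC5Z5EHl0c
UoMJeMhAKOz2lFnrrmZSM-GG0kceZLRInZTGUOERfws fn6xGzNYHRCjf1nGu025RJNYLXTRyil3x553xrj18WE
_ic0AnYj87HtIKLagnekYJlRIa1FD-eH7fZ-8Pa7ZuE 81fYaP8icWGtU4ZDzWoRru2qvp0g_C73JhjLvYY8OvY
XC8SG-dov2UryfDqURbwvv7BndgctxPTJ1QfCJHafnw 77tCYr0LJ7r2AtcBUGH2MplaM5dTRMhmRlSDBQf-xDY
XBHsJo-pX8PDuhgmjBK6hIdEwtUuRs_6vyCG7Vn9ko8 3KmFBVicwg1pWfQmm_4CNAuZSohxKlCyXDeWaSs6vAo
2mJmFKHoVZZpUTN05b4XYsniyNA3c9sen2hgwHGuCYw 5LpFOnvWwCrUyXtULB2RG-hJDMuzpPbZ55boI3GHtRE
""".split()

ZONE = {
    "drcloudemr.com": {"TXT": [
        "_acme-challenge.drcloudemr.com=BMurhLUHDcR17o0twT6YKUsg8274Iasqw2nU3agnmqU",
        "_acme-challenge.drcloudemr.com=KPzrw_K9l13kQZHbd41wNCMjmIkwekW8I8zEKcs1uWM",
    ]},
    "_acme-challenge.drcloudemr.com": {"CNAME": ["drcloudemr.com.letsencrypt.vdeck.eigdyn.com"]},
    "drcloudemr.com.letsencrypt.vdeck.eigdyn.com": {"TXT": list(STALE_TOKENS)},
}


def lookup_txt(zone: dict, name: str, max_hops: int = 8):
    """Return (name_actually_read, txt_values), following CNAMEs as a validating
    resolver does. The chain is bounded so a looping CNAME cannot hang us."""
    chain = []
    while len(chain) < max_hops:
        if name in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
        rrsets = zone.get(name, {})
        if "CNAME" not in rrsets:
            return name, list(rrsets.get("TXT", []))
        name = rrsets["CNAME"][0]
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


def validate_dns01(zone: dict, domain: str, expected: str) -> dict:
    """The CA's rule: the challenge passes if ANY TXT record at
    _acme-challenge.<domain> (after CNAMEs) equals the expected value, so old
    records next to it are harmless. Otherwise report what was found, in the
    shape of the 'Incorrect TXT record' error quoted in the thread."""
    challenge_name = f"_acme-challenge.{domain}"
    read_at, records = lookup_txt(zone, challenge_name)
    if expected in records:
        return {"status": "valid", "read_at": read_at, "records_seen": len(records)}
    if records:
        more = f" (and {len(records) - 1} more)" if len(records) > 1 else ""
        detail = f'Incorrect TXT record "{records[0]}"{more} found at {challenge_name}'
    else:
        detail = f"No TXT record found at {challenge_name}"
    return {"status": "unauthorized", "read_at": read_at, "detail": detail}


def demo():
    # Constructed sample account key and token (not real ACME data).
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                   "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    expected = dns01_txt_value("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", jwk_thumbprint(account_jwk))
    # 1) New value never reached the name the CA reads: fails although 20 records exist.
    before = validate_dns01(ZONE, "drcloudemr.com", expected)
    # 2) Same zone with the new value added at the delegated name: passes despite the clutter.
    fixed = copy.deepcopy(ZONE)
    fixed["drcloudemr.com.letsencrypt.vdeck.eigdyn.com"]["TXT"].append(expected)
    after = validate_dns01(fixed, "drcloudemr.com", expected)
    return expected, before, after


if __name__ == "__main__":
    value, before, after = demo()
    print("publish:", value)
    print("before:", before)
    print("after: ", after)
```

The dictionary stands in for DNS answers; against a live zone the same comparison should be made against each authoritative nameserver's answer rather than a recursive resolver, whose cache can still hold the pre-change record set for a while after the provider's editor reports success.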

Welcome to the Let's Encrypt Community, Ram 🙂

TXT records for dns-01 challenges can always be deleted once the challenges have been completed. There is no purpose in keeping them around.

Delete them then try this command instead:

sudo certbot certonly --cert-name drcloudemr.com --manual --preferred-challenges dns -d "drcloudemr.com,*.drcloudemr.com" --keep

2 Likes

Thanks, Griffin!

Regards,
Ram

3 Likes

You're quite welcome. 🙂 See my (expanded) previous post, please.

2 Likes

I guess the instructions lack the...
You can now delete the requested TXT records.
[at the end of each manual run]

2 Likes

Although it seems Let's Encrypt eventually can see the TXT records, it might take some time for the latest to propagate to all DNS servers. You might want to wait some more time between adding the TXT record and continuing in certbot.

2 Likes

Should that be included in the guide or within the directions about deploying the text records?

1 Like

Thank you all for the quick replies. I'm looking to delete the existing TXT records on my DNS provider. My DNS provider has only 2 TXT records for _acme-challenge.drcloudemr.com:

_acme-challenge.drcloudemr.com=BMurhLUHDcR17o0twT6YKUsg8274Iasqw2nU3agnmqU
_acme-challenge.drcloudemr.com=KPzrw_K9l13kQZHbd41wNCMjmIkwekW8I8zEKcs1uWM

(These 2 are from the certificates I generated successfully a couple of months ago.)

But, when I run: nslookup -q=txt _acme-challenge.drcloudemr.com
I see all the following entries (which are not on my DNS provider):

Non-authoritative answer:
_acme-challenge.drcloudemr.com  canonical name = drcloudemr.com.letsencrypt.vdeck.eigdyn.com
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "5_PODV-u76lEniSVPRDutu7ima6noDGrOrLKHTiCXfE"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "qxzbQZuOQMTLmxflwDmtrD1cuPwwG6YDUO7JmYsrN3Q"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "A2_k9cT1mKmHTL5JLeBi-RIGz4EHwhGYwpdyw41e4tE"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "kObDOVFTJRYoD7J-4TZ-mzz0pXZAMZ-CxxvV6yfH--M"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "_BM1JJtENUgOh17kJtYb-zOHbjhTCJMExiFR-GeTCVg"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "gER4iVEWxBf938iBgMhNhExGvXdI_OtfJaoAX41u_nw"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "T9SvTW55eHucywKogCv6cC6oR-IMDlag7StdSERGr0Y"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "KalRVlV3mHL3y-1V8U3XyMMg1C5QvhFdzWUO5lWo1fA"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "iS7aXgjbLLs6bImsAGgebwajjmy4kNw-MA6171UzA1g"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "xZ_k0CMRRX6G8bnpVR3ScRiDzHJZBuhR6oC5Z5EHl0c"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "UoMJeMhAKOz2lFnrrmZSM-GG0kceZLRInZTGUOERfws"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "fn6xGzNYHRCjf1nGu025RJNYLXTRyil3x553xrj18WE"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "_ic0AnYj87HtIKLagnekYJlRIa1FD-eH7fZ-8Pa7ZuE"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "81fYaP8icWGtU4ZDzWoRru2qvp0g_C73JhjLvYY8OvY"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "XC8SG-dov2UryfDqURbwvv7BndgctxPTJ1QfCJHafnw"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "77tCYr0LJ7r2AtcBUGH2MplaM5dTRMhmRlSDBQf-xDY"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "XBHsJo-pX8PDuhgmjBK6hIdEwtUuRs_6vyCG7Vn9ko8"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "3KmFBVicwg1pWfQmm_4CNAuZSohxKlCyXDeWaSs6vAo"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "2mJmFKHoVZZpUTN05b4XYsniyNA3c9sen2hgwHGuCYw"
drcloudemr.com.letsencrypt.vdeck.eigdyn.com  text = "5LpFOnvWwCrUyXtULB2RG-hJDMuzpPbZ55boI3GHtRE"

It seems like until the above TXT records get deleted, I won't be able to generate the certificates again. Since I don't see these TXT records on my DNS provider, I can't delete them from there. Is there a way to get these TXT records deleted?

Thanks,
Ram

2 Likes

I'm still trying to figure out how that is happening...
I found this along the way:

nslookup -q=txt drcloudemr.com
RETURNS:
drcloudemr.com  text = "_acme-challenge.drcloudemr.com=BMurhLUHDcR17o0twT6YKUsg8274Iasqw2nU3agnmqU"
drcloudemr.com  text = "_acme-challenge.drcloudemr.com=KPzrw_K9l13kQZHbd41wNCMjmIkwekW8I8zEKcs1uWM"
2 Likes

And here is the WHY:

nslookup -q=txt _acme-challenge.drcloudemr.com
_acme-challenge.drcloudemr.com  canonical name = drcloudemr.com.letsencrypt.vdeck.eigdyn.com

The MANY entries are actually at:
nslookup -q=txt drcloudemr.com.letsencrypt.vdeck.eigdyn.com

2 Likes

Correct. There are too many entries there. Every time I try to generate certificates, it fails with one of those entries. Example:

Domain: drcloudemr.com
Type: unauthorized
Detail: Incorrect TXT record
"fn6xGzNYHRCjf1nGu025RJNYLXTRyil3x553xrj18WE" (and 19 more) found
at _acme-challenge.drcloudemr.com

Seems like I need to delete those entries and am not sure how to do that.

Thanks

2 Likes

Where do you add the TXT records then? Because if I understand you correctly now, if you add a TXT record, you get some kind of "Success" message in your DNS zone editor, but it doesn't appear in your DNS zone?

Who added the CNAME for the _acme-challenge subdomain? Do you see that entry?

The CNAME delegates to a zone managed by "ns1.yourhostingaccount.com." Does "yourhostingaccount" mean anything to you?

2 Likes

The first two entries are completely useless and should be deleted.
The entries contain all that is between the quotes.
[which included the name of the destination entry itself and an equal sign]
And they are not even located where LE would be looking.

The second set is CNAMEd (redirected) and does contain valid entries (although they have all probably expired and should be deleted).

LE goes looking for the entries here:
_acme-challenge.drcloudemr.com
That location says [we moved] you can now find us here:
drcloudemr.com.letsencrypt.vdeck.eigdyn.com
That location isn't being updated properly and contains many old/stale records.

You need to understand how the DNS TXT challenge works and how your DNS is setup to deal with it.
If that setup doesn't work, you may need to change it to one that does.

2 Likes
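An added example, not part of this thread, that turns the diagnosis above into a check you can run over a zone's records: given the names as a dictionary, it follows the CNAME chain from _acme-challenge.<domain> to the name the CA actually reads, flags apex TXT records whose value begins with the challenge name (the "name=value" mistake seen in the first nslookup), lists tokens at the CNAME target that are not part of the current order, and says which current values are missing there. The `audit_dns01` function and its zone dictionaries are mine and hypothetical; the names and values in the constructed data are the ones quoted in the thread, and the "fixed" zone is the layout with the CNAME removed and the current values published directly under the domain.

```python
import re

# Shape of a DNS-01 value: base64url of a SHA-256 digest, always 43 characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def cname_chain(zone: dict, name: str, max_hops: int = 8) -> list:
    """Names visited from `name` until one that is not a CNAME; the last entry
    is the name a CA's resolver will actually read TXT records from."""
    chain = [name]
    while "CNAME" in zone.get(name, {}):
        name = zone[name]["CNAME"][0]
        if name in chain or len(chain) >= max_hops:
            raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain + [name]))
        chain.append(name)
    return chain


def audit_dns01(zone: dict, domain: str, wanted=frozenset()) -> dict:
    """Hypothetical audit: where will the CA look for _acme-challenge.<domain>,
    and which of the two mistakes from the thread are present in `zone`?"""
    challenge_name = f"_acme-challenge.{domain}"
    chain = cname_chain(zone, challenge_name)
    read_at = chain[-1]

    # Mistake 1: 'name=value' pasted into the value field of a TXT record on the apex.
    misplaced = [v for v in zone.get(domain, {}).get("TXT", [])
                 if v.startswith(challenge_name + "=")]

    # Mistake 2: old tokens left where the CA reads, and the current ones not there.
    live = zone.get(read_at, {}).get("TXT", [])
    stale = [v for v in live if TOKEN_RE.match(v) and v not in wanted]
    missing = sorted(v for v in wanted if v not in live)

    advice = []
    if misplaced:
        advice.append(f"{len(misplaced)} TXT record(s) on {domain} carry the challenge name inside "
                      f"the value; the CA never reads them. Create the record with NAME {challenge_name}.")
    if read_at != challenge_name:
        advice.append(f"{challenge_name} is a CNAME to {read_at}; the CA reads TXT there, not in your zone.")
    if missing:
        advice.append(f"{len(missing)} current value(s) are not present at {read_at}; validation will fail.")
    if stale:
        advice.append(f"{len(stale)} old token(s) remain at {read_at}; delete them, or remove the CNAME "
                      f"if you cannot edit that zone.")
    return {"challenge_name": challenge_name, "chain": chain, "read_at": read_at,
            "misplaced": misplaced, "stale": stale, "missing": missing, "advice": advice}


# Constructed data using the names and values quoted in the thread.
WANTED = {"-KquIRQbLMTZd_-aQXKoa8c9EHnMJtRhuw0hw7YzwkU",   # the two values certbot asked for
          "k9r-YW2GNVuynAEZB00i1GOGelrmo07HcRTs4dORahM"}
TARGET = "drcloudemr.com.letsencrypt.vdeck.eigdyn.com"
BROKEN_ZONE = {
    "drcloudemr.com": {"TXT": [
        "_acme-challenge.drcloudemr.com=BMurhLUHDcR17o0twT6YKUsg8274Iasqw2nU3agnmqU",
        "_acme-challenge.drcloudemr.com=KPzrw_K9l13kQZHbd41wNCMjmIkwekW8I8zEKcs1uWM"]},
    "_acme-challenge.drcloudemr.com": {"CNAME": [TARGET]},
    TARGET: {"TXT": ["5_PODV-u76lEniSVPRDutu7ima6noDGrOrLKHTiCXfE",
                     "gER4iVEWxBf938iBgMhNhExGvXdI_OtfJaoAX41u_nw",
                     "fn6xGzNYHRCjf1nGu025RJNYLXTRyil3x553xrj18WE"]},
}
# CNAME removed and the current values published directly in the domain's own zone.
FIXED_ZONE = {"_acme-challenge.drcloudemr.com": {"TXT": sorted(WANTED)}}


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        report = audit_dns01(zone, "drcloudemr.com", WANTED)
        print(label, "->", " -> ".join(report["chain"]))
        for line in report["advice"] or ["no problems found"]:
            print("  *", line)
```

The `wanted` set is whatever certbot printed for the current run; everything else at the target that looks like a token is clutter, and anything the provider wrote under the apex with the challenge name in the value is simply in the wrong place.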

The "EIG" in:
drcloudemr.com.letsencrypt.vdeck.eigdyn.com
Probably refers to the parent company of brands like: HostGator

2 Likes

Thanks.

Is there a way to delete entries from drcloudemr.com.letsencrypt.vdeck.eigdyn.com ?

Thanks

2 Likes

There should be.
But you would have to have some level of control over that domain to make any changes.
OR
Just stop using it.
[remove the CNAME in your domain that points to it]

2 Likes