Error when verifying the TXT record

Hello there!

For several days, the validation of the TXT field has been working at random: sometimes it works and sometimes not. Also, when I run the command below, I can see the TXT field created, but that doesn't mean it works.

My domain is:

illuad.fr

I ran this command:

sudo certbot certonly --dry-run --dns-ovh --dns-ovh-credentials /etc/.ovh.ini --domain illuad.fr --csr /etc/pki/tls/certs/illuad.fr/csr.pem

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-ovh, Installer None
Performing the following challenges:
dns-01 challenge for illuad.fr
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain illuad.fr
dns-01 challenge for illuad.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: illuad.fr
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.illuad.fr - check that a DNS record exists for this domain

My web server is (include version):

httpd -V
Server version: Apache/2.4.37 (centos)

The operating system my web server runs on is (include version):

cat /etc/centos-release
CentOS Linux release 8.3.2011

My hosting provider, if applicable, is:

OVH

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No, (CLI > GUI)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 1.9.0

1 Like

Hi @Amon

If you use DNS validation, this

may be too short. So try 300 or 600 seconds.

1 Like

Hi @JuergenAuer,

Indeed it works by using the flag --dns-ovh-propagation-seconds 150. But what could be the explanation that sometimes it works with 60 (even 30 sometimes!)? Is this necessarily a "problem" on the OVH side?

Thanks!

1 Like

If you have such a result,

that's expected.

Name servers are sometimes slow.

So the propagation time is too low -> random errors.

Use a high enough value -> no problem.

1 Like

Hi,

I have had the same problem since today with the same plugin (domain from OVH).
I read your recommendations and tested with 30, 60, 120 and 300 seconds, but the result is the same.
I have many other domains from OVH and all are signed by certs with this plugin with 30 seconds.
I don't know why it doesn't work today.
I tried to renew all day without success.

Is there any possibility that it is a bug?

1 Like

Yes.

But there is also the possibility that the DNS request is being unanswered because it comes from a distant location and is being handled by remote DNS servers (that have not yet synchronized - or are having problems synchronizing).

Without knowing the domain having the problem there is no way for anyone here to check.

2 Likes

As for me, I gave my domain name above if you want to research this issue.

1 Like

If it works with 60 seconds, there is no problem.

Name server synchronization may need some seconds or some minutes. Not everyone is Google or Cloudflare.

That's not a bug, not a problem. And it's nothing to check from other tools. Because these tools can't create a new or updated entry.

It's an internal propagation problem, not an external connection problem.

1 Like

Sorry, but there are now two people (with a similar problem) on this thread/topic.
[maybe someone can split them apart so this type of confusion stops]
I was referring to the other person, who gave no real information.

Your issue can be checked to a certain extent now.
But would be better checked upon your inserting a new record.
[maybe we can coordinate those actions - through this forum]
I have a test script ready - just let me know when you have made a new TXT record.
[the current response shows all four IPs (two IPv4 and two IPv6) have the same SOA record and no TXT record]

2 Likes
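
The kind of check discussed in this thread, as an added example that is not part of any post here and is not the test script mentioned above: it asks each authoritative name server of the zone directly for its SOA serial and its _acme-challenge TXT value, so a name server that has not synchronized yet shows up by name. It assumes dig is installed; the function names, the script name and the zone/token arguments are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): per-name-server dns-01 propagation check.
# Requires dig. The zone and token in the usage line are placeholders.

# Authoritative name servers of the zone, one per line, trailing dot removed.
list_ns() {
    dig +short NS "$1" | sed 's/\.$//' | sort
}

# SOA serial of the zone as served by one specific name server.
soa_serial() {
    dig +short SOA "$1" "@$2" | awk '{print $3}'
}

# TXT values one name server returns for _acme-challenge.<zone>, quotes stripped.
txt_values() {
    dig +short TXT "_acme-challenge.$1" "@$2" | tr -d '"'
}

# check_propagation <zone> <expected-token>
# Prints one status line per name server. Succeeds only if at least one name
# server was found and every one of them already serves the expected token.
check_propagation() {
    zone="$1"; expected="$2"; seen=0; missing=0
    for ns in $(list_ns "$zone"); do
        seen=$((seen + 1))
        serial=$(soa_serial "$zone" "$ns")
        if txt_values "$zone" "$ns" | grep -Fxq -- "$expected"; then
            state=present
        else
            state=MISSING
            missing=$((missing + 1))
        fi
        printf '%s serial=%s txt=%s\n' "$ns" "${serial:-unknown}" "$state"
    done
    [ "$seen" -gt 0 ] && [ "$missing" -eq 0 ]
}

# wait_for_propagation <zone> <expected-token> [timeout-seconds] [interval-seconds]
# Polls until every name server agrees or the timeout (default 600 s) expires.
wait_for_propagation() {
    deadline=$(( $(date +%s) + ${3:-600} ))
    until check_propagation "$1" "$2"; do
        [ "$(date +%s)" -ge "$deadline" ] && return 1
        sleep "${4:-10}"
    done
}

# Runs only when arguments are given: ./check-dns01.sh example.org <token>
if [ "$#" -ge 2 ]; then wait_for_propagation "$@"; fi
```

Differing SOA serials between name servers in the output point to the internal synchronization delay described in the thread, and an empty name server list is reported as a failure rather than as success.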

You're right, sorry for the confusion in this post.
FYI I found the problem: it seems my client has changed his domain registrar.
Thanks again for your reply and for your job.

2 Likes
