Error when verifying the TXT record

Hello there!

For several days, validation of the TXT field has randomly been working and sometimes not. Also, when I run the command below, I can see the TXT field created, but that doesn't mean it works.

My domain is:

illuad.fr

I ran this command:

sudo certbot certonly --dry-run --dns-ovh --dns-ovh-credentials /etc/.ovh.ini --domain illuad.fr --csr /etc/pki/tls/certs/illuad.fr/csr.pem

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-ovh, Installer None
Performing the following challenges:
dns-01 challenge for illuad.fr
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain illuad.fr
dns-01 challenge for illuad.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: illuad.fr
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.illuad.fr - check that a DNS record exists for this domain

My web server is (include version):

httpd -V
Server version: Apache/2.4.37 (centos)

The operating system my web server runs on is (include version):

cat /etc/centos-release
CentOS Linux release 8.3.2011

My hosting provider, if applicable, is:

OVH

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No, (CLI > GUI)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 1.9.0

Hi @Amon

if you use dns validation, this

may be too short. So try 300 or 600 seconds.

Hi @JuergenAuer,

Indeed it works by using the flag --dns-ovh-propagation-seconds 150. But what could be the explanation that sometimes it works with 60 (even 30 sometimes!). Is this necessarily a "problem" on the OVH side?

Thanks!

If you have such a result,

that's expected.

Name servers are sometimes slow.

So the propagation time is too low -> random errors.

Use a high enough value -> no problem.

Hi,

I have the same problem since today with the same plugin (domain from OVH).
I read your recommendations and tested with 30, 60, 120, 300 seconds but the result is the same.
I have many other domains from OVH and all are signed by certs with this plugin with 30 seconds.
I don't know why it doesn't work today.
I tried to renew all day without success.

Is there any possibility that it's a bug?

Yes.

But there is also the possibility that the DNS request is being unanswered because it comes from a distant location and is being handled by remote DNS servers (that have not yet synchronized - or are having problems synchronizing).

Without knowing the domain having the problem there is no way for anyone here to check.

About me, I gave my domain name above if you want to research about this issue.

If it works with 60 seconds, there is no problem.

Name server synchronization may need some seconds or some minutes. Not everyone is Google or Cloudflare.

That's not a bug, not a problem. And it's nothing to check from other tools. Because these tools can't create a new or updated entry.

It's an internal propagation problem, not an external connection problem.

Sorry, but there are now two people (with a similar problem) on this thread/topic.
[maybe someone can split them apart so this type of confusion stops]
I was referring to the other person, who gave no real information.

Your issue can be checked to a certain extent now.
But would be better checked upon your inserting a new record.
[maybe we can coordinate those actions - through this forum]
I have a test script ready - just let me know when you have made a new TXT record.
[the current response shows all four IPs (two IPv4 and two IPv6) have the same SOA record and no TXT record]
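
The replies above describe authoritative name servers that have not yet synchronized, compared by their SOA record and TXT answer. The Python below is an added example of that per-server check, not the test script mentioned in the thread and not any participant's code. The zone, name servers and token value are constructed, and `dig` is assumed to be installed for live lookups.

```python
import subprocess

def dig(rtype, name, server=None):
    """Query one server directly with dig (system resolver if server is None)."""
    cmd = ["dig", "+short", rtype, name] + (["+norecurse", "@" + server] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=20).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]

def propagation_report(zone, expected_txt, lookup=dig):
    """Map each authoritative server to (SOA serial, serves expected TXT?)."""
    report = {}
    for ns in lookup("NS", zone):
        ns = ns.rstrip(".")
        soa = lookup("SOA", zone, ns)
        serial = int(soa[0].split()[2]) if soa else None  # third SOA field is the serial
        txt = lookup("TXT", "_acme-challenge." + zone, ns)
        report[ns] = (serial, expected_txt in txt)
    return report

def is_propagated(report):
    """True only when every server answered, serials match and all serve the TXT."""
    serials = {serial for serial, _ in report.values()}
    return (bool(report) and None not in serials and len(serials) == 1
            and all(has_txt for _, has_txt in report.values()))

# Constructed sample answers (not real data): ns2 still serves the old zone.
SOA_NEW = "ns1.example.net. hostmaster.example.net. 2021020502 86400 3600 3600000 300"
SOA_OLD = "ns1.example.net. hostmaster.example.net. 2021020501 86400 3600 3600000 300"
SAMPLE = {
    ("NS", "example.org", None): ["ns1.example.net.", "ns2.example.net."],
    ("SOA", "example.org", "ns1.example.net"): [SOA_NEW],
    ("TXT", "_acme-challenge.example.org", "ns1.example.net"): ["constructed-token-value"],
    ("SOA", "example.org", "ns2.example.net"): [SOA_OLD],
    ("TXT", "_acme-challenge.example.org", "ns2.example.net"): [],
}

def sample_lookup(rtype, name, server=None):
    """Stand-in for dig() that answers from the constructed SAMPLE table."""
    return SAMPLE.get((rtype, name, server), [])

if __name__ == "__main__":
    rep = propagation_report("example.org", "constructed-token-value", sample_lookup)
    for ns, (serial, has_txt) in rep.items():
        print(ns, serial, "TXT ok" if has_txt else "TXT missing")
    print("propagated:", is_propagated(rep))
```

Calling `propagation_report` without the `lookup` argument uses `dig` against the zone's real name servers. A lagging server shows up as an older serial with the TXT record missing.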

You're right, sorry for the confusion in this post.
FYI I found the problem: it seems my client has changed his domain registrar.
Thanks again for your reply and for your job.