Expired wildcard renew TXT record issue


I think my TXT record is public right? No need to hide it, anyhow it all check outs, there isn't a discrepancy that I can see in the txt record and what I'm expecting. I'm doing the renewal on a wildcard cert that is expired, manually...

I believe the TXT record is public, but wasn't sure so I replaced it here with [TXTRECORD] fyi

My domain is: bcae.us

I ran this command:
sudo certbot renew --manual --manual-auth-hook /home/chris/Documents/set_env.sh

(in that set_env.sh I have my TXT record that I export for the function to use, it looks good)

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bcae.us.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
*Renewing an existing certificate for .bcae.us

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

  • Domain: bcae.us*
  • Type: unauthorized*
  • Detail: Incorrect TXT record "[TXTRECORD]" found at _acme-challenge.bcae.us*

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

For each renewal/issuance, the TXT record must be changed to match the current request.

You are using

So, you should be presented with the new TXT record(s) and you should confirm they are fully synchronized before pressing ENTER to continue.

Did you update the TXT record(s) as directed?
If so, did you ensure your authoritative DNS servers had that update?


It is. And, a good site to use to check whether your authoritative servers have sync'd with the new TXT value is below. Is that the value you set from the most recent cert request?

  1. I wasn't directed.
  2. no, since there was none given, the original remains on the DNS

Also Interesting...

I was wondering how it knows what my TXT record is. CERTBOT did not issue me a new TXT record. The TXT record that exists on my DNS is the same from when it was created ( I do remember getting a TXT record at point of creation etc..).

I'm trying understand what you're saying with quoting my "--manual"? You said, "the TXT record must be changed to match the current request. You are using" then my manual parameter there. Can you elaborate on that point please?

Please see the Certbot documentation about validation hooks: User Guide — Certbot 2.6.0 documentation

You should use the environment variable(s) provided by Certbot to the validation script(s) in those script(s). Your script(s) should NOT have a hardcoded TXT RR as that won't work as mentioned by Rudy above.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.