Failed authorization procedure: No TXT record found at _acme-challenge

Hello,

I am trying to renew a wildcard certificate for my domain using the DNS challenge. It is failing with a "No TXT record found at _acme-challenge.menke.pl" message, although the record exists during the renewal attempt, e.g.:

dig txt @menke.pl _acme-challenge.menke.pl

; <<>> DiG 9.16.6-Debian <<>> txt @menke.pl _acme-challenge.menke.pl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27922
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d6af5177baa0f9cf272b90fd5f98811a03dd3de9e52e8611 (good)
;; QUESTION SECTION:
;_acme-challenge.menke.pl.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.menke.pl. 120	IN	TXT	"M6f_X1xDKl3rNaQ8qsnf_VI04Mey3Arw4U9QXaB9UJs"

;; AUTHORITY SECTION:
_acme-challenge.menke.pl. 1	IN	NS	fns1.42.pl.
_acme-challenge.menke.pl. 1	IN	NS	menke.pl.

;; ADDITIONAL SECTION:
fns1.42.pl.		82359	IN	A	79.98.145.34
menke.pl.		86400	IN	A	83.13.234.90

;; Query time: 32 msec
;; SERVER: 83.13.234.90#53(83.13.234.90)
;; WHEN: wto paź 27 21:20:42 CET 2020
;; MSG SIZE  rcvd: 205



dig txt @fns1.42.pl _acme-challenge.menke.pl

; <<>> DiG 9.16.6-Debian <<>> txt @fns1.42.pl _acme-challenge.menke.pl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43587
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.menke.pl.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.menke.pl. 120	IN	TXT	"M6f_X1xDKl3rNaQ8qsnf_VI04Mey3Arw4U9QXaB9UJs"

;; AUTHORITY SECTION:
_acme-challenge.menke.pl. 1	IN	NS	menke.pl.
_acme-challenge.menke.pl. 1	IN	NS	fns1.42.pl.

;; ADDITIONAL SECTION:
fns1.42.pl.		86400	IN	A	79.98.145.34
menke.pl.		86400	IN	A	83.13.234.90

;; Query time: 20 msec
;; SERVER: 79.98.145.34#53(79.98.145.34)
;; WHEN: wto paź 27 21:20:46 CET 2020
;; MSG SIZE  rcvd: 177

My domain is:
menke.pl
I ran this command:
certbot certonly --dry-run --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/certbot.ini --dns-rfc2136-propagation-seconds 180 --server https://acme-v02.api.letsencrypt.org/directory -d menke.pl,*.menke.pl
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for menke.pl
Waiting 180 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. menke.pl (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.menke.pl

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: menke.pl
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.menke.pl

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
N/A
The operating system my web server runs on is (include version):
N/A
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

The log says:

2020-10-27 21:20:21,741:DEBUG:certbot.main:certbot version: 0.31.0
2020-10-27 21:20:21,742:DEBUG:certbot.main:Arguments: ['--dry-run', '--dns-rfc2136', '--dns-rfc2136-credentials', '/etc/letsencrypt/certbot.ini', '--dns-rfc2136-propagation-seconds', '180', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '-d', 'menke.pl,*.menke.pl']
2020-10-27 21:20:21,744:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-rfc2136,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-10-27 21:20:21,761:DEBUG:certbot.log:Root logging level set at 20
2020-10-27 21:20:21,763:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-10-27 21:20:21,765:DEBUG:certbot.plugins.selection:Requested authenticator dns-rfc2136 and installer None
2020-10-27 21:20:21,766:DEBUG:certbot.plugins.selection:Single candidate plugin: * dns-rfc2136
Description: Obtain certificates using a DNS TXT record (if you are using BIND for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-rfc2136 = certbot_dns_rfc2136.dns_rfc2136:Authenticator
Initialized: <certbot_dns_rfc2136.dns_rfc2136.Authenticator object at 0x7f7df6cb9a58>
Prep: True
2020-10-27 21:20:21,767:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_dns_rfc2136.dns_rfc2136.Authenticator object at 0x7f7df6cb9a58> and installer None
2020-10-27 21:20:21,768:INFO:certbot.plugins.selection:Plugins selected: Authenticator dns-rfc2136, Installer None
2020-10-27 21:20:21,774:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service=None, new_authzr_uri=None, uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/16326180', body=Registration(key=None, contact=(), status=None, only_return_existing=None, external_account_binding=None, agreement=None, terms_of_service_agreed=None)), 037e7a29398c0d1c0d1e6477a4acdbfc, Meta(creation_dt=datetime.datetime(2020, 10, 27, 15, 50, 21, tzinfo=<UTC>), creation_host='ssh.menke.pl'))>
2020-10-27 21:20:21,777:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2020-10-27 21:20:21,784:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2020-10-27 21:20:22,613:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2020-10-27 21:20:22,615:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 27 Oct 2020 20:20:22 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "JVgS40a9dmk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-10-27 21:20:22,637:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2020-11-02 18:57:05 UTC.
2020-10-27 21:20:22,638:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2020-10-27 21:20:22,638:INFO:certbot.main:Renewing an existing certificate
2020-10-27 21:20:22,867:DEBUG:acme.client:Requesting fresh nonce
2020-10-27 21:20:22,868:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2020-10-27 21:20:23,059:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-10-27 21:20:23,060:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 27 Oct 2020 20:20:22 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004saVEByr7RQkRiu4dKkBm1VzMn-FBT5LS-7WARJiE4MA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2020-10-27 21:20:23,060:DEBUG:acme.client:Storing nonce: 0004saVEByr7RQkRiu4dKkBm1VzMn-FBT5LS-7WARJiE4MA
2020-10-27 21:20:23,061:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "value": "menke.pl",\n      "type": "dns"\n    },\n    {\n      "value": "*.menke.pl",\n      "type": "dns"\n    }\n  ]\n}'
2020-10-27 21:20:23,067:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInZhbHVlIjogIm1lbmtlLnBsIiwKICAgICAgInR5cGUiOiAiZG5zIgogICAgfSwKICAgIHsKICAgICAgInZhbHVlIjogIioubWVua2UucGwiLAogICAgICAidHlwZSI6ICJkbnMiCiAgICB9CiAgXQp9",
  "protected": "eyJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE2MzI2MTgwIiwgIm5vbmNlIjogIjAwMDRzYVZFQnlyN1JRa1JpdTRkS2tCbTFWek1uLUZCVDVMUy03V0FSSmlFNE1BIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJhbGciOiAiUlMyNTYifQ",
  "signature": "oxYrym_ONENxFCzi6e1RfZebFbm4WxUzYvqOrEWavYquG_1eh3VWDTrQf13JgeClsY-36sdBaz6Bg0nTbyVUShYLOAFkWx4QQwWbQE9y_rsth0SJ48vv0nDt6ViItNCvHVi-qPTaAghjkPVMjT7E64bkizpRWfRPymNDgfl12UY8PDl-Bt_LZALhYTclnjweCTo-dnilSgvEEq3F0z8UrerveHboDTfcvF9y2tZW3svA96-nVj1IaehcQzA3jFspVc_Q74k3eBf12DBU4n9apaA5xC9euIAOP3VC40FIiMYadUcMS6T0Krj4VWAoXSR9roGn1xptUj10E1wj-tMkYw"
}
2020-10-27 21:20:23,301:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 490
2020-10-27 21:20:23,302:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 27 Oct 2020 20:20:23 GMT
Content-Type: application/json
Content-Length: 490
Connection: keep-alive
Boulder-Requester: 16326180
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/16326180/173540547
Replay-Nonce: 0003uiyE_BPSBpW_HI7qkbdU7UI_31ZriKZNzg2ImgC37Ks
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-11-03T20:20:23.194790691Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.menke.pl"
    },
    {
      "type": "dns",
      "value": "menke.pl"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/141250003",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/141367042"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/16326180/173540547"
}
2020-10-27 21:20:23,302:DEBUG:acme.client:Storing nonce: 0003uiyE_BPSBpW_HI7qkbdU7UI_31ZriKZNzg2ImgC37Ks
2020-10-27 21:20:23,303:DEBUG:acme.client:JWS payload:
b''
2020-10-27 21:20:23,307:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/141250003:
{
  "payload": "",
  "protected": "eyJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE2MzI2MTgwIiwgIm5vbmNlIjogIjAwMDN1aXlFX0JQU0JwV19ISTdxa2JkVTdVSV8zMVpyaUtaTnpnMkltZ0MzN0tzIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE0MTI1MDAwMyIsICJhbGciOiAiUlMyNTYifQ",
  "signature": "ignOK2dP0Zjo1i2kTpUrYJQObHbJDAY-mGZxCJ3zEP9i_RrX1820CBWG7BqSgTRIru_qqQ_g_-aw_oVs5MN4MPw3xU7odVE1dnou-EhaOKnTdu48UnHP_z_5jCqDp4rbxIzSY1Gslm6X-4j8nfC-r6K85kAEjMhlZThdrtKKLpE01O9XfzmXhYtT-uk_LWClW31a9fZybVOxDD5A9kaXkJYPsKEctexooUpwo0lYzkUTU7-mRlZ7Reo7aokzi2XjSl1bSSWGpSyssbAsktdoY0R5VoYGeq6bd3faC983VZqVExn0Jo2eLyGRVtnR959-99n3cx9K-dAdN7zf_8rNbg"
}
2020-10-27 21:20:23,508:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/141250003 HTTP/1.1" 200 473
2020-10-27 21:20:23,509:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 27 Oct 2020 20:20:23 GMT
Content-Type: application/json
Content-Length: 473
Connection: keep-alive
Boulder-Requester: 16326180
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003sBCTgEtoX-tsGRFXcRVAhybSiJC7RihzixwI5d4GOFs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "menke.pl"
  },
  "status": "valid",
  "expires": "2020-11-26T16:16:08Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/141250003/le0_Bw",
      "token": "QX1S6v_zHdVmtV8idjc-ShvVn9hYt8OCu-7ZZYaRlY0",
      "validationRecord": [
        {
          "hostname": "menke.pl"
        }
      ]
    }
  ],
  "wildcard": true
}
2020-10-27 21:20:23,509:DEBUG:acme.client:Storing nonce: 0003sBCTgEtoX-tsGRFXcRVAhybSiJC7RihzixwI5d4GOFs
2020-10-27 21:20:23,510:DEBUG:acme.client:JWS payload:
b''
2020-10-27 21:20:23,514:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/141367042:
{
  "payload": "",
  "protected": "eyJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE2MzI2MTgwIiwgIm5vbmNlIjogIjAwMDNzQkNUZ0V0b1gtdHNHUkZYY1JWQWh5YlNpSkM3Umloeml4d0k1ZDRHT0ZzIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE0MTM2NzA0MiIsICJhbGciOiAiUlMyNTYifQ",
  "signature": "qkhCkEAds8CcRfXjXyzdNUMnoaKhF8m4ath95kUc94_T6CTpmX4WqhxUU78WfE77dfwN1cW9ARfEmuBTLd8ttdi6pScFJf-rBW8ddd2DECUpB8X-aNIXNf14_JKAnv0PJx7tlt2fTllE2cafUElkFuI2WvcYD7zIqV3Vdq4ytJdTFC91o9JR9FbEZhCqYwedhFqkbXt0aTnAPFvYa7EnAWBgDLpmZSpnJmWhyhwM9A_fKQhW-SO7P9LAkVC56dndgl-3uSXIrs7heNx1w8o8qJD5Yh1XzXRQ6IfwVCQsQpNkH1xo5YM5HpheCK8qdgXLNLb1C0esb1gMWTA7QUZj5A"
}
2020-10-27 21:20:23,715:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/141367042 HTTP/1.1" 200 807
2020-10-27 21:20:23,717:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 27 Oct 2020 20:20:23 GMT
Content-Type: application/json
Content-Length: 807
Connection: keep-alive
Boulder-Requester: 16326180
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003yQQ0SBQjRPLw594w0KYPOEyBpGN3iBYyK21MlI6R0k4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "menke.pl"
  },
  "status": "pending",
  "expires": "2020-11-03T20:20:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/141367042/PIGkxQ",
      "token": "h3c6cuL98CsIyHVZrgZk3msxB1VpPC3H8m8xXCV7D_k"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/141367042/1_tfJA",
      "token": "h3c6cuL98CsIyHVZrgZk3msxB1VpPC3H8m8xXCV7D_k"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/141367042/vafHJg",
      "token": "h3c6cuL98CsIyHVZrgZk3msxB1VpPC3H8m8xXCV7D_k"
    }
  ]
}
2020-10-27 21:20:23,717:DEBUG:acme.client:Storing nonce: 0003yQQ0SBQjRPLw594w0KYPOEyBpGN3iBYyK21MlI6R0k4
2020-10-27 21:20:23,718:INFO:certbot.auth_handler:Performing the following challenges:
2020-10-27 21:20:23,719:INFO:certbot.auth_handler:dns-01 challenge for menke.pl
2020-10-27 21:20:23,730:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for _acme-challenge.menke.pl
2020-10-27 21:20:23,737:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Successfully added TXT record
2020-10-27 21:20:23,739:INFO:certbot.plugins.dns_common:Waiting 180 seconds for DNS changes to propagate
2020-10-27 21:23:23,840:INFO:certbot.auth_handler:Waiting for verification...
2020-10-27 21:23:23,841:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "dns-01"\n}'
2020-10-27 21:23:23,845:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/141367042/1_tfJA:
{
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImRucy0wMSIKfQ",
  "protected": "eyJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE2MzI2MTgwIiwgIm5vbmNlIjogIjAwMDN5UVEwU0JRalJQTHc1OTR3MEtZUE9FeUJwR04zaUJZeUsyMU1sSTZSMGs0IiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzE0MTM2NzA0Mi8xX3RmSkEiLCAiYWxnIjogIlJTMjU2In0",
  "signature": "k3adQUWTfh8AHrsyh2aFmo2d-XVGUj3uYNFV4W3A7NB_92Vb_c0e8iFoNipSt8esB9SyDHkg8nu1wSlIFO829Fb3pJKj7AoRk0yThu3h6jFE_-x8RfPA-aRYULeW0f4TocjmZNManyTpMkNdRszEBqtXWLP1IaXuE2nWN-3FnMvaf5PdlxB10hlKmV7OEqHYT4XlOGZzTrrYQ_Ao2pBIOxXUPU7un5gzZHYeA_bklOtkzkLb9wJocqAVSNeXRy3UGy5Eu39B1j71BG4_a7hGn2tNxGldqYj8JE5jvI6nzD3ie6-sM8ZKeDp44KjTYiqWpFqD5N2E4T0q1bJpV98egQ"
}
2020-10-27 21:23:24,051:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/141367042/1_tfJA HTTP/1.1" 200 191
2020-10-27 21:23:24,052:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 27 Oct 2020 20:23:23 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 16326180
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/141367042>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/141367042/1_tfJA
Replay-Nonce: 0003KExcvCmTPXftPpJq7_1R77lpe0-y4FW1_NseS6-SlY4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/141367042/1_tfJA",
  "token": "h3c6cuL98CsIyHVZrgZk3msxB1VpPC3H8m8xXCV7D_k"
}
2020-10-27 21:23:24,053:DEBUG:acme.client:Storing nonce: 0003KExcvCmTPXftPpJq7_1R77lpe0-y4FW1_NseS6-SlY4
2020-10-27 21:23:27,056:DEBUG:acme.client:JWS payload:
b''
2020-10-27 21:23:27,060:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/141367042:
{
  "payload": "",
  "protected": "eyJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE2MzI2MTgwIiwgIm5vbmNlIjogIjAwMDNLRXhjdkNtVFBYZnRQcEpxN18xUjc3bHBlMC15NEZXMV9Oc2VTNi1TbFk0IiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE0MTM2NzA0MiIsICJhbGciOiAiUlMyNTYifQ",
  "signature": "J9niO1NZq1ebR3-MImUkUmX4DzQNqJ5aJl6yesPEh4tud1S1D0dm_5C51C5f3NYsOLCFmM-iVn6J1L7TdpiHNTnZXDlttANuZXBtvfvpFl9jysaR9D8XIp95UrAwPKZmC-KSqUYdgFGxprAoRHaZp-ICL7Xb8Oc-h_6qUo8FGJg2YW4NGhg1pgw3g_SdP8LgEZOR4gUlJeUbdXvLzVvizAoMZAJl4atDCEakMdpvbbIbcvX94WaHiQ55NClSni-mNPZIQwooX2tQxXWoIcR07L4iw52vIr2iSeES4sEuwTZkhV27nYF90emWhPzjELfPnNZm7JqCV_FM10y2Q_XI8g"
}
2020-10-27 21:23:27,257:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/141367042 HTTP/1.1" 200 543
2020-10-27 21:23:27,259:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 27 Oct 2020 20:23:27 GMT
Content-Type: application/json
Content-Length: 543
Connection: keep-alive
Boulder-Requester: 16326180
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004hgNqVVwy9lP2kLUxxFfaR9UHdCLq0yDU9K_BsiruCIk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "menke.pl"
  },
  "status": "invalid",
  "expires": "2020-11-03T20:20:23Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "No TXT record found at _acme-challenge.menke.pl",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/141367042/1_tfJA",
      "token": "h3c6cuL98CsIyHVZrgZk3msxB1VpPC3H8m8xXCV7D_k"
    }
  ]
}
2020-10-27 21:23:27,259:DEBUG:acme.client:Storing nonce: 0004hgNqVVwy9lP2kLUxxFfaR9UHdCLq0yDU9K_BsiruCIk
2020-10-27 21:23:27,261:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: menke.pl
Type:   unauthorized
Detail: No TXT record found at _acme-challenge.menke.pl

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-10-27 21:23:27,262:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. menke.pl (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.menke.pl

2020-10-27 21:23:27,262:DEBUG:certbot.error_handler:Calling registered functions
2020-10-27 21:23:27,262:INFO:certbot.auth_handler:Cleaning up challenges
2020-10-27 21:23:27,268:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for _acme-challenge.menke.pl
2020-10-27 21:23:27,274:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Successfully deleted TXT record
2020-10-27 21:23:27,275:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. menke.pl (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.menke.pl

I am stuck and don't really know why there's this error. Please help.

1 Like

Welcome Back to the Let's Encrypt Community

In your dig output I'm only seeing one TXT record for _acme-challenge.menke.pl where there should be two TXT records (one for menke.pl and one for *.menke.pl). It looks like the TXT records are created serially though, so if the first dns-01 challenge fails, the second record is never created.

Try the following command and check for the _acme-challenge.menke.pl TXT records using Dig when the command pauses:
certbot certonly --cert-name menke.pl --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/certbot.ini --dns-rfc2136-propagation-seconds 300 -d "menke.pl,*.menke.pl" --keep --debug-challenges

Just an FYI: the options you've specified in bold are contradictory because --dry-run uses the staging servers even though you've explicitly specified to use the production servers. Usage of the --server option is exceedingly rare and almost always in error.

Staging/Testing:
https://acme-staging-v02.api.letsencrypt.org/directory

Production:
https://acme-v02.api.letsencrypt.org/directory

1 Like

At least one of your authoritative nameservers (ipa.menke.pl) is using an entirely different zonefile to the others:

menke.pl.               86400   IN      NS      menke.pl.
menke.pl.               86400   IN      NS      fns1.42.pl.
menke.pl.               86400   IN      NS      ipa.menke.pl.
menke.pl.               86400   IN      NS      ipa2.menke.pl.
menke.pl.               86400   IN      NS      fns2.42.pl.
menke.pl.               86400   IN      NS      ns.tpnet.pl.

I don't know if Let's Encrypt's resolver is picking on those further nameservers in addition to the 4 you have delegated at your registrar, but it could provide one explanation.

2 Likes
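Added example, not part of the original thread and not Certbot or Let's Encrypt code: a per-nameserver check for the two points raised in the replies above (both dns-01 TXT values present, and every nameserver the zone advertises serving the same data). The zone, nameserver names, serials and token values are constructed; `audit_challenge`, `stale_servers` and `fake_query` are names chosen for this sketch, and only documented `dig` options are used.

```python
import subprocess

def dig_short(server, name, rtype):
    """Ask one nameserver directly (no recursion); return its answer lines."""
    out = subprocess.run(
        ["dig", "+short", "+norecurse", "+time=3", "+tries=1",
         f"@{server}", name, rtype],
        capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

def norm(host):
    return host.rstrip(".").lower()

def audit_challenge(zone, delegated, expected_txt, query=dig_short):
    """Check every nameserver a validating resolver might end up asking.

    delegated    -- NS names published at the parent (registrar) for the zone
    expected_txt -- TXT values the ACME client should have published
    query        -- callable(server, name, rtype) -> list of answer strings
    """
    challenge = f"_acme-challenge.{zone}"
    delegated_set = {norm(n) for n in delegated}
    # The zone's own apex NS set can list servers the parent does not.
    candidates = set(delegated_set)
    for ns in sorted(delegated_set):
        candidates.update(norm(extra) for extra in query(ns, zone, "NS"))

    report = {}
    for ns in sorted(candidates):
        # ACME dns-01 values are a single short string, so stripping the
        # quotes that `dig +short` prints is enough here.
        txt = {t.strip('"') for t in query(ns, challenge, "TXT")}
        soa = query(ns, zone, "SOA")
        fields = soa[0].split() if soa else []
        report[ns] = {
            "delegated": ns in delegated_set,
            "serial": fields[2] if len(fields) >= 3 else None,
            "missing": sorted(set(expected_txt) - txt),
        }
    return report

def stale_servers(report):
    """Nameservers that do not serve every expected challenge value."""
    return [ns for ns, row in report.items() if row["missing"]]

# ---- constructed sample answers so the example runs offline ----
ZONE = "example.com"
EXPECTED = {"constructed-token-for-apex", "constructed-token-for-wildcard"}
GOOD_TXT = ['"constructed-token-for-apex"', '"constructed-token-for-wildcard"']
NEW_SOA = ["ns1.example.com. hostmaster.example.com. 2020102701 3600 600 604800 300"]
OLD_SOA = ["ns1.example.com. hostmaster.example.com. 2020102601 3600 600 604800 300"]
CONSTRUCTED = {
    ("ns1.example.com", ZONE, "NS"):
        ["ns1.example.com.", "ns2.example.com.", "ns3.example.net."],
    ("ns2.example.com", ZONE, "NS"): ["ns1.example.com.", "ns2.example.com."],
    ("ns1.example.com", "_acme-challenge." + ZONE, "TXT"): GOOD_TXT,
    ("ns2.example.com", "_acme-challenge." + ZONE, "TXT"): GOOD_TXT,
    # ns3 is listed in the zone but serves an older copy with no TXT record.
    ("ns1.example.com", ZONE, "SOA"): NEW_SOA,
    ("ns2.example.com", ZONE, "SOA"): NEW_SOA,
    ("ns3.example.net", ZONE, "SOA"): OLD_SOA,
}

def fake_query(server, name, rtype):
    return CONSTRUCTED.get((server, name, rtype), [])

if __name__ == "__main__":
    rep = audit_challenge(ZONE, ["ns1.example.com", "ns2.example.com"],
                          EXPECTED, query=fake_query)
    for ns, row in rep.items():
        print(ns, row)
    print("stale:", stale_servers(rep))
```

Leaving `query` at its default runs the same checks against live servers with `dig`; run it while the client is paused by `--debug-challenges` so the records still exist.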

@_az

Is there some way to know which nameserver is being queried? Some kind of ultra-verbose option perhaps? My initial instinct was that 3 minutes might have been insufficient to propagate, but if what you've identified is having an impact, 3 years wouldn't matter (without retrying a different nameserver, which would be a nice function to have in Boulder for robustness if it's not already implemented that way).
