Failed authorization procedure via DNS

I have Let's Encrypt set up and working, but I want to renew the certificate and I am getting the following error:

Attempting to renew cert (*) from *.conf produced an unexpected error: Failed authorization procedure. * (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "textstring" found at _acme-challenge.*. Skipping.

Due to our setup I cannot do tls-sni or http verification, only DNS. I can provide more information or logs if need be, but I am at a loss. I have checked our DNS and can confirm the TXT files are there and correct. When I check the logs they are coming back as a 403 error. The renewal has worked before, but not anymore.

Redacting your domain and error message makes it super hard to help you. Please provide as many of the following details as you know:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

My domain is: crowdcontent.com

I ran this command: certbot renew --config-dir=/home/servers/certbot/config --work-dir=/home/servers/certbot/work --logs-dir=/home/servers/certbot/logs --manual-auth-hook /home/servers/ssl_authenticator.sh --manual-cleanup-hook /home/servers/ssl_cleanup.sh --preferred-challenges dns --dry-run

It produced this output: Attempting to renew cert (crowdcontent.com) from /home/servers/certbot/config/renewal/crowdcontent.com.conf produced an unexpected error: Failed authorization procedure. crowdcontent.com (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “3r6soJfsXwcKs7F704nUelDJnlo4CeHESbJxA1sNN4c” found at _acme-challenge.crowdcontent.com, same for all subdomains Skipping.

My web server is (include version): haproxy 1.8.3

The operating system my web server runs on is (include version): Ubuntu 16.04.3

I have full access to the server: root, reboots, etc.

This script creates the TXT record(s) with the passed CERTBOT_VALIDATION environment variable, then?

Are we able to see the script (remove any credentials as required)?

edit: Also, does this happen without --dry-run?

That ssl_authenticator.sh script is an empty bash file, as certbot would not run before without it.

Just ran certbot without it and it produced the same result.

Yes, same thing happens without --dry-run.

Right.

So, certbot renew is a non-interactive command. The reason it will not run without passing the auth-hook scripts is that Certbot needs to be able to update your TXT records automatically with new challenge values. That is what the hooks are for.

The initial TXT records you created are most likely no longer valid. In the best case, they only authorize you to issue certificates for the domain for 30 days. After that time (or earlier), the value of the challenge changes, and the TXT records must be updated to a new challenge value.

The way you are calling certbot renew does not do this, because your empty scripts are meant to be updating the TXT records, but they do nothing.

If you wish to do the manual DNS challenge again (interactively, rather than non-interactively), then you need to run certbot certonly using the same parameters that you used the first time. certbot renew doesn’t do what you want.
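The stale-record failure the reply above describes, as an added example that is not from the original thread or from certbot itself: it computes the dns-01 value certbot hands to a hook as CERTBOT_VALIDATION (RFC 8555 section 8.4), shows what a working auth hook has to publish, and classifies what the CA would find at _acme-challenge.<domain>. The zone dictionary and lookup function are constructed stand-ins for a real DNS provider API and resolver.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only, serialised with sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_validation(token: str, thumbprint: str) -> str:
    """The TXT value certbot passes to the hook as CERTBOT_VALIDATION:
    base64url(SHA-256(token '.' thumbprint)), RFC 8555 section 8.4.
    The token is fresh for every authorization, so the value changes on renewal."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def auth_hook(zone: dict, env: dict) -> list:
    """What a working --manual-auth-hook has to do with certbot's environment:
    publish CERTBOT_VALIDATION at _acme-challenge.<CERTBOT_DOMAIN>, replacing
    whatever an earlier issuance left behind. `zone` is an in-memory stand-in
    (constructed for this example) for the DNS provider's API."""
    name = f"_acme-challenge.{env['CERTBOT_DOMAIN']}"
    zone[name] = [env["CERTBOT_VALIDATION"]]  # append instead if two challenges share a name
    return zone[name]


def check_txt(domain: str, expected: str, lookup) -> str:
    """Classify what the CA will see for _acme-challenge.<domain>.
    `lookup(name)` returns the TXT strings published for that name; in real use
    it would be a query against a public resolver, here the caller supplies it."""
    found = lookup(f"_acme-challenge.{domain}")
    if expected in found:
        return "valid"
    if not found:
        return "missing"
    return "incorrect"  # a stale value from an earlier run: the error in the thread
```

An empty hook leaves the old value in place, so check_txt reports "incorrect" for the new validation, which is exactly the "Incorrect TXT record ... found" message in the thread.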

Yeah, I just realised that. Been a long day. Going to try something, then let you know if that worked.

Yup, it was me not thinking. I got it now, thanks for your help and explanation. Missed the stuff about the TXT records changing after 30 days.
