Failed DNS-01 challenge

Help
1

My domain is: markert.live

I ran this command:
sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns_rfc2136_credentials.ini -d markert.live -d '*.markert.live'

It produced this output:

Requesting a certificate for markert.live and *.markert.live
Waiting 60 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
  Domain: markert.live
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.markert.live

  Domain: markert.live
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.markert.live

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-rfc2136. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-rfc2136-propagation-seconds (currently 60 seconds).

My web server is (include version):
n/a (but I can install nginx if required)

The operating system my web server runs on is (include version):
Debian 12

My hosting provider, if applicable, is:
Hostinger

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.1.0

P.S. the output of letsencrypt.log is:

2025-09-23 05:14:36,574:DEBUG:certbot._internal.main:certbot version: 2.1.0
2025-09-23 05:14:36,575:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2025-09-23 05:14:36,575:DEBUG:certbot._internal.main:Arguments: ['--dns-rfc2136', '--dns-rfc2136-credentials', '/etc/letsencrypt/dns_rfc2136_credentials.ini', '-d', 'markert.live', '-d', '*.markert.live']
2025-09-23 05:14:36,575:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-rfc2136,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-09-23 05:14:36,603:DEBUG:certbot._internal.log:Root logging level set at 30
2025-09-23 05:14:36,605:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-rfc2136 and installer None
2025-09-23 05:14:36,606:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-rfc2136
Description: Obtain certificates using a DNS TXT record (if you are using BIND for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-rfc2136 = certbot_dns_rfc2136._internal.dns_rfc2136:Authenticator
Initialized: <certbot_dns_rfc2136._internal.dns_rfc2136.Authenticator object at 0x7f2f1990f090>
Prep: True
2025-09-23 05:14:36,607:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_rfc2136._internal.dns_rfc2136.Authenticator object at 0x7f2f1990f090> and installer None
2025-09-23 05:14:36,607:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-rfc2136, Installer None
2025-09-23 05:14:36,820:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/2678457611', new_authzr_uri=None, terms_of_service=None), e78b4f04e90df860b2ddb9b204cc7b4a, Meta(creation_dt=datetime.datetime(2025, 9, 23, 0, 0, 43, tzinfo=<UTC>), creation_host='vmhomeserver.local.markert.live', register_to_eff=None))>
2025-09-23 05:14:36,822:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2025-09-23 05:14:36,825:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2025-09-23 05:14:38,025:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 995
2025-09-23 05:14:38,027:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Sep 2025 05:14:37 GMT
Content-Type: application/json
Content-Length: 995
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/acme/renewal-info",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "xULanfNg86w": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2025-09-23 05:14:38,028:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for markert.live and *.markert.live
2025-09-23 05:14:38,036:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0041_key-certbot.pem
2025-09-23 05:14:38,043:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0041_csr-certbot.pem
2025-09-23 05:14:38,046:DEBUG:acme.client:Requesting fresh nonce
2025-09-23 05:14:38,047:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2025-09-23 05:14:38,345:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2025-09-23 05:14:38,346:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Sep 2025 05:14:38 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: JV8I8jm1Dg6nfeCA8aHx09si56v26EcmjcT3XiQsvJbQmlZzcps
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2025-09-23 05:14:38,347:DEBUG:acme.client:Storing nonce: JV8I8jm1Dg6nfeCA8aHx09si56v26EcmjcT3XiQsvJbQmlZzcps
2025-09-23 05:14:38,348:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "markert.live"\n    },\n    {\n      "type": "dns",\n      "value": "*.markert.live"\n    }\n  ]\n}'
2025-09-23 05:14:38,357:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjY3ODQ1NzYxMSIsICJub25jZSI6ICJKVjhJOGptMURnNm5mZUNBOGFIeDA5c2k1NnYyNkVjbWpjVDNYaVFzdkpiUW1sWnpjcHMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "bJXQ9VW0UXxMCcuH4GH55gXbzXffKy2nE88P1W_JgtvaFFGHME5mNSeBvCNaNTP0wOM9LK25ZRs6YX9sE2TL0HedCOCMdZ5rICDIaSh4okIpK3qRBZ1KPwjezRX1pwPmIR0cbY8bpTA6C3OFb8uZsmX8OFEGYhYgzc-wXTN1dV4oENHilfMX44LCFmlOoAi-HdwMb6Yw2aNJzopPPp3QozJRcKY2P_dOpQx3g_evvXdWIfsOyUiKOAz_vokjVxup946qRIxKbSMnhkLDS2XWhAKlscUQrVQ75qNe0xJrVN77AwmXeUmtysdvT7R3W7vBeAcfIjJcJWsUmqB4kTUlzg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm1hcmtlcnQubGl2ZSIKICAgIH0sCiAgICB7CiAgICAgICJ0eXBlIjogImRucyIsCiAgICAgICJ2YWx1ZSI6ICIqLm1hcmtlcnQubGl2ZSIKICAgIH0KICBdCn0"
}
2025-09-23 05:14:38,819:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 491
2025-09-23 05:14:38,820:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 23 Sep 2025 05:14:38 GMT
Content-Type: application/json
Content-Length: 491
Connection: keep-alive
Boulder-Requester: 2678457611
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/2678457611/430932893451
Replay-Nonce: qRkKkMTFl62FnJcgqnFFUiD5ltNtwhqRLFsUVMZpcqYZ3Gc7LhA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2025-09-30T05:14:38Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.markert.live"
    },
    {
      "type": "dns",
      "value": "markert.live"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/2678457611/587574071981",
    "https://acme-v02.api.letsencrypt.org/acme/authz/2678457611/587574072111"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2678457611/430932893451"
}
2025-09-23 05:14:38,820:DEBUG:acme.client:Storing nonce: qRkKkMTFl62FnJcgqnFFUiD5ltNtwhqRLFsUVMZpcqYZ3Gc7LhA
2025-09-23 05:14:38,821:DEBUG:acme.client:JWS payload:
b''
2025-09-23 05:14:38,826:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2678457611/587574071981:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjY3ODQ1NzYxMSIsICJub25jZSI6ICJxUmtLa01URmw2MkZuSmNncW5GRlVpRDVsdE50d2hxUkxGc1VWTVpwY3FZWjNHYzdMaEEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI2Nzg0NTc2MTEvNTg3NTc0MDcxOTgxIn0",
  "signature": "BhUW09h3-71G1LTsvgVGbuK4BgZXUHhvlMmh5huwPWWIrs38kBHJv0UfOo4EG9erOooL8FukTF_XS1HVWlSdykfS40YrZtf1-CDSW5dQN2sMNZHdVUVaOImD280zlLM95PCNTwrQGfWd_jJiZl2pJnrHaHSN6FFaIAKefbU0MuPfJC5lp7RsyRKfHWgE_SojK79T1MGKZlg_6jylswdq9B3dU7yeMyDhUYpAUj3ZNovLVOUBeW2So0OQ3MGkTl5HPg5JSDuPCX4R9inREDpR6mzHMXd7XN_32LANZo1R2pSKqqMZkslJIOOM_sZZWg5aCOqApRiu3UliIn8z9tMluQ",
  "payload": ""
}
2025-09-23 05:14:39,136:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2678457611/587574071981 HTTP/1.1" 200 394
2025-09-23 05:14:39,138:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Sep 2025 05:14:38 GMT
Content-Type: application/json
Content-Length: 394
Connection: keep-alive
Boulder-Requester: 2678457611
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: qRkKkMTFeuL7GdPJ068SvbfoD0aq-9r43L8gMiUKU168xEbbBaI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "markert.live"
  },
  "status": "pending",
  "expires": "2025-09-30T05:14:38Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574071981/uWUVZw",
      "status": "pending",
      "token": "jrtDLRpTkiTVLQN6nCJVj5e6n0rPVzMQ3deNtdkFQQc"
    }
  ],
  "wildcard": true
}
2025-09-23 05:14:39,138:DEBUG:acme.client:Storing nonce: qRkKkMTFeuL7GdPJ068SvbfoD0aq-9r43L8gMiUKU168xEbbBaI
2025-09-23 05:14:39,139:DEBUG:acme.client:JWS payload:
b''
2025-09-23 05:14:39,145:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2678457611/587574072111:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjY3ODQ1NzYxMSIsICJub25jZSI6ICJxUmtLa01URmV1TDdHZFBKMDY4U3ZiZm9EMGFxLTlyNDNMOGdNaVVLVTE2OHhFYmJCYUkiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI2Nzg0NTc2MTEvNTg3NTc0MDcyMTExIn0",
  "signature": "dSuZT1OvpqrCIslXQJG8ZouiPECdiuzZBSmWiyhA0URO8mD_LY0gWLfP5sVxRYTpE40WKXK6NxNN88Wxx4iVdvv2c92X-aOYecnZLxpP0W0C7J8vFj0UMYw0-lgNMzvBfkaFclynXIGgPoBn6fCDPG4DRc-MQ9Sz_pCOep0AIYWDXfvvGT-01n__9BSbt_0JgU2DD24MggX4RWd1qbiiXcTxGla_T1xSTZaS1XZS3qT_YkeWu1GZxHZ3FAEeSbZu9zYhGVjE0xQzVQGpeQDbgaPdvuS05vS3SErMV2Bd1vCB7GfhDo7yOV8WO7rxblV9TiOMiWvN5t3Vn9ug0xqc_g",
  "payload": ""
}
2025-09-23 05:14:39,990:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2678457611/587574072111 HTTP/1.1" 200 820
2025-09-23 05:14:39,991:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Sep 2025 05:14:39 GMT
Content-Type: application/json
Content-Length: 820
Connection: keep-alive
Boulder-Requester: 2678457611
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: JV8I8jm1DOwNjcAIsoz5SCmfnGQA1fOeF0D-sNzOrQ8mv--I-yw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "markert.live"
  },
  "status": "pending",
  "expires": "2025-09-30T05:14:38Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574072111/Mc_rnA",
      "status": "pending",
      "token": "v31debSX76sqyvTPe3DSL4X8LIeOBtFOx2PLg68m40A"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574072111/Vf1P4Q",
      "status": "pending",
      "token": "v31debSX76sqyvTPe3DSL4X8LIeOBtFOx2PLg68m40A"
    },
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574072111/Eg2GyA",
      "status": "pending",
      "token": "v31debSX76sqyvTPe3DSL4X8LIeOBtFOx2PLg68m40A"
    }
  ]
}
2025-09-23 05:14:39,991:DEBUG:acme.client:Storing nonce: JV8I8jm1DOwNjcAIsoz5SCmfnGQA1fOeF0D-sNzOrQ8mv--I-yw
2025-09-23 05:14:39,993:INFO:certbot._internal.auth_handler:Performing the following challenges:
2025-09-23 05:14:39,993:INFO:certbot._internal.auth_handler:dns-01 challenge for markert.live
2025-09-23 05:14:39,994:INFO:certbot._internal.auth_handler:dns-01 challenge for markert.live
2025-09-23 05:14:39,994:WARNING:certbot.plugins.dns_common:Unsafe permissions on credentials configuration file: /etc/letsencrypt/dns_rfc2136_credentials.ini
2025-09-23 05:14:40,009:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for _acme-challenge.markert.live
2025-09-23 05:14:40,028:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Successfully added TXT record _acme-challenge.markert.live
2025-09-23 05:14:40,037:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for _acme-challenge.markert.live
2025-09-23 05:14:40,051:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Successfully added TXT record _acme-challenge.markert.live
2025-09-23 05:14:40,052:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 60 seconds for DNS changes to propagate
2025-09-23 05:15:40,055:DEBUG:acme.client:JWS payload:
b'{}'
2025-09-23 05:15:40,064:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574071981/uWUVZw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjY3ODQ1NzYxMSIsICJub25jZSI6ICJKVjhJOGptMURPd05qY0FJc296NVNDbWZuR1FBMWZPZUYwRC1zTnpPclE4bXYtLUkteXciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzI2Nzg0NTc2MTEvNTg3NTc0MDcxOTgxL3VXVVZadyJ9",
  "signature": "O62CakNlbAFWtv3HVKL7odIoZz6wtSR36NN12lFuY5TesRf7hiG1DTkQgAzzgn04v6zkPcNabVCvC6lQFj9cZi3UUIMDL3HRqiP5iuQ5nJEwZuH_LadlV2AWTNyWpPWVHp0WMsbcvDhWEwTV0DGWznNd4fzsWIp2-mwScn0sas1QeGsedzzS35PDawIkw-u4GTzPrL3LqrSI_VMPDfOpwEW0b651jzrhw331T5tkDORPHaR7Lv9_EQxKnzoiBkVB2AwxnNL8IZhI4OYVg7lhanyk8SGISMJZLVLOIK5PXbdNLPUGMYevOoRwUUNvANk2DCn9jHC5y5yVNaWoAzBNkw",
  "payload": "e30"
}
2025-09-23 05:15:40,400:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall/2678457611/587574071981/uWUVZw HTTP/1.1" 200 194
2025-09-23 05:15:40,402:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Sep 2025 05:15:40 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Boulder-Requester: 2678457611
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/2678457611/587574071981>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574071981/uWUVZw
Replay-Nonce: JV8I8jm1g_s4GyX_tDTFSD-t2CJkvcRV1aUr3wvsZYbFVQg-U1I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574071981/uWUVZw",
  "status": "pending",
  "token": "jrtDLRpTkiTVLQN6nCJVj5e6n0rPVzMQ3deNtdkFQQc"
}
2025-09-23 05:15:40,402:DEBUG:acme.client:Storing nonce: JV8I8jm1g_s4GyX_tDTFSD-t2CJkvcRV1aUr3wvsZYbFVQg-U1I
2025-09-23 05:15:40,404:DEBUG:acme.client:JWS payload:
b'{}'
2025-09-23 05:15:40,409:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574072111/Mc_rnA:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjY3ODQ1NzYxMSIsICJub25jZSI6ICJKVjhJOGptMWdfczRHeVhfdERURlNELXQyQ0prdmNSVjFhVXIzd3ZzWlliRlZRZy1VMUkiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzI2Nzg0NTc2MTEvNTg3NTc0MDcyMTExL01jX3JuQSJ9",
  "signature": "cyljFKZJhdhtnoKrk5XK3XgMAyIYWY-4P8SNKzNAAFC9rr-9yYvzNls548Klv4V1duWo5NRcXQVUA7qsZV9zon5gCcz66zZlU_CsrELeAc2bD_6G7a8LbeILjwWdvWAU6F8hqI0zjg5_wHdCX6KGIs-yWzvpKyXvLgWI0ZXAWw3xA4ysKhzfnN2VzE2luOZPe2yBsVb8PgPNP9DCrALq3isqo4yMcVUxLEJ_ATxX9F0CNfecIicNI5hRIN3wq57CdHZFVbVknQOfYFWgjrKXYQ6EPaT1d7fy1SrCIJEjNP9EdCGuJMGcW9AwbJwscm1c1zktpDhFs2NazkJjcTF9hA",
  "payload": "e30"
}
2025-09-23 05:15:41,030:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall/2678457611/587574072111/Mc_rnA HTTP/1.1" 200 194
2025-09-23 05:15:41,031:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Sep 2025 05:15:40 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Boulder-Requester: 2678457611
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/2678457611/587574072111>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574072111/Mc_rnA
Replay-Nonce: qRkKkMTFiSA8DgulnUm-C83GvHPaRoix5hZa7JUbzAclH50lBys
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574072111/Mc_rnA",
  "status": "pending",
  "token": "v31debSX76sqyvTPe3DSL4X8LIeOBtFOx2PLg68m40A"
}
2025-09-23 05:15:41,032:DEBUG:acme.client:Storing nonce: qRkKkMTFiSA8DgulnUm-C83GvHPaRoix5hZa7JUbzAclH50lBys
2025-09-23 05:15:41,032:INFO:certbot._internal.auth_handler:Waiting for verification...
2025-09-23 05:15:42,033:DEBUG:acme.client:JWS payload:
b''
2025-09-23 05:15:42,038:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2678457611/587574071981:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjY3ODQ1NzYxMSIsICJub25jZSI6ICJxUmtLa01URmlTQThEZ3VsblVtLUM4M0d2SFBhUm9peDVoWmE3SlViekFjbEg1MGxCeXMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI2Nzg0NTc2MTEvNTg3NTc0MDcxOTgxIn0",
  "signature": "rHHB4ERazmYFsvgODUjZzea1rb-SdHOSfp30sU1A1ArBKjRzyozdfQ23txqvJenb36Wc6YponacXiLRTzz5YYFCnSPnJvR7xglLrEG5S--1h0-1byAYG_E3J9DMDwaKjnWmRbPu91CncQHPODZj29jGrlt_dhDHkyYfpiasFoQhWuSd6uMQdGxwthLFvEe2nI04gE6L7nUklR6WFJNElhOUiTlqWAsDm6cCft2nIsSsfGcfvFTT0PvTU16nD1ts8LWCkk8TgRzjdJfpoutj2FH38VkNLdo_3RSi1Br_M5mBW27ptT5bF5lIGDIwvYDzeGc6Wox3ypqcAp8tNqUGhFw",
  "payload": ""
}
2025-09-23 05:15:42,343:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2678457611/587574071981 HTTP/1.1" 200 617
2025-09-23 05:15:42,344:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Sep 2025 05:15:42 GMT
Content-Type: application/json
Content-Length: 617
Connection: keep-alive
Boulder-Requester: 2678457611
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: qRkKkMTFDHDzoibBVFrl9Gx28kgaqHOuYwbOvire_bXl1wnkp68
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "markert.live"
  },
  "status": "invalid",
  "expires": "2025-09-30T05:14:38Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574071981/uWUVZw",
      "status": "invalid",
      "validated": "2025-09-23T05:15:40Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "No TXT record found at _acme-challenge.markert.live",
        "status": 403
      },
      "token": "jrtDLRpTkiTVLQN6nCJVj5e6n0rPVzMQ3deNtdkFQQc"
    }
  ],
  "wildcard": true
}
2025-09-23 05:15:42,345:DEBUG:acme.client:Storing nonce: qRkKkMTFDHDzoibBVFrl9Gx28kgaqHOuYwbOvire_bXl1wnkp68
2025-09-23 05:15:42,346:DEBUG:acme.client:JWS payload:
b''
2025-09-23 05:15:42,351:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2678457611/587574072111:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjY3ODQ1NzYxMSIsICJub25jZSI6ICJxUmtLa01URkRIRHpvaWJCVkZybDlHeDI4a2dhcUhPdVl3Yk92aXJlX2JYbDF3bmtwNjgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI2Nzg0NTc2MTEvNTg3NTc0MDcyMTExIn0",
  "signature": "KbdtcMUbo4KUQg01Zg121JNJqYUMTm5AhC4AtieLfA91xGF1VTXyFSEOAWTlXjlMPpCZxJX0AmnntKJh4vadGrYixu-EJ9AzTzO06OlozEnS7fTmyKgSLgOHhVy9NGcWdaWqikaJigSmHz-cjSbQvdpU7CUUVEHEWMGi9UpOtqshFtq5e8r-N4NPoznkvszNunMzr_culOZ_j7CpFBAiFrpYKZ_6X0NaeLJ-4XF-q9hAqOoACT6iokUtGf1EfzojQ-zOobG8hKHO2yj-goD2bdzST6oJQ5Nuk9GWC7aXTkqLhOey04cw7EnFCBSF_QO7j5D5y2MOTif5q-qACf0F6A",
  "payload": ""
}
2025-09-23 05:15:42,973:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2678457611/587574072111 HTTP/1.1" 200 597
2025-09-23 05:15:42,974:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Sep 2025 05:15:42 GMT
Content-Type: application/json
Content-Length: 597
Connection: keep-alive
Boulder-Requester: 2678457611
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: qRkKkMTF5dGcRBlSUEQRDO35-XLvAY4nCKsQK-oMknOIdUF8QNI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "markert.live"
  },
  "status": "invalid",
  "expires": "2025-09-30T05:14:38Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2678457611/587574072111/Mc_rnA",
      "status": "invalid",
      "validated": "2025-09-23T05:15:40Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "No TXT record found at _acme-challenge.markert.live",
        "status": 403
      },
      "token": "v31debSX76sqyvTPe3DSL4X8LIeOBtFOx2PLg68m40A"
    }
  ]
}
2025-09-23 05:15:42,974:DEBUG:acme.client:Storing nonce: qRkKkMTF5dGcRBlSUEQRDO35-XLvAY4nCKsQK-oMknOIdUF8QNI
2025-09-23 05:15:42,975:INFO:certbot._internal.auth_handler:Challenge failed for domain markert.live
2025-09-23 05:15:42,976:INFO:certbot._internal.auth_handler:Challenge failed for domain markert.live
2025-09-23 05:15:42,976:INFO:certbot._internal.auth_handler:dns-01 challenge for markert.live
2025-09-23 05:15:42,976:INFO:certbot._internal.auth_handler:dns-01 challenge for markert.live
2025-09-23 05:15:42,977:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
  Domain: markert.live
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.markert.live

  Domain: markert.live
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.markert.live

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-rfc2136. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-rfc2136-propagation-seconds (currently 60 seconds).

2025-09-23 05:15:42,980:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-09-23 05:15:42,981:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-09-23 05:15:42,981:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-09-23 05:15:42,994:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for _acme-challenge.markert.live
2025-09-23 05:15:43,010:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Successfully deleted TXT record _acme-challenge.markert.live
2025-09-23 05:15:43,017:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for _acme-challenge.markert.live
2025-09-23 05:15:43,031:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Successfully deleted TXT record _acme-challenge.markert.live
2025-09-23 05:15:43,032:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1736, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1590, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 138, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-09-23 05:15:43,039:ERROR:certbot._internal.log:Some challenges have failed.
2

Your domain DNS is hosted with dns-parking.com, is that correct? You may need to allow more time for the DNS challenge TXT record to be copied to all of your domains nameservers.

I notice you are using the nsupdate rfc2136 method to update DNS, make sure that's actually updating your public DNS records and not just something local only you can see.

3 Likes
3

That is the Hostinger DNS system. @maggiv8 Certbot does not have direct support for Hostinger but other ACME Clients do like this one: Lego :: Let’s Encrypt client and ACME library written in Go.

Or, change your DNS configuration to use a different DNS system supported by Certbot. Certbot can even use the lego one but I personally think it is easier to use lego directly and not have to configure both Certbot and lego.

2 Likes
4

Thank you Mike and webprofusion. Hostinger seems to be supported with the next version of Lego (v4.27 - latest one is v4.26). I will try Lego with v4.27 and see how it goes.

2 Likes
5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.