Failing DNS Challenge, Google show token as requested

My domain is:

I ran this command:

sudo certbot certonly \
  --manual \
  --key-type rsa \
  --email --------- \
  -d pendingdelete.com \
  --agree-tos \
  --preferred-challenges=dns \
  --config-dir ~/lets-encrypt \
  --work-dir ~/lets-encrypt \
  --logs-dir ~/lets-encrypt -v

It produced this output:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: pendingdelete.com
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for pendingdelete.com - the domain's nameservers may be malfunctioning

The version of my client is

certbot 2.9.0

running on macOS Catalina

This is what I was asked to do:

Please deploy a DNS TXT record under the name:

_acme-challenge.pendingdelete.com.

with the following value:

mgtGtoYi75j9Vq8VS6LeOSeQAJrURZ8n0z-7Vgqjg-Y

This is what Google says:

TTL:
5 minutes
VALUE:
"mgtGtoYi75j9Vq8VS6LeOSeQAJrURZ8n0z-7Vgqjg-Y"

I have tried this over and over, and am unable to get any success. When I place "" around the token in the DNS record, I did receive a different response:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: pendingdelete.com
Type: unauthorized
Detail: Incorrect TXT record "\"hPCnYeXE7daqb3eR1j-JFETvckJ_s9hLWUWmEV8HVV8\"" found at _acme-challenge.pendingdelete.com

The token is correct, but bounded by extra chars.

The DNS record is still:

TTL:

5 minutes

VALUE:

"mgtGtoYi75j9Vq8VS6LeOSeQAJrURZ8n0z-7Vgqjg-Y"

At this moment.

Which results in:

Certbot failed to authenticate some domains (authenticator: manual).

Please help. Thank you!

Welcome @JustMe

The CAA error is the more serious. You had the correct TXT value but your DNS server is returning a SERVFAIL when Let's Encrypt checks your CAA record. A CAA record is not required. But, your DNS server must respond with a proper "not found". Yours does not. See this DNS test tool which reproduces this error:
https://dns.google/query?name=pendingdelete.com&rr_type=CAA&ecs=

The second failure of wrong TXT value is just wrong. Use your original format. Let's Encrypt saw a valid value and then tried your CAA record which failed. Your incorrect TXT record was an immediate failure.

You also have these other DNS tree configuration problems. You should review both Errors and at least the first Warning (about NS in delegation but not authoritative):
https://dnsviz.net/d/pendingdelete.com/dnssec/

2 Likes
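The two failure modes in this reply can be checked offline. The script below is an added example, not code from this thread, from certbot or from Let's Encrypt; the function names (`parse_txt_rdata`, `check_challenge_txt`, `caa_lookup_verdict`) are hypothetical, the sample inputs are constructed from the values quoted in the thread, and it uses only the Python standard library. It parses a TXT record's presentation form (quoted strings, `\"`, `\\` and `\DDD` escapes), so a value that was typed with its own quotes, which a resolver then shows as `"\"...\""`, is recognised as the right token wrapped in extra characters; and it classifies a CAA query by rcode, treating SERVFAIL as a lookup failure rather than as "no record".

```python
# Added example (not from the forum post): offline checks for an ACME dns-01 TXT
# value carrying extra quote characters and for a CAA lookup answering SERVFAIL.
import re


def parse_txt_rdata(presentation: str) -> list[str]:
    """Parse a TXT record's zone-file presentation form into its character strings.

    Handles quoted strings, the escapes \\" \\\\ and \\DDD (RFC 1035 5.1), and bare
    tokens. Raises ValueError on an unterminated string or a dangling backslash.
    """
    strings: list[str] = []
    i, n = 0, len(presentation)
    while i < n:
        if presentation[i].isspace():
            i += 1
            continue
        buf: list[str] = []
        if presentation[i] == '"':
            i += 1
            while i < n and presentation[i] != '"':
                if presentation[i] == "\\":
                    i += 1
                    if i >= n:
                        raise ValueError("dangling backslash in TXT rdata")
                    digits = re.match(r"[0-9]{3}", presentation[i:i + 3])
                    if digits:  # \DDD decimal escape, e.g. \034 is a double quote
                        buf.append(chr(int(digits.group(0))))
                        i += 3
                        continue
                buf.append(presentation[i])  # literal or escaped character
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted string in TXT rdata")
            i += 1  # skip the closing quote
        else:
            while i < n and not presentation[i].isspace():
                buf.append(presentation[i])
                i += 1
        strings.append("".join(buf))
    return strings


def check_challenge_txt(found_presentation: str, expected_token: str) -> tuple[bool, str]:
    """Compare the TXT value a resolver shows with the token certbot asked for.

    RFC 8555 8.4 requires the record to contain exactly the key authorization
    digest, so quotes typed into the DNS console make it wrong even though the
    token inside them is correct.
    """
    value = "".join(parse_txt_rdata(found_presentation))
    if value == expected_token:
        return True, "TXT value matches the challenge token"
    if value.strip("\"' ") == expected_token:
        return False, ("token is correct but wrapped in extra characters; "
                       "enter it without quotes, the console adds its own")
    return False, "TXT value does not match the expected token"


def caa_lookup_verdict(rcode: str, caa_records: list[tuple[str, str]]) -> str:
    """Classify one CAA query by DNS rcode; caa_records holds (tag, value) pairs.

    A full RFC 8659 check also climbs to parent names; this covers one name only.
    """
    if rcode == "SERVFAIL":
        return "fail: SERVFAIL is a lookup failure, not 'no CAA record'; the CA refuses to issue"
    if rcode == "NXDOMAIN" or (rcode == "NOERROR" and not caa_records):
        return "ok: no CAA record at this name, issuance is not restricted here"
    if rcode == "NOERROR":
        # "issue" values may carry parameters after ';', e.g. validationmethods=dns-01
        issuers = [v.split(";", 1)[0].strip() for tag, v in caa_records if tag == "issue"]
        if "letsencrypt.org" in issuers:
            return "ok: CAA explicitly permits letsencrypt.org"
        return "fail: CAA is present but does not list letsencrypt.org"
    return f"fail: unexpected rcode {rcode}"


# Constructed samples taken from the values quoted in the thread.
TOKEN_FIRST_RUN = "mgtGtoYi75j9Vq8VS6LeOSeQAJrURZ8n0z-7Vgqjg-Y"
TOKEN_SECOND_RUN = "hPCnYeXE7daqb3eR1j-JFETvckJ_s9hLWUWmEV8HVV8"
TXT_AS_GOOGLE_SHOWS_IT = '"mgtGtoYi75j9Vq8VS6LeOSeQAJrURZ8n0z-7Vgqjg-Y"'
TXT_WITH_TYPED_QUOTES = '"\\"hPCnYeXE7daqb3eR1j-JFETvckJ_s9hLWUWmEV8HVV8\\""'

if __name__ == "__main__":
    print(check_challenge_txt(TXT_AS_GOOGLE_SHOWS_IT, TOKEN_FIRST_RUN))
    print(check_challenge_txt(TXT_WITH_TYPED_QUOTES, TOKEN_SECOND_RUN))
    print(caa_lookup_verdict("SERVFAIL", []))   # what the thread's nameservers returned
    print(caa_lookup_verdict("NOERROR", []))    # the proper "no CAA record" answer
```

Run it directly to see the two TXT verdicts and the two CAA verdicts; the first TXT sample is accepted, the second is flagged as the right token wrapped in quotes, and only the NOERROR-with-empty-answer CAA case is reported as acceptable.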

Further, is that really necessary? People forget they did this and have problems later. The config-dir can make things especially awkward. In some cases doing that is needed. If not I recommend leaving the defaults as they are.

2 Likes

Thank you very much for your quick help Mike! I do appreciate it.

Regarding those three lines, the script was provided as a "working" template from someone else. I just used it as is, will remove those lines. Just trying to get anything by way of a cert at this moment so was ignoring all the other details.

Thank you also for those debug tool links. Never seen dnsviz before, that is really nice! Adding that to my tool box. Thanks again.

3 Likes
