How to know which _acme-challenge DNS record to configure?

Hello,

For some strange reason, my Let's Encrypt certificate does not renew automatically, so I tried to re-issue a new one using cPanel.

When using the dns-01 validation method, an error about the TXT record is shown.

How to know which TXT record to configure?

On the other hand, I have tried several times to issue the certificate and now this error is shown:

  • Error creating new order: acme: error code 429 "urn:ietf:params:acme:error:rateLimited": Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt

How to solve this too?

Thanks
Jaime

@JiMMy2020
If you are on hosted service, speak with your provider about this.
If you are the admin, look for cPanel updates and ensure the O/S is not part of the problem.
Like: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

1 Like

Hello @rg305 ... I am the admin, so I should solve this problem. I have updated cPanel and WHM to the latest version, but the same occurs.

Do you know how to determine which TXT record to add in my name server? My NS is not the same as my cPanel server, so I should add that entry manually.

Thanks
Jaime

1 Like

Well the renewal process is either automated or manually driven.
You can't have it both ways or half and half.
How exactly do you execute the renewal request?

Since the renewal did not work automatically, I removed the certificate and tried to reissue it using just cPanel:

Be more specific.
Removed it from where?
Also from cPanel?

Also, what happens when you click "ISSUE"?

Removed using "Remove" button in cPanel.

When I click Issue, this happens:

Had it ever issued a wildcard cert before?

Yes.... I have other certificates on this server for other domains. And in fact, as I told you, the certificate for this same domain was issued before but expired on October 3rd.

Regards
Jaime

I don't use cPanel for wildcards so I can't be sure...
But is there any place to inform it about how to handle DNS authentication?

That's why I posted the question here. To use DNS authentication I need to know how to generate the _acme-challenge value.

That process should provide the info for you to put into DNS.

That does not happen... cPanel does not provide that information.

I will try to use HTTP authentication instead. This is a GitLab application, so I will find out where I should put the ACME challenge file. When using HTTP authentication, I can know which file it is trying to load because Let's Encrypt includes it in the error message. It would be great if the error message when using DNS validation could include which text it is trying to find in the NS entry.

From my hosting support, they told me that the problem is caused because domain has DNSSEC activated.

If that is the problem, how can I install Let's Encrypt with DNSSEC on?

Thanks
Jaime

1 Like

I have finally found where the problem is.

When I try to issue the certificate, the challenge TXT entry is modified in the DNS. Let's Encrypt is assuming that the name server is the same server where the domain being protected by SSL is hosted, but this is not the case. So, when the new TXT entry is generated, it does not match the actual TXT entry in the actual name server.

How can I avoid the challenge TXT key being generated every time I try to issue the certificate?

Thanks
Jaime

2 Likes

No, Let's Encrypt does not assume anything. Let's Encrypt looks at your domain's authoritative DNS server for the TXT record. I run my own server, but my DNS is handled by Cloudflare which is where Let's Encrypt goes to look for my TXT entries.

Your client is assuming that cpanel is hosting that authoritative DNS server and is only updating it there.

By authoritative DNS server, I'm referring to what is configured with your registrar

2 Likes

I don't think so. The domain is desytec.com, and according to the registrar (whois.com) the authoritative name server is Cloudns, which is correct.

Let's Encrypt is updating the local server; however, when validating the DNS challenge it is using the authoritative server, and since it updates the local server, of course that information does not match the authoritative information.

Besides, I notice there is some contradiction in what you are saying. Why would Let's Encrypt be capable of updating the TXT record of a remote name server? For security reasons, I am pretty sure it is impossible.

I am wondering if it is possible to prevent Let's Encrypt from updating the TXT entry on the local server, by means of a configuration or something.

On the other hand, I asked the hosting technician to give me a hand on this investigation because DNS validation is the only way for me.

If I could use HTTP validation, the solution would be easy, but this is not the case.

Regards
Jaime

Your domain and NS1 respond to different servers. Your DNS is hosted by CloudDNS and your website is hosted by Linode. So it makes perfect sense that any DNS changes made on your server at Linode won't affect the actual DNS zone for your domain.

This is the same as the situation I posted, I host my own server, but rely on a 3rd party to run my DNS. I have my ACME client configured to use my DNS providers API to update the TXT record.

This is accurate: your ACME client hasn't been given credentials or information on how to update your authoritative server.

It isn't; your ACME client is responsible for updating your DNS server entries. Let's Encrypt just checks the server published by your registrar once the ACME client indicates it has completed updating them.

Probably. You'd have to ask the developer or check the documentation for your ACME client on how to reconfigure it to update the correct server.

1 Like
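The two replies above make the same point: the CA never writes DNS; the client (or the admin, by hand) has to publish a value at the authoritative servers, and the value is not a secret handed out by the CA but is derived from the challenge token and the ACME account key (RFC 8555 section 8.4, using the RFC 7638 key thumbprint). The following Python is an added example written for this thread, not code from cPanel or Let's Encrypt. The account key, token and zone contents are constructed sample data; `dns01_satisfied` stands in for the CA's lookup and takes a dictionary of what the authoritative servers answer, so it runs offline.

```python
"""DNS-01 key authorization (RFC 8555 section 8.4) and a check against what the
authoritative name server actually serves.

Illustrative code added to this thread, not cPanel's or Let's Encrypt's own.
The token, account key and zone contents below are constructed sample data.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses for tokens, digests and JWK members."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted by name,
    serialized with no whitespace. Extra members such as 'alg' or 'kid' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The TXT record content the CA expects at _acme-challenge.<domain>:
    base64url(SHA-256(token "." thumbprint(account key))). A new order means a
    new token, so the value changes on every attempt; that is by design."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """Owner name of the TXT record. For a wildcard order the leading '*.' is dropped,
    so *.example.com and example.com share _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}."


def dns01_satisfied(domain: str, token: str, account_jwk: dict, txt_records: dict) -> bool:
    """Mimic the CA's check: is the expected value among the TXT strings served at the
    challenge name? txt_records maps owner name -> list of TXT values, i.e. what a
    query to the *authoritative* servers returned (not the zone on the web host)."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in txt_records.get(challenge_name(domain), [])


def publish(zone: dict, domain: str, value: str) -> None:
    """What the ACME client must do at the authoritative DNS provider (via its API) or
    what the admin does by hand in the provider's control panel."""
    zone.setdefault(challenge_name(domain), []).append(value)


# Constructed sample account key: a P-256 JWK with made-up coordinates.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "alg": "ES256",  # present in real JWKs, but not part of the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token
DOMAIN = "*.example.com"

# Constructed picture of the authoritative zone: it still holds the value from an
# earlier, failed attempt, which is exactly the mismatch described in the thread.
AUTHORITATIVE_ZONE = {
    "_acme-challenge.example.com.": [dns01_txt_value("token-from-an-earlier-order", ACCOUNT_JWK)],
}


if __name__ == "__main__":
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print("publish TXT at", challenge_name(DOMAIN), "with value", value)
    print("before publishing:", dns01_satisfied(DOMAIN, TOKEN, ACCOUNT_JWK, AUTHORITATIVE_ZONE))
    publish(AUTHORITATIVE_ZONE, DOMAIN, value)
    print("after publishing: ", dns01_satisfied(DOMAIN, TOKEN, ACCOUNT_JWK, AUTHORITATIVE_ZONE))
```

In practice the check that matters is the one against the servers the registrar delegates to: query the NS records for the domain, then ask one of those servers (not the web host, and not a recursive resolver that may still cache the old value) for the TXT record at `_acme-challenge.<domain>` and compare it with the value the client reports. If the client only ever writes to a local zone, no amount of retrying will make the two match, and each failed attempt counts toward the "too many failed authorizations" rate limit seen earlier in the thread.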

That is far from accurate.

Do you mean certbot?
LE doesn't modify anything anywhere - it only verifies things and issues certs when all OK.

Certbot doesn't do stuff you don't tell it to do.

So my question is: how did you configure your certbot to do that?

Never mind, cPanel, not certbot. Your cPanel is updating the incorrect DNS servers. Please refer to your hosting provider or cPanel assistance or documentation on how to configure your cPanel properly for your application (i.e.: using Cloudflare as the DNS server for the challenge record).

1 Like