I accidentally deleted the _acme-challenge TXT record value from Route53 for my domain. Now when I tried to issue certificates again, it did not give me an _acme-challenge value so that I can create a new record.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.staging-smartonline.com.au

I ran this command: root@ip-172-31-44-240:/home/ubuntu# sudo certbot certonly --agree-tos --email support@invezzatechnologies.com --manual --preferred-challenges=dns -d *.staging-smartonline.com.au --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/staging-smartonline.com.au-0001.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.staging-smartonline.com.au

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/staging-smartonline.com.au-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/staging-smartonline.com.au-0001/privkey.pem
This certificate expires on 2022-06-20.
These files will be updated when the certificate renews.

NEXT STEPS:

  • This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

It produced this output:

My web server is (include version): Server version: Apache/2.4.46 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: AWS Route53

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.25.0

Urgent, need help ASAP. My staging sites are down.

You've renewed an already perfectly fine certificate. You're using certonly so you need to make sure your service is actually using the correct certificate, NOT re-issue an already fine certificate.

Please appreciate the two useless renewals you've done in the last 2 days here:

The first certificate issued on 21 March would suffice.

Please don't add unnecessary load to the Let's Encrypt infrastructure, thanks.

3 Likes

I just tried to generate a new _acme-challenge record. I assumed renewing would generate a new TXT record which I would then add to Route53.

But it did not work as expected. Could you please help here?

Why do you need a new _acme-challenge record to begin with? You already have two working certificates issued yesterday and one perfectly fine certificate issued today!

3 Likes

If you can please follow:

You can search for the step where it says "Once you execute the command, you will receive a TXT record which you need to add to your DNS server."

I am just trying to add that, as I accidentally deleted it.

But why do you want to add that? Just because it says so in a guide? You need to make sure you understand all the steps in the process and it seems you don't really understand it.

For every hostname in a certificate, there needs to be a valid authorization. Valid authorizations are cached for 30 days. If there is no valid authorization, a challenge needs to be performed. For the dns-01 challenge, a TXT record with a temporary token needs to be placed in the DNS. As said, this token is temporary: for every new challenge, the token will be different. If there already is a cached valid authorization present for a certain hostname, this cached authorization will be used and NO new challenge is required. If all the hostnames in a certain certificate issuance request already have valid cached authorizations, the entire certificate can be issued without any challenge required, so also no TXT records are required.

Please read the basics about the process here:

And the challenges mentioned above here:

5 Likes
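The two points made above, that the TXT value is derived from a per-challenge token so it is never reusable, and that a cached valid authorization removes the need for any TXT record, can be made concrete in code. The following is an added example written for this thread; it is not Certbot's code or anything posted by the participants. It follows RFC 8555 section 8.4 (dns-01 key authorization) and RFC 7638 (JWK thumbprint); the account key, tokens, dates and the 30-day cache lifetime are constructed or taken from the discussion, and the authorization cache is a simplified stand-in for the CA's real one (in particular it keys wildcard names literally, whereas ACME represents them as the base name plus a wildcard flag).

```python
"""Added example: dns-01 TXT value derivation and authorization caching.

Not from the thread or from Certbot. Key material and tokens are constructed.
"""
import base64
import hashlib
import json
from datetime import datetime, timedelta

# Lifetime of a valid authorization as described in the thread.
AUTHZ_CACHE_LIFETIME = timedelta(days=30)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* members only,
    lexicographically ordered, no whitespace. Optional members such as
    'kid' or 'alg' do not influence the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.4: TXT value = base64url(SHA-256(token '.' thumbprint)).
    The CA issues a fresh token per challenge, so the TXT value is only
    ever valid for that one challenge and is useless afterwards."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def hostnames_needing_challenge(hostnames, cached_authorizations, now):
    """Return the hostnames that have no valid cached authorization.

    cached_authorizations maps hostname -> ISO date the authorization was
    validated; 'now' is an ISO date. Identifiers are keyed exactly as given
    (toy model; real ACME uses a wildcard flag rather than a literal '*.')."""
    now_dt = datetime.fromisoformat(now)
    needs = []
    for name in hostnames:
        validated = cached_authorizations.get(name)
        if validated is None or now_dt - datetime.fromisoformat(validated) > AUTHZ_CACHE_LIFETIME:
            needs.append(name)
    return needs


def plan_dns01_records(hostnames, cached_authorizations, now, tokens, account_jwk):
    """Map the TXT record name to the value that must be published, for
    hostnames that actually need a challenge. Wildcard '*.example' is
    validated at _acme-challenge.example. 'tokens' maps hostname -> the
    token the CA handed out for this challenge (constructed here)."""
    records = {}
    for name in hostnames_needing_challenge(hostnames, cached_authorizations, now):
        base = name[2:] if name.startswith("*.") else name
        records[f"_acme-challenge.{base}"] = dns01_txt_value(tokens[name], account_jwk)
    return records


if __name__ == "__main__":
    # Constructed EC account key: coordinates are placeholders, not a real key.
    jwk = {"kty": "EC", "crv": "P-256", "x": b64url(bytes(32)), "y": b64url(bytes([1] * 32))}
    host = "*.staging-smartonline.com.au"
    # First certificate was issued on 21 March; two days later the authz is cached.
    print("records needed on 2022-03-23:",
          plan_dns01_records([host], {host: "2022-03-21"}, "2022-03-23",
                             {host: "constructed-token-1"}, jwk))
    # Fifty days later the cache has expired and a new token yields a new value.
    print("records needed on 2022-05-10:",
          plan_dns01_records([host], {host: "2022-03-21"}, "2022-05-10",
                             {host: "constructed-token-2"}, jwk))
```

Run as a script it prints an empty plan for the second-day renewal and a single `_acme-challenge.staging-smartonline.com.au` record for the expired-cache case, which is exactly why the renewal in the first post asked for no TXT record: the authorization from the day before was still cached.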

Thank you. I will go through this.

1 Like

One thing you might be missing here--the _acme-challenge record is used only for Let's Encrypt to validate that you have control over your domain. It's used once, and should be deleted once the certificate is obtained. It isn't intended to be a permanent DNS record like, e.g., some things that Google wants to do.

So, once you got the cert, you should have deleted this record. And the next time you get a cert, if it needs to validate again, it will give you a new value, you'll create a new TXT record, get the new cert, and then delete the record again. If, that is, you're still following this strongly-discouraged procedure.

4 Likes

Thank you Dan.

It was useful information.

My certificates are working fine now. It seems that for some of the WordPress websites HTTP was not working and the sites were only working with HTTPS.

Hence, I thought it is because the record got deleted.

1 Like
