Incorrect TXT record error even after the token matches

My domain is:

I modified code from GitHub - diafygi/acme-tiny (a tiny script to issue and renew TLS certs from Let's Encrypt) to suit my purpose. I can add that here as well if required.

You can view this Challenge URL:

The response is

{
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"n_hJr-MdFaQenA6va0-NSVXDBdy-WKXJR9M3H9QtZd0\" found at",
    "status": 403
  },
  "url": "",
  "token": "n_hJr-MdFaQenA6va0-NSVXDBdy-WKXJR9M3H9QtZd0",
  "validated": "2022-09-23T17:53:26Z"
}

Here, I can see that the token and the TXT response match. So why is it giving unauthorized? Am I missing something?

Hi @saichander17, and welcome to the LE community forum :)

The record found (and there now) appears to be incorrect:

Note: Each time the ACME process "runs" it creates a new TXT record.


Hi @rg305, thanks for responding quickly. But from the response, you can see that the token value and the value in the error message are the same. I'm sorry if I'm missing something very obvious here! I would like help in understanding.


There must be something in the logs that hasn't been shown.
Can you show more/all of it?


Technically they are not exactly the same:


[as seen/displayed by the error message]
[but that could be a wild goose chase - let's see the full logs]


Yes, I have also observed the backslash, but it's the same for other domains as well, where I used certbot to manually generate challenges and updated my Route53. That works quite well in general. Right now, I'm using the above-mentioned script, which internally uses the Let's Encrypt APIs, as I understand it.

Shall I provide you with responses from all the APIs I'm calling? I don't have any logs as of now, as I'm not using certbot.

Anything is better than nothing.
[something must explain what is going on]


@rg305 , Please find the logs I could generate below.
If you need help in understanding any line from the logs, I can give an explanation around that easily. Thanks again for helping!

Parsing account key...
Parsing CSR...
Found domains: *
Getting directory...
Directory found!
Registering account...
Already registered! Account ID:
Creating new order...
{'status': 'pending', 'expires': '2022-09-30T18:42:44Z', 'identifiers': [{'type': 'dns', 'value': '*'}], 'authorizations': [''], 'finalize': ''}
Order created!
{'identifier': {'type': 'dns', 'value': ''}, 'status': 'pending', 'expires': '2022-09-30T18:42:44Z', 'challenges': [{'type': 'dns-01', 'status': 'pending', 'url': '', 'token': 'cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ'}], 'wildcard': True}
Challenge: {'type': 'dns-01', 'status': 'pending', 'url': '', 'token': 'cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ'}...
Token: cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ...
Updating Route53!
({'type': 'dns-01', 'status': 'pending', 'url': '', 'token': 'cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ'}, 200, <http.client.HTTPMessage object at 0x10d2b23d0>)
Traceback (most recent call last):
  File "", line 287, in <module>
  File "", line 282, in main
    signed_crt = get_crt(account_key_path, csr_path, contact='')
  File "", line 219, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for {'identifier': {'type': 'dns', 'value': ''}, 'status': 'invalid', 'expires': '2022-09-30T18:42:44Z', 'challenges': [{'type': 'dns-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Incorrect TXT record "cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ" found at', 'status': 403}, 'url': '', 'token': 'cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ', 'validated': '2022-09-23T18:47:59Z'}], 'wildcard': True}

Response from dig -t txt

; <<>> DiG 9.10.6 <<>> -t txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49496
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1280

;; ANSWER SECTION:
 300 IN TXT "cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ"

;; Query time: 13 msec
;; WHEN: Sat Sep 24 02:44:36 +08 2022
;; MSG SIZE  rcvd: 122

You should probably look at this thread. Same problem as yours. If I understand correctly, you are not using the token correctly.


Thanks @MikeMcQ , Let me check and get back here.


Thank you so much @MikeMcQ. It worked. My bad in assuming that the token should be the same as the TXT response; based on the API response, I assumed that. Thanks for the quick help.
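An added worked example, not code from this thread, from acme-tiny or from certbot, of what a dns-01 challenge actually expects per RFC 8555 §8.4: the TXT record at `_acme-challenge.<domain>` must contain the base64url-encoded SHA-256 digest of the key authorization (the token, a dot, and the RFC 7638 thumbprint of the ACME account key), never the raw token that the authorization object shows. The token is the one from the log above; the account JWK and the dig answer line are constructed for illustration and are not a real key or real DNS data. `diagnose_txt` reproduces the situation in the thread, where dig returned the bare token, and names the mistake.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout (RFC 8555 / RFC 4648 §5)."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the JSON of only the required public members,
    keys in lexicographic order, no whitespace. Private members and 'kid' are ignored.
    (Feeding in the RFC 7638 §3.1 example key should yield
    NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs, a handy self-check.)"""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 §8.1: token '.' thumbprint. http-01 serves this string verbatim."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 §8.4: dns-01 publishes base64url(SHA-256(key authorization)),
    so the TXT data is 43 characters and never equals the token."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def parse_dig_txt(answer_line: str) -> str:
    """Join the quoted strings of one dig TXT answer line; DNS splits long
    TXT data into <=255-byte strings that the client must concatenate."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', answer_line))


def diagnose_txt(token: str, jwk: dict, found: str) -> str:
    """Classify a TXT value seen in DNS against what the CA will compute."""
    if found == dns01_txt_value(token, jwk):
        return "ok"
    if found == token:
        return "raw-token"  # the mistake in this thread
    if found == key_authorization(token, jwk):
        return "unhashed-key-authorization"  # the http-01 value, wrong for dns-01
    return "mismatch"  # stale record from an earlier run, typo, or a different account key


# Token copied from the log in the thread. The JWK below is constructed (not a real
# key, the modulus is just a short base64url string) purely to drive the thumbprint math.
TOKEN = "cHyEpLY5a3W5TN7RwJSa3QrbifwoY6HClws3qlqWFSQ"
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
}

if __name__ == "__main__":
    print("publish at _acme-challenge.<domain>:", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    # Constructed dig answer reproducing the thread: the raw token was published.
    dig_line = f'_acme-challenge.example.net. 300 IN TXT "{TOKEN}"'
    print(diagnose_txt(TOKEN, ACCOUNT_JWK, parse_dig_txt(dig_line)))  # prints "raw-token"
```

Run it as-is to see the value that should have been published and the `raw-token` verdict; to check a live record before asking the CA to validate, pass the output of `dig +short TXT _acme-challenge.<domain>` through `parse_dig_txt` and `diagnose_txt` with your real account JWK. Two caveats that follow from the thread: every new order issues a fresh token, so the record must be rewritten on each run and the old one removed, and an order covering both a wildcard and its base name yields two dns-01 challenges at the same `_acme-challenge` name, so both TXT records must be present at the same time.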