Incorrect TXT Record Error


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: infosecfor.me

I ran this command: sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

It produced this output: The following errors were reported by the server:

Domain: infosecfor.me
Type: unauthorized
Detail: Incorrect TXT record
“2D3CexlsQjd33EGwOKC-_2W7zPdyA7jklZYgqm20Lnw” found at
_acme-challenge.infosecfor.me

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
bitnami@ip-172-26-12-217:~$ The client lacks sufficient authorization :: Incorrect TXT record "2D3CexlsQjd33EGwOKC-_2W7zPdyA7jklZYgqm20Lnw" found at _acme-challenge.infosecfor.me

My web server is (include version): Lightsail LAMP PHP 7.1

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: Amazon Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0


#2

Hi @tychoash

Your TXT entries are good ( https://check-your-website.server-daten.de/?q=infosecfor.me ):

TXT - Entries

Domainname                    | TXT Entry                                   | Status     | ∑ Queries | ∑ Timeout
infosecfor.me                 |                                             | ok         | 1         | 0
_acme-challenge.infosecfor.me | 2D3CexlsQjd33EGwOKC-_2W7zPdyA7jklZYgqm20Lnw | looks good | 1         | 0
_acme-challenge.infosecfor.me | mYo3scuxxHA6oo0ZVTCZOeTUd1HGtwTfSO9uEtwyMrY | looks good | 1         | 0

But: you need two different TXT entries with the same name and different values.

So it looks like you have removed the wrong entry.

At the end of your action, both TXT entries must have correct (and different) values.

So start anew:

  • create the first entry
  • create the second entry
  • check if both entries are visible
  • then confirm (next step using certbot)

#3

Wow thanks for the prompt reply! I am using this guide to help me set it up.

https://lightsail.aws.amazon.com/ls/docs/en/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

What step do I need to go back to in order to correct my error?

Thanks in advance for the help,

Aaron


#4

Start a new order.

I don’t really see an error. Your entries are ok, so the only thing:

You have added value 1. Then you have added value 2, but you overwrote value 1. So when Letsencrypt checks, one value is missing.

Two domain names (*.example.com + example.com) -> two different values, but both with the same domain name _acme-challenge.example.com.

Letsencrypt must see both values (same time).


#5

STEP #4, Line 7 says:
Repeat steps 3 through 6 to add the second set of TXT records specified by the Let’s Encrypt certificate request.

But those instructions are not clear, in that they may not work as expected with all DNS systems.

Some (menu-driven) DNS systems will only allow one TXT record to exist for any single FQDN.
That said, you should be able to create one single entry with multiple lines.

So you simply need to combine the two records with a carriage return (line break) into one entry:

instead of:
TXT = “textstring#1”
TXT = “textstring#2”

it could be:
TXT = “textstring#1
textstring#2”


#6

Since you guys were awesome with helping with the other cert issue I am hoping you can help with me setting up my personal one.

Failed authorization procedure. bregg.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “3jvoE7-Ng4q1hayXzT_pUtrLcU3gTPWjTq5HN9cBMpg” (and 1 more) found at _acme-challenge.bregg.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: bregg.com
    Type: unauthorized
    Detail: Incorrect TXT record
    “3jvoE7-Ng4q1hayXzT_pUtrLcU3gTPWjTq5HN9cBMpg” (and 1 more) found at
    _acme-challenge.bregg.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

I am getting this error even after I created an ‘A’ record for www.bregg.com. I am not sure why I am getting this error after I corrected the mistake it told me to correct.

Any help would be greatly appreciated!


#7

Hi @tychoash

I see you have already checked your domain via https://check-your-website.server-daten.de/?q=bregg.com

There are two DNS TXT entries:

TXT - Entries

Domainname                | TXT Entry                                     | Status     | ∑ Queries | ∑ Timeout
bregg.com                 | v=spf1 include:zoho.com ~all                  | ok         | 1         | 0
bregg.com                 | zoho-verification=zb15511938.zmverify.zoho.com | ok         | 1         | 0
www.bregg.com             |                                               | ok         | 1         | 0
_acme-challenge.bregg.com | 3jvoE7-Ng4q1hayXzT_pUtrLcU3gTPWjTq5HN9cBMpg   | looks good | 1         | 0
_acme-challenge.bregg.com | zV8m62iNTw54ZOWfesh__Xmo5C1-EGrNNk8yq-DRbZQ   | looks good | 1         | 0

What command did you use?

If you want a wildcard certificate with *.bregg.com + bregg.com, then you have to create two different entries with the same name and different values.

So start certbot again, and replace these two values with the new entries. Then recheck your domain. If you see the new values, do the next step.

PS: Perhaps change both values in one step.

Certbot shows the first new value -> copy it into a document
Certbot shows the second new value -> copy it too -> go to your DNS settings -> change both values. Wait 3 - 5 minutes -> recheck
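A pre-check for the point made in #2, #4 and #7 (both challenge values must be live at the same name before confirming in certbot), as an added example that is not part of this thread: it parses answer lines in the format `dig TXT _acme-challenge.example.com` prints and reports which values certbot asked for are missing and which are leftovers from an earlier order. The name and values are constructed placeholders, and it assumes each challenge value is stored as its own TXT record.

```python
import re

# One answer line as `dig TXT` prints it (tabs or spaces between columns).
ANSWER_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+TXT\s+(?P<data>.+)$")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_answers(dig_output):
    """Map each owner name (lower-cased, no trailing dot) to its TXT values.

    A record written as several quoted strings is joined into one value, the
    way resolvers normally present it (assumption: one challenge per record).
    """
    records = {}
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if not m:  # comments, blank lines, other record types
            continue
        name = m.group("name").lower().rstrip(".")
        value = "".join(QUOTED_RE.findall(m.group("data")))
        records.setdefault(name, []).append(value)
    return records


def check_challenge(dig_output, name, expected):
    """Return (ok, missing, stale); ok only if every expected value is live.

    `stale` lists values at the name that this order did not ask for, e.g.
    leftovers from an earlier attempt that should be replaced, not kept.
    """
    found = set(parse_txt_answers(dig_output).get(name.lower().rstrip("."), []))
    missing = sorted(set(expected) - found)
    stale = sorted(found - set(expected))
    return (not missing, missing, stale)


# Constructed sample values; real ones come from certbot's --manual prompt.
NAME = "_acme-challenge.example.com"
EXPECTED = ["VALUE-FOR-WILDCARD-xxxxx", "VALUE-FOR-APEX-yyyyy"]

# The failure from the thread: the second value overwrote the first.
OVERWRITTEN = '_acme-challenge.example.com. 300 IN TXT "VALUE-FOR-APEX-yyyyy"\n'

# Correct state: two records, same name, both values (plus one stale value).
COMPLETE = (
    ";; ANSWER SECTION:\n"
    '_acme-challenge.example.com. 300 IN TXT "VALUE-FOR-WILDCARD-xxxxx"\n'
    '_acme-challenge.example.com. 300 IN TXT "VALUE-FOR-APEX-yyyyy"\n'
    '_acme-challenge.example.com. 300 IN TXT "OLD-VALUE-FROM-LAST-ORDER"\n'
)
```

Run `check_challenge(dig_answer, NAME, EXPECTED)` on a fresh lookup against the zone's authoritative nameserver and only press Enter in certbot once `ok` is true.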


#8

Wow that was a fast response. I am following the instructions for using Let’s Encrypt with AWS Lightsail:

https://lightsail.aws.amazon.com/ls/docs/en/articles/amazon-lightsail-using-lets-encrypt-certificates-with-lamp

How do I replace the values so I can create the new entries?


#9

The tutorial uses --manual, so use your DNS menu of your domain to change these two entries.


#10

Ok if I am understanding you correctly I should create a new TXT record in my bregg.com DNS zone that would say _acme-challenge.www.bregg.com (the .www would be the new part)?


#11

Ah, never mind, I understand what you mean now. That time it worked! Thanks and I will definitely have to make a donation.

You rock!


#12

Happy to read that. Yep, now there is a new wildcard certificate:

CN=bregg.com | 27.02.2019 | 28.05.2019 | expires in 90 days | *.bregg.com, bregg.com - 2 entries

And you have created two new TXT entries:

TXT - Entries

Domainname                | TXT Entry                                     | Status     | ∑ Queries | ∑ Timeout
bregg.com                 | v=spf1 include:zoho.com ~all                  | ok         | 1         | 0
bregg.com                 | zoho-verification=zb15511938.zmverify.zoho.com | ok         | 1         | 0
www.bregg.com             |                                               | ok         | 1         | 0
_acme-challenge.bregg.com | 3jvoE7-Ng4q1hayXzT_pUtrLcU3gTPWjTq5HN9cBMpg   | looks good | 1         | 0
_acme-challenge.bregg.com | gddZ3cxz7Slml81MizSAPdA_-gzYpn59g-OZaV2D6GY   | looks good | 1         | 0

ns-1055.awsdns-03.org is your nameserver, but I don’t know if these nameservers support an API to automate that.


#13

Hi J-man! I was able to use the awesome server checking tool to finish my .htaccess and SSL changes. My score went from a ‘C’ to an ‘A’. Thanks!!!


#14

Happy to read that the tool is helpful.

But: C is good. There are a lot of sites with a lot of errors :wink:

Ok, A is better.

