Incorrect TXT record for a correct TXT record

lfernandez · January 27, 2021, 9:03pm

My domain is: consorcio.cl

I ran this command:
sudo certbot -d ... *.banco.cert.acmee.digital.consorcio.cl ... --manual --preferred-challenges dns certonly
It produced this output:
Please deploy a DNS TXT record under the name
_acme-challenge.banco.cert.acmee.digital.consorcio.cl with the following value:

v8wfi91ezJhKrGlCL6RkMte-hSbocXx3ZUb0aQ65xCI

- The following errors were reported by the server:

Domain: banco.cert.acmee.digital.consorcio.cl
Type: dns
Detail: During secondary validation: DNS problem: query timed out
looking up CAA for cl

The following errors were reported by the server:

Domain: banco.cert.acmee.digital.consorcio.cl
Type: unauthorized
Detail: Incorrect TXT record
"v8wfi91ezJhKrGlCL6RkMte-hSbocXx3ZUb0aQ65xCI" found at
_acme-challenge.banco.cert.acmee.digital.consorcio.cl

My web server is (include version): it's a wildcard for several microservices

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Osiris · January 27, 2021, 9:07pm

The ".." dots from the command you've used suggests to me you're also adding other domains to that certificate, perhaps also the non-wildcard domain banco.cert.acmee.digital.consorcio.cl?

lfernandez · January 27, 2021, 9:09pm

Thanks for your answer.

Indeed. Omitted what I thought to be unnecessary information.

Osiris · January 27, 2021, 9:27pm

If you're trying to authorize the hostnames banco.cert.acmee.digital.consorcio.cl and *.banco.cert.acmee.digital.consorcio.cl, the Let's Encrypt validation servers requires two distinct TXT records for the same _acme-challenge.banco.cert.acmee.digital.consorcio.cl hostname. I think this is where the confusion comes from. You've added a single TXT record for just one of those two hostnames where Let's Encrypt expects to see a second one too.

lfernandez · January 27, 2021, 9:27pm

You were right. I removed banco.cert.acmee.digital.consorcio.cl and it worked. Just leaved the wildcard and the rest of the hostnames.

Thanks!

Osiris · January 27, 2021, 9:53pm

Well, that's not really the solution I had in mind, because now your certificate won't work for the hostname banco.cert.acmee.digital.consorcio.cl but only for subdomains thereof.

The solution would have been for you to add both TXT records when requested by certbot. All properly designed DNS zone editors should be able to handle multiple TXT records for the same hostname.

system · February 26, 2021, 9:53pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.