Incorrect TXT record for a correct TXT record

My domain is: consorcio.cl

I ran this command:
sudo certbot -d ... *.banco.cert.acmee.digital.consorcio.cl ... --manual --preferred-challenges dns certonly
It produced this output:
Please deploy a DNS TXT record under the name
_acme-challenge.banco.cert.acmee.digital.consorcio.cl with the following value:

v8wfi91ezJhKrGlCL6RkMte-hSbocXx3ZUb0aQ65xCI

- The following errors were reported by the server:

Domain: banco.cert.acmee.digital.consorcio.cl
Type: dns
Detail: During secondary validation: DNS problem: query timed out
looking up CAA for cl

  • The following errors were reported by the server:

    Domain: banco.cert.acmee.digital.consorcio.cl
    Type: unauthorized
    Detail: Incorrect TXT record
    "v8wfi91ezJhKrGlCL6RkMte-hSbocXx3ZUb0aQ65xCI" found at
    _acme-challenge.banco.cert.acmee.digital.consorcio.cl

My web server is (include version): it's a wildcard for several microservices

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

The ".." dots from the command you've used suggests to me you're also adding other domains to that certificate, perhaps also the non-wildcard domain banco.cert.acmee.digital.consorcio.cl?

Thanks for your answer.

Indeed. Omitted what I thought to be unnecessary information.

1 Like

If you're trying to authorize the hostnames banco.cert.acmee.digital.consorcio.cl and *.banco.cert.acmee.digital.consorcio.cl, the Let's Encrypt validation servers require two distinct TXT records for the same _acme-challenge.banco.cert.acmee.digital.consorcio.cl hostname. I think this is where the confusion comes from. You've added a single TXT record for just one of those two hostnames where Let's Encrypt expects to see a second one too.

1 Like

You were right. I removed banco.cert.acmee.digital.consorcio.cl and it worked. Just left the wildcard and the rest of the hostnames.

Thanks!

1 Like

Well, that's not really the solution I had in mind, because now your certificate won't work for the hostname banco.cert.acmee.digital.consorcio.cl but only for subdomains thereof.

The solution would have been for you to add both TXT records when requested by certbot. All properly designed DNS zone editors should be able to handle multiple TXT records for the same hostname.

2 Likes
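To make the point of the two replies above concrete (that a base name and its wildcard both validate at the same _acme-challenge name, so the zone must carry one TXT value per identifier), here is an added pre-flight check; it is example code, not from this thread or from certbot. It assumes the operator copies the identifier/value pairs certbot prints into CHALLENGES and the zone's current TXT RRset into ZONE_TXT; the second challenge value and the zone contents are constructed.

```python
# Added example (not from the thread): which TXT records a DNS-01 run needs
# when a base name and its wildcard share one _acme-challenge name, and a
# check that the zone carries all of them before telling certbot to continue.

from collections import defaultdict


def challenge_record_name(identifier: str) -> str:
    """Map an identifier to its DNS-01 record name (RFC 8555 section 8.4).

    The "*." of a wildcard is dropped first, so "*.example" and "example"
    both land on the same _acme-challenge TXT RRset.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".")


def required_txt_records(challenges):
    """Group the per-identifier values certbot prints by the record name they belong to."""
    required = defaultdict(set)
    for identifier, value in challenges:
        required[challenge_record_name(identifier)].add(value)
    return dict(required)


def missing_txt_records(required, zone_txt):
    """Return {record_name: values still absent from the zone's TXT RRset}; empty when ready."""
    missing = {}
    for name, values in required.items():
        absent = values - set(zone_txt.get(name, []))
        if absent:
            missing[name] = absent
    return missing


# Constructed input: the two identifiers from the thread. The first value is the
# one certbot printed in the original post; the second is a made-up placeholder.
CHALLENGES = [
    ("banco.cert.acmee.digital.consorcio.cl", "v8wfi91ezJhKrGlCL6RkMte-hSbocXx3ZUb0aQ65xCI"),
    ("*.banco.cert.acmee.digital.consorcio.cl", "EXAMPLE_second_value_for_the_wildcard_000"),
]

# Constructed zone state reproducing the failure: only one of the two values published.
ZONE_TXT = {
    "_acme-challenge.banco.cert.acmee.digital.consorcio.cl":
        ["v8wfi91ezJhKrGlCL6RkMte-hSbocXx3ZUb0aQ65xCI"],
}

if __name__ == "__main__":
    for name, absent in missing_txt_records(required_txt_records(CHALLENGES), ZONE_TXT).items():
        print(f"{name}: publish {len(absent)} more TXT record(s): {sorted(absent)}")
```

Run it against the live RRset (e.g. the answer section of a TXT query for the _acme-challenge name) after every zone edit; an empty result means both identifiers can be validated without removing the non-wildcard name from the certificate.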
