Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:nerdonthefairway.com
I ran this command: I ran the Traefik reverse proxy in a Docker container. Traefik in turn used Let's Encrypt and Cloudflare to download an SSL certificate for my domain nerdonthefairway.com. This operation generated an error:
It produced this output:
Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [nerdonthefairway.com *.nerdonthefairway.com]: error: one or more domains had a problem:\n[*.nerdonthefairway.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record "SPSxL3Fn8LFlykBemVVMjL26tw01cED5x1-4g9IIY0U" (and 1 more) found at _acme-challenge.nerdonthefairway.com\n[nerdonthefairway.com]
My web server is (include version): It's a reverse proxy, Traefik
The operating system my web server runs on is (include version): Traefik runs on Docker on top of Proxmox
My hosting provider, if applicable, is: Cloudflare
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): No
Query results for TXT _acme-challenge.nerdonthefairway.com
Response:
;; opcode: QUERY, status: NOERROR, id: 35911
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.nerdonthefairway.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.nerdonthefairway.com. 0 IN TXT "OlczmhFgL5eWSK5gYlljZf42tdUOTlY_J_aI_ZBty_0"
_acme-challenge.nerdonthefairway.com. 0 IN TXT "SPSxL3Fn8LFlykBemVVMjL26tw01cED5x1-4g9IIY0U"
_acme-challenge.nerdonthefairway.com. 0 IN TXT "nfjkZYYlxiaWGwmzEMffPnVn1I6SS_l_c-c8nnRtozY"
_acme-challenge.nerdonthefairway.com. 0 IN TXT "HDuRat05w4cvbxPKk0RUp-HZZF-FmGoh6H1tg5-30A0"
Commonly, ACME clients clean up after themselves by removing the TXT records they added after the DNS-01 challenge completes.
But presently, as shown above, there are still 4 TXT records present.
Thanks. The reason the records are still there is that when Let's Encrypt queries Cloudflare for these records, it gets an error; different errors, like sometimes I see a 403 (forbidden), or sometimes I see that the authoritative server returned a SERVFAIL. In any case, since it never gets a valid response back, I don't get the SSL cert, and the records don't go away. Thanks.
I can remove them manually, but the purpose hasn't been fulfilled, i.e. the domain has not been validated because of the errors I mentioned. Should I still go ahead and remove them? I think ACME will add them again.
I deleted them. I see new sets being generated, they get propagated to the name servers, however ACME is still not able to find them and validate my domain.
I ran this command:
I'm trying to configure Traefik as a reverse proxy and I need SSL certs for my domain. The certs I'm trying to get are for the following domains/sans: nerdonthefairway.com
*.nerdonthefairway.com
*.home.nerdonthefairway.com
Unfortunately, ACME is not able to validate my domain. I see the TXT records being added to the DNS in Cloudflare. I see the records get propagated to the name servers, however the lookup is not successful.
My web server is (include version):
I'm running Traefik on Proxmox
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
Cloudflare
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I do see the _acme-challenge records (3) added to Cloudflare, but only 2 get replicated to the authoritative name server, and they are both at the root domain, not at the wildcard.
Check that your ACME client is allowing enough time for your DNS nameserver to replicate changes amongst themselves. Usually they need at least 30 seconds and on some providers they need a minute or more. It's usually adjustable somewhere in your ACME client configuration.
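As an added illustration of the two points raised above (stale TXT records left behind, and the client not waiting long enough for replication), here is a pre-flight checker written for this thread; it is not code from Traefik, Let's Encrypt or anyone in the thread. It assumes a `lookup(nameserver, name)` callable that returns the TXT values one authoritative server currently serves (in practice backed by dig or dnspython queries sent to each NS directly), and the tokens and nameserver names in the sample data are constructed placeholders. It also shows why the wildcard records land at the root name: `example.com` and `*.example.com` are both validated at `_acme-challenge.example.com`.

```python
import time
def challenge_name(identifier):
    """TXT owner name the CA queries for an identifier. A wildcard is validated at its
    base name, so 'example.com' and '*.example.com' share one _acme-challenge name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}."

def expected_records(order):
    """order: identifier -> TXT value for its challenge. Values for a base name and its
    wildcard merge into one set because both live under the same owner name."""
    out = {}
    for ident, value in order.items():
        out.setdefault(challenge_name(ident), set()).add(value)
    return out

def check_propagation(expected, observed):
    """expected: name -> tokens the CA must see; observed: ns -> name -> TXT values it serves.
    Returns (missing, stale): tokens not yet replicated, and leftovers no pending order expects."""
    missing, stale = {}, {}
    for ns, answers in observed.items():
        for name, want in expected.items():
            have = answers.get(name, set())
            if want - have:
                missing.setdefault(ns, {})[name] = want - have
            if have - want:
                stale.setdefault(ns, {})[name] = have - want
    return missing, stale

def wait_for_propagation(expected, lookup, nameservers, timeout=120.0, interval=10.0,
                         clock=time.monotonic, sleep=time.sleep):
    """Poll each authoritative nameserver until every expected token is visible or the timeout passes."""
    deadline = clock() + timeout
    while True:
        observed = {ns: {n: set(lookup(ns, n)) for n in expected} for ns in nameservers}
        missing, stale = check_propagation(expected, observed)
        if not missing:
            return True, stale   # safe to tell the CA to validate; stale lists what to clean up
        if clock() >= deadline:
            return False, stale  # do not trigger validation yet: the CA would see the gap too
        sleep(interval)

# Constructed sample (placeholder tokens, not the thread's values): ns2 is still replicating.
ORDER = {"nerdonthefairway.com": "tok-base", "*.nerdonthefairway.com": "tok-wildcard",
         "*.home.nerdonthefairway.com": "tok-home"}
EXPECTED = expected_records(ORDER)
FAKE_ANSWERS = {
    "ns1.example": {"_acme-challenge.nerdonthefairway.com.": {"tok-base", "tok-wildcard", "tok-stale"},
                    "_acme-challenge.home.nerdonthefairway.com.": {"tok-home"}},
    "ns2.example": {"_acme-challenge.nerdonthefairway.com.": {"tok-base"}}}
```

Run `check_propagation(EXPECTED, FAKE_ANSWERS)` to see the lagging server and the leftover record reported separately; in Traefik the delay the reply refers to is the dnsChallenge `delayBeforeCheck` setting.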