Incorrect TXT record found

I'm doing a multi-domain DNS challenge via --dns-cloudflare on certbot 1.21.0 and I've encountered this issue multiple times where it seems that the TXT records are being mixed up. The error I'm getting is:

Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
(...)
  Detail: Incorrect TXT record "1cbWW33xpKwwkV6WlnEI3pKTzM7IqRia7R01jnEQJ2A" found at (...)

Note that the TXT record itself changes every time I run it (so the creation of the record does work), but I think it's getting the records mixed up. The command I'm running is:

# certbot certonly --dry-run --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.tld,*.example.tld --agree-tos --email foo@bar.baz --preferred-challenges dns-01 -v

So I'm guessing that rather than putting both the challenges (or one of them at a time in the correct order, I don't know), it only puts one and it's the one for the wrong -d entry.

This has worked in the past, and the last time I switched the domains around which resolved the issue, but now it's started happening again. Does anyone know what the issue is? Is it the cloudflare plugin messing things up, or have I missed something?

Hi @baleygr, and welcome to the LE community forum :slight_smile:

Before anything else, please update that to a more recent version.
The latest is now: 2.9.0

Then...

  • how many TXT records exist in that zone [right now]?
  • how many DNS servers does your domain use?
  • how quickly do they synchronize?
3 Likes

Thanks for the heads up, I'm using the certbot package from the Ubuntu 22 repos so I'll see if I can manage to get a hold of a newer one.

There are currently five TXT records, none of them are related to acme renewals, it's just DMARC, SPF and stuff like that.

This is using Cloudflare's DNS servers so SOA is [something].ns.cloudflare.com and dns.cloudflare.com, I have no idea how many actual "servers" that corresponds to in reality.

1 Like

Don't use apt for certbot, see: Certbot (eff.org)
[for recommended installation instructions]

Try adding a delay in the process, see: Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation
["--dns-cloudflare-propagation-seconds"]

4 Likes
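The two replies above point at the same diagnostic: for `-d example.tld,*.example.tld` both DNS-01 validations are published under the single name `_acme-challenge.example.tld`, so two TXT records must coexist there and every authoritative nameserver must already serve both before the CA looks. The script below is an added example, not code from the thread or from certbot; it parses `dig +short TXT` output, compares what each server returns against the tokens the client placed, and labels the result as propagation lag, a stale/mismatched record (the "Incorrect TXT record" case), or fine. The nameserver names and token strings are constructed placeholders; the live `dig` helper is only used when you call it yourself.

```python
"""Added example: diagnose the TXT state at _acme-challenge.<domain> for DNS-01.

Not part of certbot or the forum thread. Sample data is constructed; nameserver
names and tokens are placeholders.
"""
import shutil
import subprocess


def parse_dig_short_txt(output: str) -> set:
    """Parse `dig +short TXT name` output into a set of record values.

    Each line is one record made of one or more quoted strings; a record that
    dig prints as "abc" "def" is the single value "abcdef". Escaped quotes
    inside strings are not handled (ACME tokens never contain them).
    """
    records = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = []
        i = 0
        while i < len(line):
            if line[i] == '"':
                j = line.index('"', i + 1)
                parts.append(line[i + 1:j])
                i = j + 1
            else:
                i += 1
        records.add("".join(parts))
    return records


def query_txt(name: str, nameserver: str) -> set:
    """Live lookup against one authoritative server (requires `dig`)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    out = subprocess.run(
        ["dig", "+short", "TXT", name, f"@{nameserver}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_dig_short_txt(out)


def check_acme_txt(expected: set, per_server: dict) -> dict:
    """Compare the tokens the client placed (expected) with what each
    authoritative server serves (per_server: nameserver -> set of TXT values).

    The CA only needs one matching record per validation, so extra unrelated
    TXT values at the name are harmless; a name where *none* of the served
    values match is the "Incorrect TXT record ... found" failure.
    """
    missing = {ns: expected - seen for ns, seen in per_server.items()}
    stale = {ns: seen - expected for ns, seen in per_server.items()}
    views = {frozenset(seen) for seen in per_server.values()}
    result = {
        "ok": all(not m for m in missing.values()),
        "missing": {ns: m for ns, m in missing.items() if m},
        "stale": {ns: s for ns, s in stale.items() if s},
        "servers_disagree": len(views) > 1,
    }
    if result["servers_disagree"]:
        # Some servers already have the new record(s), others do not yet:
        # classic propagation lag; a longer --dns-cloudflare-propagation-seconds helps.
        result["hint"] = "servers disagree: wait for propagation before validating"
    elif result["ok"]:
        result["hint"] = "every server serves every expected token"
    elif result["stale"]:
        # All servers agree, but on tokens the client did not place this run.
        result["hint"] = "only old/wrong tokens served: leftover or mixed-up records"
    else:
        result["hint"] = "no TXT record at the challenge name yet"
    return result


def demo() -> dict:
    """Constructed scenario: one server lags behind the other."""
    expected = {"TOKEN_FOR_APEX", "TOKEN_FOR_WILDCARD"}  # placeholders
    per_server = {
        "ns1.placeholder.invalid": {"TOKEN_FOR_APEX", "TOKEN_FOR_WILDCARD"},
        "ns2.placeholder.invalid": {"TOKEN_FOR_APEX"},
    }
    return check_acme_txt(expected, per_server)


if __name__ == "__main__":
    print(demo())
```

To use it against a real zone, query each server listed in the zone's NS set with `query_txt("_acme-challenge.example.tld", "<that server>")` while certbot is sleeping in its propagation window (use `--dns-cloudflare-propagation-seconds` to widen that window), then feed the per-server sets to `check_acme_txt` together with the tokens from certbot's verbose output.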

Ok, so I'm now running certbot via snap:

# certbot --version
certbot 2.9.0

I removed the "certbot" apt package as well as the "python3-cloudflare" package followed by:

snap install certbot
snap set certbot trust-plugin-with-root=ok
snap install certbot-dns-cloudflare

When I ran the same certbot certonly command as in the initial post I initially got the same error, but then I remembered I also had to remove the "python3-cloudflare" package, and then it worked.

It's a bit unfortunate that snap is enforced to run certbot (even on Debian), it would be nice to be able to just run it in a python venv or something, but anyway it works so thanks for the pointers.

1 Like

That's also possible using pip, but is not the recommendation as it's just partially supported by the Certbot team.

3 Likes

That's how I run it on Debian. I use a cron job to autoupdate certbot, too.

Not everyone has the skills for that method. The fact that you are aware of python venv suggests that you do. :wink:

4 Likes

Certbot docs for installing with Pip in a venv are here.

The certbot team recommends snap because it’s isolated and updates automatically, which is a good option for many people, but it isn’t the only option.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.