Incorrect TXT record "v=spf1 -all" found at _acme-challenge.serv.org.com

I have a local domain: serv.org.com, which is the domain name for my application, Domino Lotus Notes.

Therefore, I would like to create a wild-card domain for IAM services.

auth.serv.org.com, *.serv.org.com.

However, when I run the following command I get the following error.

certbot certonly --manual --preferred-challenges dns -m cora.kwok@ectest.com.tw -d serv.org.com -d *.serv.org.com
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for serv.org.com and *.serv.org.com
letsencrypt.log..txt (9.2 KB)

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: serv.org.com
Type: unauthorized
Detail: Incorrect TXT record "v=spf1 -all" found at _acme-challenge.serv.org.com

Domain: serv.org.com
Type: unauthorized
Detail: Incorrect TXT record "v=spf1 -all" found at _acme-challenge.serv.org.com

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

I added one more TXT record when the system requested it.

1 Like

You say "local domain". Is that domain name actually in your possession and under your control? I.e., will remote DNS servers be able to resolve the resource records for this domain?

4 Likes

Yes, I could, so I have attached a screen dump with the DNS name serv.org.com.
I have a web application that is using the same domain name to show the records at Domino Lotus Notes.

1 Like

Are you sure that it doesn't work for you due to split DNS / being in some internal network / VPN?

1 Like

To clarify what Osiris is asking you: is org.com actually registered to you or your organisation? Like, your organisation is the official registrant of the domain, according to ICANN?

It appears to be owned by a domain portfolio company. I am not convinced that you own the domain.

You will be unable to get a Let's Encrypt certificate for this domain unless you control this domain on the internet. Having the domain resolve on your internal network is not sufficient.

5 Likes

No. It is just an internal domain only, not officially registered according to ICANN.
Do you mean that I cannot create a Let's Encrypt certificate for the internal testing domain?

What should I do if I require a trusted CA certificate for the testing environment?

It is just an internal testing network, which should not be connected to the Internet.

1 Like

You cannot obtain valid certificates (in the sense of: trusted by browsers without installing your own root CA certificate) from any public CA for an internal domain name. Neither from Let's Encrypt, nor from any other public CA. This is part of the CA/B Forum Baseline Requirements that all browsers and CAs agreed upon (Baseline Requirements | CAB Forum).

5 Likes

To elaborate on why this is:

Anyone could generate a non-publicly trusted certificate for any hostname. E.g., I could generate a certificate for whitehouse.gov using my own locally generated CA. If my locally generated CA would be trusted by browsers, I could do a Man in the Middle attack for whitehouse.gov!

Luckily, browsers only trust, by default, a certain set of root certificates of publicly trusted CAs. And these CAs need to abide by the rules mentioned earlier to keep the trust in their certificates. Without trust, the whole system collapses.

9 Likes
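The replies above explain why no public CA will issue for an internal-only name and mention the alternative: a root CA of your own, whose certificate you install in the trust stores of the test network. The script below, added here as an example and not code from the thread, from Let's Encrypt or from certbot, builds such a private root with openssl and issues a server certificate covering serv.org.com and *.serv.org.com (the names from the original question). The directory, file names and subject strings are constructed; only ca.crt is distributed to clients, and ca.key stays on the signing machine.

```shell
#!/bin/sh
# Added example: private root CA plus one server certificate for an internal name.
# Assumes only the openssl command-line tool. Paths and subject names are constructed.

make_internal_ca() {
  dir="$1"   # working directory (created if missing)
  host="$2"  # internal hostname, e.g. serv.org.com; *.host is added as a second SAN
  mkdir -p "$dir" || return 1

  # Root CA profile: marked as a CA, key usable only for signing certs and CRLs.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Internal Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root, valid ten years. ca.key must never leave this machine.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

  # Server key and CSR. Browsers ignore the CN; the names go in subjectAltName below.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1

  # Leaf profile: not a CA, TLS server only, both the bare name and the wildcard.
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:*.$host
authorityKeyIdentifier = keyid
EOF
  # Sign the CSR with the private root. 825 days keeps the leaf inside common browser limits.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null || return 1

  # Sanity check: the leaf chains to our root.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Usage: make_internal_ca ./internal-ca serv.org.com
# then import ./internal-ca/ca.crt into the client trust stores and give
# server.key + server.crt to Domino (or any TLS server) on the test network.
```

Clients on the test network will trust the result only after ca.crt is imported into their OS or browser trust store; nothing outside that network should ever be asked to trust it, which is exactly the property the public CAs are protecting.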

That entry would only answer to:
_acme-challenge.serv.org.com.serv.org.com.[unknown-character-zone]

2 Likes


Why, when I change to using the domain name ectest.com.tw, does it still fail?
Surely I have access rights to ectest.com.tw, since my valid email is [redacted]@ectest.com.tw.

letsencrypt-.log.txt (1.0 KB)

Having an email address at a domain doesn't automatically give anyone the right to add TXT records into the domain zone.

You would need to add a TXT record into the authoritative DNS servers for that domain, namely:

ectest.com.tw   nameserver = ns12.domaincontrol.com
ectest.com.tw   nameserver = ns11.domaincontrol.com

[which is likely by way of a GoDaddy domain control web page/panel]

4 Likes

I have added the TXT record, but it still failed.


letsencrypt.log.AddTxt.txt (27.2 KB)

You need to put the TXT record in the public-facing DNS server, not the local server, if you do actually control that domain.

It would need to resolve globally.

6 Likes
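Two things in this thread are worth seeing side by side: the reply that the record "would only answer to _acme-challenge.serv.org.com.serv.org.com." (a zone-file owner name without a trailing dot is relative to $ORIGIN), and the CA's complaint that it found "v=spf1 -all" at the challenge name instead of the token. The following script, added here as an example and not code from certbot or Let's Encrypt, models both offline: a tiny zone loader that expands owner names the way a nameserver does, a one-level wildcard lookup, and the DNS-01 check that reports whatever TXT it finds. The zone contents and the token are constructed, and the "*" wildcard TXT carrying the SPF string is my assumed explanation for where that answer came from; the thread itself does not say. For a real domain, the equivalent check is to query the _acme-challenge name for TXT against a public resolver, not the internal one.

```python
"""Offline model of the DNS-01 (_acme-challenge) check that failed in the thread.

Added example, not certbot's or Let's Encrypt's code. serv.org.com is the
thread's name; the records, the token and the wildcard SPF entry are constructed.
"""
from __future__ import annotations


def fqdn(name: str, origin: str) -> str:
    """Expand a zone-file owner name the way a nameserver loading the zone does."""
    if not origin.endswith("."):
        origin += "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name            # already absolute
    return f"{name}.{origin}"  # relative: appended to $ORIGIN


def build_zone(origin: str, records: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map absolute owner names to their TXT values (only TXT is modelled here)."""
    zone: dict[str, list[str]] = {}
    for owner, value in records:
        zone.setdefault(fqdn(owner, origin), []).append(value)
    return zone


def lookup_txt(zone: dict[str, list[str]], qname: str) -> list[str]:
    """Exact owner first; otherwise a '*' record at the parent answers (one level)."""
    if qname in zone:
        return zone[qname]
    parent = qname.split(".", 1)[1]
    return zone.get("*." + parent, [])


def challenge_name(domain: str) -> str:
    """serv.org.com and *.serv.org.com are both validated at the same label."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}."


def check_dns01(zone: dict[str, list[str]], domain: str, token: str) -> str | None:
    """None when the token is present; otherwise a diagnostic in the CA's wording."""
    name = challenge_name(domain)
    found = lookup_txt(zone, name)
    if not found:
        return f"No TXT record found at {name.rstrip('.')}"
    if token in found:
        return None
    return f'Incorrect TXT record "{found[0]}" found at {name.rstrip(".")}'


TOKEN = "constructed-acme-token-0123456789"  # placeholder, not a real ACME value

# Constructed reproduction: the challenge record was written without a trailing
# dot, so it landed at _acme-challenge.serv.org.com.serv.org.com. and the
# wildcard TXT answered the query instead.
BROKEN = build_zone("serv.org.com.", [
    ("*", "v=spf1 -all"),
    ("_acme-challenge.serv.org.com", TOKEN),   # relative name: wrong place
])

# Two correct spellings of the same record.
FIXED = build_zone("serv.org.com.", [
    ("*", "v=spf1 -all"),
    ("_acme-challenge", TOKEN),                 # relative to $ORIGIN
    ("_acme-challenge.serv.org.com.", TOKEN),   # absolute, trailing dot
])

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("fixed", FIXED)):
        for d in ("serv.org.com", "*.serv.org.com"):
            print(label, d, check_dns01(zone, d, TOKEN) or "ok")
```

Run as-is it prints the thread's exact error for the broken zone and "ok" for the fixed one, for both the bare name and the wildcard. The wildcard lookup is deliberately one level deep, which is all this case needs; real resolvers apply the full closest-encloser rules.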