Incorrect TXT record

#1

My domain is: camptrac.com

I ran this command: certbot certonly --agree-tos --manual --preferred-challenges=dns -d camptrac.com -d *.camptrac.com

It produced this output: # certbot certonly --agree-tos --renew-by-default --manual --preferred-challenges=dns -d camptrac.com -d *.camptrac.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for camptrac.com
dns-01 challenge for camptrac.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.camptrac.com with the following value:

FXbTE0_wG7LxIVmhcD_5wIMDuwH0XGvirPTaR7Z6QFc

Before continuing, verify the record is deployed.


Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.camptrac.com with the following value:

5dSOMpgO-vuQvnPILc-8GY1CK5ybP4gYfWyCWY2w9xc

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. camptrac.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “k81yXf9CkKJ_5VIk_jdROVaxQOoB3hSZ3CBHzmKiDNY” (and 1 more) found at _acme-challenge.camptrac.com, camptrac.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “k81yXf9CkKJ_5VIk_jdROVaxQOoB3hSZ3CBHzmKiDNY” (and 1 more) found at _acme-challenge.camptrac.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: camptrac.com
    Type: unauthorized
    Detail: Incorrect TXT record
    “k81yXf9CkKJ_5VIk_jdROVaxQOoB3hSZ3CBHzmKiDNY” (and 1 more) found at
    _acme-challenge.camptrac.com

    Domain: camptrac.com
    Type: unauthorized
    Detail: Incorrect TXT record
    “k81yXf9CkKJ_5VIk_jdROVaxQOoB3hSZ3CBHzmKiDNY” (and 1 more) found at
    _acme-challenge.camptrac.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): HA-Proxy version 1.5.18

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Cygate AB

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.30.2

I first ran the command and updated the TXT records.

dig -t TXT _acme-challenge.camptrac.com @ns1.loopia.se +short
“k81yXf9CkKJ_5VIk_jdROVaxQOoB3hSZ3CBHzmKiDNY”
“rQNMAW1wuvoJXfZIjDYOdK6OvvXRJc1pNhHwHvK19X0”

But when I run the command to generate the certificate the value of the TXT record was changed and the authorization failed.

#2

But those aren’t the values requested by certbot, right? :roll_eyes:

1 Like
#3

Hi @asakth

if you start a new certificate order, two new TXT values are created.

So

  • change / add the first _acme-challenge … value
  • change / add the second _acme-challenge … value
  • then check it manual
  • then confirm, so certbot sends a notification to Letsencrypt, Letsencrypt checks these two different txt entries.
#4

You may be interested in acme.sh, which supports automatic DNS validation via loopia.se natively: https://github.com/Neilpang/acme.sh/tree/master/dnsapi#44-use-loopiase-api

This is much better than manually setting up TXT records every 60-90 days.

3 Likes
#5

Yes. I don’t have access to the registrar portal so every time I ask the customer to update TXT records in the DNS zone. Once after it’s updated when I issue the command a new set of values are generated.

#6

Hello @JuergenAuer

I added the values in DNS and when I check it manually to confirm another set of values are generated, one for the base domain and wildcard.

certbot certonly --agree-tos --manual --preferred-challenges=dns -d xyz.com -d *.xyz.com

Please correct me if I’m wrong.

#7

That command will walk you through the DNS authentication.
You will need to create two TXT records to pass.

Some DNS systems overwrite the first TXT record with the second (only allowing one record to exist at a time).
Check the resulting entry with:
nslookup -q=txt _acme-challenge.xyz.com
to insure both records are shown before continuing.

If only one record is shown, you may have to combine both records into a single TXT record entry.
[separated by a carriage return or linefeed]

#8

Hello,

I got it to work. Thanks :slight_smile:

2 Likes
#9

Excellent!

#10

Then you have finished the first order (too much spaces), so you start a new order.

After creating the second value, don’t confirm, first check. But now

you have found the solution :wink:

closed #11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.