Issues with multiple TXT records (*.domain.tld + domain.tld)

Hi guys

I am having problems issuing a certificate for *.domain.tld and domain.tld in one request. Even though I created both TXT DNS records and both records match the required acme-challenge values, it won’t check all TXT records I created in Cloudflare DNS settings.

/letsencrypt/certbot-auto -d f######net.com -d *.f######net.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly

FailedChallenges: Failed authorization procedure. f######net.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “O########################A” found at _acme-challenge.f######net.com

Any ideas what I am doing wrong?

Hi @dahlecr,

Are you sure you are putting both TXT records at the same time? I mean, as you want to issue a cert covering f######net.com and *.f######net.com, you must put two TXT records for _acme-challenge.f######net.com, each one with its respective token. Also, you need to wait a few seconds or minutes till your authoritative DNS servers answer the same when the TXT records are requested.

dig @dan.ns.cloudflare.com _acme-challenge.f######net.com txt

should give the same answer as the other one:

dig @gina.ns.cloudflare.com _acme-challenge.f######net.com txt

And of course, both servers must answer with at least the 2 TXT records you have added.

Also, checking your real domain I can see only 1 txt record for _acme-challenge.f######net.com

Cheers,
sahsanu
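The check sahsanu describes, written out as a small POSIX shell script (an added example, not code from the thread or from certbot): query each authoritative nameserver directly with dig and only report success once every server returns every expected token, with a retry loop sized for the delay reported in this thread. The nameserver names are the ones quoted above; the challenge tokens and the retry interval are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the thread: verify that every authoritative
# nameserver returns every expected _acme-challenge TXT token before
# letting the ACME client run its dns-01 validation.

# txt_values: read `dig +short ... TXT` output on stdin and print each TXT
# string without its surrounding quotes, one per line.
txt_values() {
    sed -n 's/^"\(.*\)"$/\1/p'
}

# has_all_tokens TOKEN...: read `dig +short` output on stdin and succeed
# only when every expected token is present as a TXT value.
has_all_tokens() {
    values=$(txt_values)
    for tok in "$@"; do
        printf '%s\n' "$values" | grep -qxF -- "$tok" || return 1
    done
    return 0
}

# check_ns NAME NS TOKEN...: ask one authoritative server directly, so the
# answer cannot come from a resolver cache.
check_ns() {
    name=$1; ns=$2; shift 2
    dig +short "@$ns" "$name" TXT | has_all_tokens "$@"
}

# wait_for_propagation NAME "NS1 NS2 ..." TOKEN...: poll every listed server
# until all of them return all tokens; give up after roughly five minutes,
# the delay reported for Cloudflare in this thread (assumed interval: 10 s).
wait_for_propagation() {
    name=$1; servers=$2; shift 2
    tries=0
    while [ "$tries" -lt 30 ]; do
        ok=1
        for ns in $servers; do
            check_ns "$name" "$ns" "$@" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
        tries=$((tries + 1))
        sleep 10
    done
    return 1
}

# Usage (domain and tokens are placeholders; run before `certbot ... certonly`):
# wait_for_propagation _acme-challenge.f######net.com \
#     "dan.ns.cloudflare.com gina.ns.cloudflare.com" \
#     TOKEN_FOR_APEX TOKEN_FOR_WILDCARD && echo "both records visible on both servers"
```

Because the script queries the authoritative servers by name rather than the local resolver, a success here means the ACME server's own lookup will see the same two records; a failure on only one of the servers is the symptom this thread describes.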

You are right, even though both TXT DNS records were created, it only gives back one of them.

For everyone else experiencing the same problem using Cloudflare: it can take up to five minutes before multiple TXT DNS records are propagated properly.

Problem solved.

Thanks again for your help!


This behavior happens with multiple cloud/enterprise providers. I think the first set of a TXT for a given key (or an A record) writes to an internal cache, and then is stuck for several minutes until it expires (usually the TTL).

With Cloudflare, I sleep 5 seconds after adding each record. It almost always works.

I haven’t used them. Namecheap takes 90-120 s on a 60 s TTL. I had access to Linode and Dreamhost accounts; both took about 5 mins for the second record to appear.

Until I finalize a move to acme-dns, I patched certbot to sleep after writing all the auths (and before verification). That solves all my problems.
