Letsencrypt failing on _acme_challenge error

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: turbine2.co.uk

I ran this command: certbot certonly --manual --preferred-challenges=dns --email --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.turbine2.co.uk

It produced this output:
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: turbine2.co.uk
    Type: unauthorized
    Detail: Incorrect TXT record
    "eZde30Y1aoMJpk6QCNUSzjI-TqfXr3H23igYvVIujBw" found at
    _acme-challenge.turbine2.co.uk

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): N/A

The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I have changed the record in DNS for the _acme_challenge value as per normal, checked that this is correct with another provider (I used Network Tools: DNS,IP,Email ) which came up with the changhed txt record however when certbot runs it is complaining that the old txt record is there. Given I can't just leave the certbot at the waiting promtp for long how can I update my certificate?

image
image1471×483 28.7 KB

Note that check with mxtoolbox was completed before enter was pressed to continue.

Many thanks,

David

1 Like
2

Try waiting a few minutes after you deploy the txt record

(and consider changing dns host, godaddy has no apis anymore for small clients)

2 Likes
3

Also, use https://unboundtest.com to verify the TXT record

It uses a lookup of the authoritive DNS servers similar to how Let's Encrypt does it

Or do this yourself to check one of your auth servers

dig TXT _acme-challenge.turbine2.co.uk @ns03.domaincontrol.com
2 Likes
4

Thanks for that. Out of interest how long is the timeout for the letsencrypt challenge? Last time I had something like this (problem at gospdaddy’s end quelle surprise) it would timeout if I left it too long.

1 Like
5

Thanks for that, I will give that a go but I thought that’s what Mxtoolbox did.

1 Like
6

Okay, tried that, but it's reporting the correct _acme_challenge where letsencrypt isn't.

image
image1355×803 66.9 KB

7

I am not sure but you should easily be able to wait 10-15 minutes and probably several hours. At the step you are asked to set and verify the TXT record the challenge has not been sent to Let's Encrypt server yet. That only happens once you press enter to the "Press Enter to Continue" prompt.

We are just waiting for the authoritive DNS servers to sync. Try waiting 10 minutes for the next test. Should be plenty of time.

As for using dig or unboundtest.com to check that is to use methods that are closer to what Let's Encrypt itself actually does. I don't know how the MXtoolbox DNS queries are structured.

2 Likes
8

Finally got it to work. Left it 10 minutes and this time it has propogated correctly. Thanks for the help.

2 Likes
9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.