Letsencrypt is reading an outdated DNS TXT record

I’ve been trying to get Certbot to renew my wildcard certificate. I ran into a couple of wrong DNS settings at first, but after I corrected these errors, no matter what I do, Certbot seems to be reading my outdated TXT record for my acme challenge.

TXT _acme-challenge.domain.com mPzCnkvcka88Os2EXDOkmpo0_mNU6PW5flhouSbCQxM
TXT _acme-challenge.domain.site 1ul5coofkwYCaaOVUVuOF83VtZ1mdtpUp5apUDizrCE

These are the TXT records for my domains. When I try to generate the wildcard cert:

 certbot certonly --manual -d domain.com -d *.domain.com -d domain.site -d *.domain.site --agree-tos --server https://acme-v02.api.letsencrypt.org/directory

I always get this same error:

- The following errors were reported by the server:

Domain: domain.com
Type:   unauthorized
Detail: Incorrect TXT record
"br9OZ2WLmKQWN3QOFaYppyzSxhkhSu7bU-ISR-kzdeY" found at
_acme-challenge.domain.com

The problem is that br9OZ2WLmKQWN3QOFaYppyzSxhkhSu7bU-ISR-kzdeY doesn’t exist! It has been overwritten with a new value, but Certbot keeps reading this as the value and giving me an error.

Is there anything I’m doing wrong? Or is Certbot not re-reading my TXT record?

Hi @terresquall

Please share your domain name.

One thing that can be a factor is TTL. Let’s Encrypt will (as of today) cache an individual DNS record for a maximum of 60 seconds.

This means if you have a TTL of 3600, it will be cached for 60 seconds. However, if you have a TTL of 1, it will only be cached for 1 second.

If you have control over TTL, you should always set it to 0 (or 1) for _acme-challenge TXT records.

The other possibility is that your authoritative nameservers just haven’t synced the new TXT record yet, or there is some other user error. But since you have obscured your domain, we can’t advise you much further.
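To tell the two causes apart (Let's Encrypt's own 60-second cache versus an authoritative nameserver that has not picked up the new record yet), it helps to ask each authoritative server directly rather than a recursive resolver. The following checker is an added example written for this thread, not code from certbot or Let's Encrypt; the live lookup assumes the `dnspython` package, and the nameserver names and token values in the sample are constructed.

```python
"""Check every authoritative NS for the expected _acme-challenge TXT token."""
from dataclasses import dataclass

LE_MAX_CACHE_SECONDS = 60  # Let's Encrypt caches a record for at most 60 s


@dataclass
class TxtAnswer:
    nameserver: str
    values: list   # TXT strings this server returned ([] if none)
    ttl: int       # TTL this server returned


def effective_cache_seconds(ttl: int) -> int:
    """How long Let's Encrypt may keep a cached answer: min(TTL, 60)."""
    return max(0, min(ttl, LE_MAX_CACHE_SECONDS))


def classify(expected: str, answers: list) -> dict:
    """Split servers into ok / stale / missing and compute the longest time a
    correct answer could still be masked by Let's Encrypt's cache."""
    report = {"ok": [], "stale": [], "missing": [], "max_wait": 0}
    for a in answers:
        if expected in a.values:
            report["ok"].append(a.nameserver)
        elif a.values:
            report["stale"].append((a.nameserver, a.values))
        else:
            report["missing"].append(a.nameserver)
        report["max_wait"] = max(report["max_wait"], effective_cache_seconds(a.ttl))
    return report


def query_authoritative(name: str) -> list:
    """Live lookup (network + dnspython): query each authoritative NS of the
    enclosing zone directly, bypassing any recursive resolver cache."""
    import dns.resolver  # lazy import so the offline functions need no dependency
    zone = dns.resolver.zone_for_name(name)
    answers = []
    for ns in dns.resolver.resolve(zone, "NS"):
        r = dns.resolver.Resolver(configure=False)
        r.nameservers = [dns.resolver.resolve(str(ns.target), "A")[0].address]
        try:
            rr = r.resolve(name, "TXT")
            vals = [b"".join(t.strings).decode() for t in rr]
            answers.append(TxtAnswer(str(ns.target), vals, rr.rrset.ttl))
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            answers.append(TxtAnswer(str(ns.target), [], 0))
    return answers


# Constructed sample: one of three servers still serves the old token.
SAMPLE = [TxtAnswer("ns1.example.net.", ["NEWTOKEN"], 3600),
          TxtAnswer("ns2.example.net.", ["OLDTOKEN"], 21599),
          TxtAnswer("ns3.example.net.", [], 0)]
```

For a real check, replace `SAMPLE` with `query_authoritative("_acme-challenge.yourdomain")`; any server in `stale` or `missing` explains an "Incorrect TXT record" failure regardless of what a public resolver shows.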

I’ve checked my DNS records in a couple of places. In some places, the TXT record of _acme-challenge returns the latest value. In dnschecker.org/all-dns-records-of-domain.php however, there is an entry with the wrong value LetsEncrypt keeps fetching, along with a TTL of 21599.

I wonder why the value is there. I’ve never set any of my Acme Challenges with a TTL of 21599 before. I have only set them to 86400 and 3600.

I retried getting the certificate after an hour, but it is still not retrieving the updated records. Maybe my name server is having some delay in updating the records. I use DigitalOcean.

Thanks for all the replies by the way. Really appreciate it!
