I’ve been trying to get Certbot to renew my wildcard certificate. I ran into a couple of wrong DNS settings at first, but after I corrected these errors, no matter what I do, Certbot seems to be reading my outdated TXT record for my ACME challenge.
- The following errors were reported by the server:
Domain: domain.com
Type: unauthorized
Detail: Incorrect TXT record
"br9OZ2WLmKQWN3QOFaYppyzSxhkhSu7bU-ISR-kzdeY" found at
_acme-challenge.domain.com
The problem is that br9OZ2WLmKQWN3QOFaYppyzSxhkhSu7bU-ISR-kzdeY doesn’t exist! It has been overwritten with a new value, but Certbot keeps reading this as the value and giving me an error.
Is there anything I’m doing wrong? Or is Certbot not re-reading my TXT record?
One thing that can be a factor is TTL. Let’s Encrypt will (as of today) cache an individual DNS record for a maximum of 60 seconds.
This means if you have a TTL of 3600, it will be cached for 60 seconds. However, if you have a TTL of 1, it will only be cached for 1 second.
If you have control over TTL, you should always set it to 0 (or 1) for _acme-challenge TXT records.
The other possibility is that your authoritative nameservers just haven’t synced the new TXT record yet, or there is some other user error. But since you have obscured your domain, we can’t advise you much further.
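As an added example that is not part of this thread, here is a stdlib-only Python script for doing the check the reply above describes: ask each authoritative nameserver directly (so no recursive resolver's cache sits in between), read the TTL and value of the _acme-challenge TXT record, and flag a stale token or a TTL above the 60-second cap mentioned above. The nameserver labels, the replacement token and the offline response packets are constructed for the demo; the stale token and the 21599 TTL are the values reported in this thread.

```python
"""Query authoritative nameservers for an _acme-challenge TXT record; flag stale values and TTLs."""
import secrets
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1
LE_MAX_CACHE = 60  # the reply above: Let's Encrypt caches a record for at most 60 s

def encode_name(name: str) -> bytes:
    """Wire-format a domain name: <len><label>... terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_txt_query(name: str, qid: int = -1) -> tuple:
    """Build a TXT query with RD set and a random ID (RFC 1035 header layout)."""
    qid = secrets.randbelow(65536) if qid < 0 else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return qid, header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)

def _read_name(data: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_txt_response(data: bytes) -> list:
    """Return (owner, ttl, txt) for every TXT record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0xF:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = _read_name(data, off)
        off += 4
    records = []
    for _ in range(ancount):
        owner, off = _read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_TXT:  # RDATA is one or more <len><chars> strings
            chunks, i = [], 0
            while i < len(rdata):
                chunks.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
            records.append((owner, ttl, "".join(chunks)))
    return records

def query_server(server_ip: str, name: str, timeout: float = 3.0) -> list:
    """Live UDP query to one nameserver, bypassing any caching resolver."""
    qid, msg = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("response ID does not match the query")
    return parse_txt_response(data)

def diagnose(expected: str, per_server: dict) -> list:
    """Flag, per server: expected token absent, an old token still served, TTL above 60 s."""
    findings = []
    for server, rrs in per_server.items():
        if not any(txt == expected for _, _, txt in rrs):
            findings.append((server, "missing_expected"))
        for _, ttl, txt in rrs:
            if txt != expected:
                findings.append((server, f"stale_value:{txt}"))
            if ttl > LE_MAX_CACHE:
                findings.append((server, f"long_ttl:{ttl}"))
    return findings

def build_txt_response(qid: int, name: str, answers: list) -> bytes:
    """Constructed reply for the offline demo (QR|AA|RD|RA flags, owner via 0xC00C pointer)."""
    header = struct.pack("!HHHHHH", qid, 0x8580, 1, len(answers), 0, 0)
    body = encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    for ttl, txt in answers:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + body

def demo() -> list:
    """Offline case: constructed ns1 still serves the thread's old token at TTL 21599, ns2 the new one."""
    name, qid = "_acme-challenge.domain.com", 0x1234
    old = "br9OZ2WLmKQWN3QOFaYppyzSxhkhSu7bU-ISR-kzdeY"
    new = "NEW-TOKEN-EXAMPLE-not-a-real-acme-value"  # made-up replacement token
    per_server = {
        "ns1": parse_txt_response(build_txt_response(qid, name, [(21599, old)])),
        "ns2": parse_txt_response(build_txt_response(qid, name, [(60, new)])),
    }
    return diagnose(new, per_server)
```

`demo()` runs offline and reports ns1 as missing the expected token, still serving the old one, and carrying a TTL above 60 s. For a real check, look up the zone's NS records (for example with `dig NS domain.com`), call `query_server(ip, "_acme-challenge.domain.com")` for each authoritative IP, and hand the results to `diagnose()`. If one authoritative server still answers with the old token, that server has not picked up the change; if they all agree but a third-party checker still shows the old value, the checker is showing its own cached copy until the old TTL runs out.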
I’ve checked my DNS records in a couple of places. In some places, the TXT record of _acme-challenge returns the latest value. In dnschecker.org/all-dns-records-of-domain.php however, there is an entry with the wrong value Let's Encrypt keeps fetching, along with a TTL of 21599.
I wonder why the value is there. I’ve never set any of my ACME challenges with a TTL of 21599 before. I have only set them to 86400 and 3600.
I retried getting the certificate after an hour, but it is still not retrieving the updated records. Maybe my name server is having some delay in updating the records. I use DigitalOcean.
Thanks for all the replies by the way. Really appreciate it!