I ran this command: sudo certbot -d "$DOMAIN" -d "$WILDCARD" --manual --preferred-challenges dns certonly
DOMAIN=wyn.ie
WILDCARD="*.$DOMAIN"
echo "$DOMAIN" && echo "$WILDCARD"
wyn.ie
*.wyn.ie
It produced this output:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. wyn.ie (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ" (and 1 more) found at _acme-challenge.wyn.ie, wyn.ie (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg" (and 1 more) found at _acme-challenge.wyn.ie
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: wyn.ie
Type: unauthorized
Detail: Incorrect TXT record
"3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ" (and 1 more) found at
_acme-challenge.wyn.ie
Domain: wyn.ie
Type: unauthorized
Detail: Incorrect TXT record
"Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg" (and 1 more) found at
_acme-challenge.wyn.ie
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Amazon Lightsail
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: Amazon Lightsail
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
I checked my TXT records here: Network Tools: DNS,IP,Email using _acme-challenge.wyn.ie and they look fine. I re-ran the steps and added the next TXT records but it didn't help.
I don't see a problem with my IP address or my domain records.
I don't think time is the issue here.
The two records found by LE are the same two that are seen there now:
_acme-challenge.wyn.ie text = "3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ"
_acme-challenge.wyn.ie text = "Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg"
So waiting didn't change anything.
This requires changing the TXT records to the new ones provided by certbot and waiting until they are seen at all the authoritative DNS servers.
How can I confirm this has happened? Is it just a case of waiting 24-48 hours or is there someplace I can check? Apologies for the question, I'm a little new to this.
If you're using AWS Route 53 for your DNS, you might want to explore using the Certbot Route 53 DNS plugin rather than manually updating TXT records. I've found challenges having it installed on the same system as the AWS CLI tools, since they seem to want different versions of Python, but having some sort of automated DNS update lets you have certificates renew automatically rather than needing to manually update the DNS to get a new certificate every couple of months.
I confirmed that the TXT records are now there. What command can I run to get back to the verification step so I can confirm with certbot that the TXT files are there? Sorry for the continued questions, very very new to all this. I really appreciate everyone's help though.
The problem you're likely facing is that the TXT records will change each time when validation fails. This is why delaying some time after setting up the TXT records (whether manually or programmatically) before telling Let's Encrypt to validate them is often necessary to ensure proper propagation to all of your nameservers. How long depends upon the performance of your nameservers. I usually find 5 minutes to be far more than sufficient. As @sahsanu and I both mentioned, you can always check each nameserver via dig to ensure everything is ready. If only some nameservers have the correct TXT records, there is a chance that validation will succeed, but it's a gamble. You should seriously consider the wise advice given by @petercooperjr. It will simplify your life considerably.
In particular, the Route 53 API allows one to determine when all the AWS servers are in sync with the change that's requested. While I haven't used the Certbot Route 53 plugin myself (like I said, I had problems having it installed the same time as the AWS CLI due to some python version conflicts I never figured out), I'm assuming that it uses that to help know when the TXT records are ready for the Let's Encrypt servers to check.
I tried this again and it still failed. I confirmed using the command:
for i in $(dig wyn.ie ns +short); do echo "Checking $i"; dig @"$i" _acme-challenge.wyn.ie txt +short; echo ""; done
that the TXT files were present and I still waited an extra 60 minutes to be sure. The error I got back is:
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: wyn.ie
Type: unauthorized
Detail: Incorrect TXT record
"8RlY7GcBWhOL8SIV9wvKOz1q4H3tI6N5-lDkWh_VJnk" (and 1 more) found at
_acme-challenge.wyn.ie
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
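The propagation check recommended in the replies above (query every authoritative nameserver with dig before letting Let's Encrypt validate) can be made part of the certbot run itself instead of being done by hand between "Press Enter to Continue" prompts. The script below is an added example written for this page; it is not code from the thread or from certbot. It is meant to be passed as a certbot --manual-auth-hook, which certbot calls once per name with the real environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION set. Two things it assumes are labelled in the code: ZONE (the zone whose NS set is polled; for an apex and its wildcard this is the domain without the leading "*.") and publish_txt, a placeholder for whatever API the DNS provider offers. Two caveats the thread's errors illustrate are built in: certbot hands out a fresh validation value on every authorization, so TXT records left over from earlier runs never satisfy the CA and only an exact match of the current value counts; and "wyn.ie" and "*.wyn.ie" are both validated at _acme-challenge.wyn.ie, so both values have to be present at that name at the same time, which means the hook must add a record, not overwrite the one it added for the other name.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from certbot): a --manual-auth-hook that
# does not return control to certbot until every authoritative nameserver of the
# zone serves the TXT value certbot just issued. Requires dig (dnsutils/bind-utils).
set -u

# certbot exports these to the hook: CERTBOT_DOMAIN is the name being validated
# ("wyn.ie" or "*.wyn.ie"), CERTBOT_VALIDATION is the TXT value to publish.
# ZONE is an assumption of this script: the zone whose NS set is polled. For an
# apex and its wildcard it is the domain with any leading "*." removed.
ZONE="${ZONE:-${CERTBOT_DOMAIN:-}}"
ZONE="${ZONE#\*.}"

# Apex and wildcard are validated at the same record name, so both values must
# coexist there: a hook must ADD a TXT record, never replace the previous one.
challenge_name() {            # $1 = domain exactly as certbot passes it
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Exit 0 if one of the TXT answers in $1 (dig +short output, one quoted string
# per line) equals $2 exactly. Stale values from earlier runs do not count, and
# neither does a prefix: the CA compares the whole string.
txt_contains() {              # $1 = dig +short output, $2 = expected value
  printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -qxF -- "$2"
}

# Ask one authoritative server directly, bypassing recursive resolver caches;
# a plain "dig" through the local resolver can show a cached, stale answer.
lookup_txt() {                # $1 = nameserver, $2 = record name
  dig @"$1" "$2" TXT +short +norecurse 2>/dev/null
}

authoritative_ns() {          # $1 = zone
  dig "$1" NS +short
}

# Poll every authoritative server until all of them serve $3 for $2, or until
# $4 seconds have passed. Returns 0 when all are in sync, 1 on timeout.
wait_for_txt() {              # $1 = zone, $2 = record name, $3 = value, $4 = timeout (s)
  local zone="$1" name="$2" want="$3" deadline ns missing seen
  deadline=$(( $(date +%s) + $4 ))
  while :; do
    missing=0 seen=0
    for ns in $(authoritative_ns "$zone"); do
      seen=1
      if txt_contains "$(lookup_txt "$ns" "$name")" "$want"; then
        echo "ok       $ns"
      else
        echo "missing  $ns"; missing=1
      fi
    done
    # No NS answer at all means the zone name is wrong: never report success.
    [ "$seen" -eq 1 ] && [ "$missing" -eq 0 ] && return 0
    [ "$(date +%s)" -ge "$deadline" ] && return 1
    sleep 10
  done
}

# Placeholder (assumption): replace with the provider's API call, for example a
# Route 53 change batch via the AWS CLI. It must append a value, see challenge_name.
publish_txt() {               # $1 = record name, $2 = value
  echo "publish TXT $1 -> \"$2\" with your DNS provider's API" >&2
}

# Hook entry point; only runs when certbot invoked this script.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
  name="$(challenge_name "$CERTBOT_DOMAIN")"
  publish_txt "$name" "$CERTBOT_VALIDATION"
  wait_for_txt "$ZONE" "$name" "$CERTBOT_VALIDATION" 300
fi
```

With publish_txt filled in, the certbot invocation from the first post becomes: sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/wait-for-txt.sh -d wyn.ie -d '*.wyn.ie'. certbot then only asks the CA to validate after the hook has returned, that is after every server returned by "dig wyn.ie NS" has answered with the current value. If the hook times out, certbot reports the hook failure rather than the "Incorrect TXT record" error above, which makes the stale-record case visible before an authorization is spent.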