Lightsail Certbot incorrect TXT record error

WilliamW · February 21, 2021, 11:54am

Hello,

My domain is: www.wyn.ie

I ran this command: sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly
DOMAIN=wyn.ie
WILDCARD=*.$DOMAIN
echo $DOMAIN && echo $WILDCARD
wyn.ie
*.wyn.ie

It produced this output:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. wyn.ie (dns-01): urn:ietf:params:acme:error:unautho
rized :: The client lacks sufficient authorization :: Incorrect TXT record "3FDWn6c
M90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ" (and 1 more) found at _acme-challenge.wyn.ie,
wyn.ie (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks suffi
cient authorization :: Incorrect TXT record "Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZ
Lihsg" (and 1 more) found at _acme-challenge.wyn.ie

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: wyn.ie
Type: unauthorized
Detail: Incorrect TXT record
"3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ" (and 1 more) found at
_acme-challenge.wyn.ie

Domain: wyn.ie
Type: unauthorized
Detail: Incorrect TXT record
"Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg" (and 1 more) found at
_acme-challenge.wyn.ie

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Amazon Lightsail

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: Amazon Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I checked my TXT records here: Network Tools: DNS,IP,Email using _acme-challenge.wyn.ie and they look fine. I re-ran the steps and added the next TXT records but it didnt help.

I dont see a problem with my IP address or my domain records.

How can I resolve these errors?

griffin · February 21, 2021, 6:12pm

Welcome to the Let's Encrypt Community, William

You might just need to wait longer to let the TXT records propagate through the DNS systems before hitting "enter" to verify. Say... 5 minutes.

Confirm here before hitting "enter":

https://toolbox.googleapps.com/apps/dig/#TXT/

rg305 · February 21, 2021, 11:19pm

I don't think time is the issue here.
The two records found by LE:

Are the same two that are seen there now.

_acme-challenge.wyn.ie  text = "3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ"
_acme-challenge.wyn.ie  text = "Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg"

So waiting didn't change anything.

Requires changing the TXT records to the new ones provided by certbot.
and waiting until they are seen at all the authoritative DNS servers:

wyn.ie  nameserver = ns-152.awsdns-19.com
wyn.ie  nameserver = ns-965.awsdns-56.net
wyn.ie  nameserver = ns-1197.awsdns-21.org
wyn.ie  nameserver = ns-1759.awsdns-27.co.uk

[I do like how they used four different TLDs - one brownie point for AWS]

WilliamW · February 22, 2021, 10:40am

Hey all, thanks for the responses. In regards to:

Requires changing the TXT records to the new ones provided by certbot .
and waiting until they are seen at all the authoritative DNS servers:

wyn.ie  nameserver = ns-152.awsdns-19.com
wyn.ie  nameserver = ns-965.awsdns-56.net
wyn.ie  nameserver = ns-1197.awsdns-21.org
wyn.ie  nameserver = ns-1759.awsdns-27.co.uk

How can I confirm this has happened? Is it just a case of waiting 24-48 hours or is there someplace I can check? Apologies for the question, I'm a little new to this.

sahsanu · February 24, 2021, 3:11pm

Hello @WilliamW,

No need to wait so much time, just ask every of your authoritative dns servers for the txt records.

Something like this:

for i in $(dig wyn.ie ns +short); do echo "Checking $i"; dig @$i _acme-challenge.wyn.ie txt +short;echo ""; done

And you should get an output similar to this (of course, txt records will vary if you add/delete/modify them):

Checking ns-1197.awsdns-21.org.
"3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ"
"Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg"

Checking ns-152.awsdns-19.com.
"3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ"
"Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg"

Checking ns-1759.awsdns-27.co.uk.
"3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ"
"Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg"

Checking ns-965.awsdns-56.net.
"3FDWn6cM90VkdNSim3ZUUrwTrW05sbkShhScQTTA8SQ"
"Ad7tS9MG0Ct8qvV8t0hNldeJuR5hKMjndafhkZLihsg"

Cheers,
sahsanu

WilliamW · February 22, 2021, 5:39pm

Thanks for your reply. I tried what you suggested:

and the output was:

Checking ns-965.awsdns-56.net.
dig: couldn't get address for '-challenge.wyn.ie': not found

Checking ns-1197.awsdns-21.org.
dig: couldn't get address for '-challenge.wyn.ie': not found

Checking ns-1759.awsdns-27.co.uk.
dig: couldn't get address for '-challenge.wyn.ie': not found

Checking ns-152.awsdns-19.com.
dig: couldn't get address for '-challenge.wyn.ie': not found

rg305 · February 22, 2021, 5:43pm

I think you may need to wrap that part with single quotes, like:

for i in $(dig wyn.ie ns +short); do echo "Checking $i"; dig @$i '_acme-challenge.wyn.ie' txt +short;echo ""; done

Or perhaps double quotes:

for i in $(dig wyn.ie ns +short); do echo "Checking $i"; dig @$i "_acme-challenge.wyn.ie" txt +short;echo ""; done

petercooperjr · February 22, 2021, 6:40pm

If you're using AWS Route 53 for your DNS, you might want to explore using the Certbot Route 53 DNS plugin rather than manually updating TXT records. I've found challenges having it installed on the same system is the AWS CLI tools, since they seem to want different version of Python, but having some sort of automated DNS update lets you have certificates renew automatically rather than needing to manually update the DNS to get a new certificate every couple months.

WilliamW · February 23, 2021, 10:20am

I confirmed that the TXT records are now there. What command can I run to get back to the verification step so I can confirm with certbot that the TXT files are there? Sorry for the continued questions, very very new to all this. I really appreciate everyone's help though.

griffin · February 23, 2021, 1:25pm

The problem you're likely facing is that the TXT records will change each time when validation fails. This is why delaying some time after setting up the TXT records (whether manually or programmatically) before telling Let's Encrypt to validate them is often necessary to ensure proper propagation to all of your nameservers. How long depends upon the performance of your nameservers. I usually find 5 minutes to be far more than sufficient. As @sahsanu and I both mentioned, you can always check each nameserver via dig to ensure everything is ready. If only some nameservers have the correct TXT records, there is a chance that validation will succeed, but it's a gamble. You should seriously consider the wise advice given by @petercooperjr. It will simplify your life considerably.

petercooperjr · February 23, 2021, 1:54pm

In particular, the Route 53 API allows one to determine when all the AWS servers are in sync with the change that's requested. While I haven't used the Certbot Route 53 plugin myself (like I said, I had problems having it installed the same time as the AWS CLI due to some python version conflicts I never figured out), I'm assuming that it uses that to help know when the TXT records are ready for the Let's Encrypt servers to check.

WilliamW · February 23, 2021, 3:42pm

Thanks all, I will give this a go again. I will also look at the plugins you suggested as they look useful.

WilliamW · February 24, 2021, 2:17pm

I tried this again and it still failed. I confirmed using the command:

for i in $(dig wyn.ie ns +short); do echo "Checking $i"; dig @$i '_acme-challenge.wyn.ie' txt +short;echo ""; done

that the TXT files were present and I still waited an extra 60 minutes to be sure. The error I got back is:

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: wyn.ie
Type: unauthorized
Detail: Incorrect TXT record
"8RlY7GcBWhOL8SIV9wvKOz1q4H3tI6N5-lDkWh_VJnk" (and 1 more) found at
_acme-challenge.wyn.ie

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

WilliamW · February 24, 2021, 2:33pm

Hey all, you can ignore this as I tried again and it worked. Im good for now. Thanks all.