Long Waiting Time - TXT Record Verification Fails

thebigk · January 26, 2021, 1:29pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:jatra.club

I ran this command:
sudo certbot certonly
--agree-tos
--email my@email-id.com
--manual
--preferred-challenges=dns
-d *.jatra.club -d jatra.club
--server https://acme-v02.api.letsencrypt.org/directory

It produced this output:

Please deploy a DNS TXT record under the name
_acme-challenge.jatra.club with the following value:

QSWJgKa7tIkl335etstsdgsgsdg9AzVWBKaSbSo

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue                  

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jatra.club with the following value:

XhiH_ozZKlk45lkj5lkjessdfCf9EWP8_-Pc

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue 
Waiting for verification...
Challenge failed for domain jatra.club
Challenge failed for domain jatra.club
dns-01 challenge for jatra.club
dns-01 challenge for jatra.club
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: jatra.club
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.jatra.club - check that a DNS record exists for
   this domain

My web server is (include version): 1.18 (NGINX)

The operating system my web server runs on is (include version): uBuntu 20.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

===============================

I create the TXT record but it takes lot of time to reflect. I waited for about ~20 minutes, patiently refreshing the DNS Propagation Checker; but only a few locations show the required output.

I'm wondering if I'm doing this right. I want to obtain a wildcard certificate so that I can have secured, unlimited domains on my main domain.

Would appreciate any help.

JuergenAuer · January 26, 2021, 2:04pm

Hi @thebigk

your name server answer - https://check-your-website.server-daten.de/?q=jatra.club#txt

14. TXT - Entries

Domainname	Status	∑ Queries
jatra.club	Refused - The name server refuses to perform the specified operation for policy reasons	1
_acme-challenge.jatra.club	Refused - The name server refuses to perform the specified operation for policy reasons	1
_acme-challenge.jatra.club.jatra.club	Refused - The name server refuses to perform the specified operation for policy reasons	1

Looks like your dns domain settings are wrong.

ns1.digitalocean.com is one of your name servers. Looks like that name server doesn't like your domain.

thebigk · January 26, 2021, 3:42pm

@JuergenAuer - mea culpa! After posting above question; I went on to delete all the trial servers I had created - and ended up deleting this server as well!

I've set the server again and ran the command again. Please find the output below-

Please deploy a DNS TXT record under the name
_acme-challenge.jatra.club with the following value:

Z7-sF2La85Kpg-Yv7IiGRyQoo4Ht-cyu0QzJR8QO7wA

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jatra.club with the following value:

a6AiRmat4rKV476c4e-5DPrj8e9JpETmHskdHo-rk9s

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain jatra.club
dns-01 challenge for jatra.club
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: jatra.club
   Type:   unauthorized
   Detail: Incorrect TXT record
   "Z7-sF2La85Kpg-Yv7IiGRyQoo4Ht-cyu0QzJR8QO7wA" found at
   _acme-challenge.jatra.club

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

This time, I saw that the DNS propagation checker actually returned the value starting with Z7-s.... , however, the verification still failed.

See: DNS Checker - DNS Propagation Check & DNS Lookup

Would really appreciate some help here. Already spent a day trying to figure this out on my own.

JuergenAuer · January 26, 2021, 4:22pm

If you see only that result, the fail is expected.

Rechecked your domain - https://check-your-website.server-daten.de/?q=jatra.club#txt - three entries and no wrong entry visible

14. TXT - Entries

Domainname	TXT Entry	Status	∑ Queries
jatra.club		ok	1
_acme-challenge.jatra.club	a6AiRmat4rKV476c4e-5DPrj8e9JpETmHskdHo-rk9s	looks good, correct length, correct characters	1
_acme-challenge.jatra.club	XsHzYyNC1T_BM1jqc12G0pvx8GO9tT0z9QuHCbjJVdo	looks good, correct length, correct characters	1
_acme-challenge.jatra.club	Z7-sF2La85Kpg-Yv7IiGRyQoo4Ht-cyu0QzJR8QO7wA	looks good, correct length, correct characters	1
_acme-challenge.jatra.club.jatra.club		Name Error - The domain name does not exist	1

Looks like you should wait longer.

rg305 · January 26, 2021, 4:54pm

Agreed.

Don't hit enter/next as soon as you create the TXT record.
In another window, confirm it has replicated to all your DNS servers first; with:

nslookup -q=txt jatra.club ns1.digitalocean.com
nslookup -q=txt jatra.club ns2.digitalocean.com
nslookup -q=txt jatra.club ns3.digitalocean.com

When all three have the correct information, then hit enter/next.

thebigk · January 26, 2021, 5:07pm

Does that mean I should wait at the prompt? The three entries are from my two attempts.

I have already tried waiting for about 20 minutes, but the error didn't go away. For every new attempt at getting the certificate, I am asked to add new TXT record.

In general how long should I have to wait? Few mins or few hours?

JuergenAuer · January 26, 2021, 5:14pm

Yes, that's required.

Normally, 20 minutes should be ok. Curious. You want to create a certificate with two domain names, so two TXT entries are required. But both are (now) visible.

Create the first, then the second - then check, if all three name servers have the new result.

PS:

That wouldn't help.

nslookup -q=txt _acme-challenge.jatra.club ns1.digitalocean.com

is required.

thebigk · January 27, 2021, 10:59am

Update:

As @JuergenAuer suggested; I had to wait (~30 minutes) for the records to update before hitting ENTER key to continue. But it worked; and subdomains are working as expected.

This solves only 50% of the problem for me though.

I want to let me members map their respective sub-domains or domains to my multi-tenant application. I learned that they can do so by configuring the CNAME record.

However, in that case; how would the SSL certificates work?

For example, a user points abc.com to subdomain.mydomain.com. How can I ensure that abc.com loads with HTTPS?

JuergenAuer · January 27, 2021, 11:29am

Thanks reporting back. So now we know, the digitalocean - name servers sometimes very slow.

So that external domain has your ip address -> so you can use http validation to create a certificate.

There is no real difference if a customer uses an A- or a CNAME record to point to your ip.

Create a port 80 vHost -> then use your preferred client with http validation.

Dns validation is a little bit trickier.

thebigk · January 27, 2021, 11:49am

Umm, yeah; but is that how these multi-tenant application providers do it? Because they've 100s (or 1000s) of subdomains; and also allow users to map their own custom domains.

I'm sure this whole process is automated. Is there any article / tutorial on how to do it? Would really appreciate. I've been scanning entire StackOverflow since last 2 days but without luck.

JuergenAuer · January 27, 2021, 5:32pm

Create your own program to do that.

There are a lot of libraries you can use.

system · February 26, 2021, 5:33pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.