Lost TXT records - how to generate new ones?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.vantasist.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I was trying to install my certificate for the first time yesterday and, long story short, have now lost one of the TXT records. How can I generate new records?

How did you get the TXT records this time?

If you follow the same procedure, your ACME client should give you appropriate records – the same ones, if possible, or new ones.

Can you answer the other questions?

Additionally, if you don’t mind, are you using manual DNS validation? If so, why? Do you need a wildcard certificate? Can you use a DNS service and ACME client that support automated DNS validation? If not, can you use a non-wildcard certificate and one of the other validation methods?

I followed these instructions to install certbot and get the certificates:

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

I followed the steps again thinking I would get new records but instead I got a message saying that the certificates had been renewed.

Hi,

Why do you need a new record?
The records actually change to new ones when you renew (after the authorization period has expired). You are currently in an authorization period, so that’s why you won’t need a TXT record.

Thanks

Are you using manual DNS validation? If so, why?
I don’t know. The instructions were to add TXT records for validation - is this manual validation or automatic?

Do you need a wildcard certificate?
No

Can you use a DNS service and ACME client that support automated DNS validation?
I’m using 123-reg for managing DNS records. Not sure what an ACME client is.

If not, can you use a non-wildcard certificate and one of the other validation methods?
Yes I can use a non-wildcard certificate.

Ideally I’d just like to generate new TXT records as my validation is 95% complete using this method. I’m not technical so I’m just following the instructions on the AWS tutorial to the letter.

Ok thanks - how long does the authorization period usually last? And how will I know when it is finished?

That tutorial gives bad advice, telling people to repeat a manual, error-prone process every 2-3 months instead of allowing fully automated renewal. :frowning_face:

If you followed that tutorial, using Certbot's --manual option, without also using the --manual-auth-hook option, and copying and pasting the DNS records into your DNS service, it was manual.

You should strongly consider switching to a non-wildcard certificate and HTTP validation, since it can be easily automated.

I don't think they have an API for changing DNS records. :slightly_frowning_face:

But if you switch to HTTP validation, that doesn't matter.

The software implementing the ACME protocol that you use to get certificates. You're using Certbot.

Why do you want to validate again?

If you don't want to issue more certificates, it hardly matters whether your Let's Encrypt account happens to have any valid authorizations for some names.

If you do want to issue more certificates, why? You already have two.

It's subject to change, but currently an authorization is normally valid for 30 days.

Certbot doesn't show that information, but it is recorded in letsencrypt.log.

Certificates are, of course, valid for 90 days.

Why do you need to know?

You can check the expiration date in the log files, or you would know when you try to issue a certificate and Certbot needs to validate the name again.

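As an added illustration of the point above (this is not part of the thread and not a Certbot feature): Certbot's letsencrypt.log records the ACME authorization objects the server returns, including their "status" and "expires" fields, so you can pull them out to see which names still have a valid authorization and when it lapses. The script below assumes the authorization JSON is pretty-printed into the log starting at the beginning of a line, which is how Certbot's debug log writes received responses; the embedded log text is constructed for this example, and the domain names and dates in it are placeholders.

```python
"""Report ACME authorization expiry from a Certbot letsencrypt.log.

Added example, not Certbot's own tooling. Assumes authorization objects
appear in the log as pretty-printed JSON beginning at a line start.
"""
import json
import re
import sys
from datetime import datetime, timezone

# Constructed sample of what the relevant part of letsencrypt.log looks like.
SAMPLE_LOG = """\
2024-05-01 10:00:00,001:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "www.vantasist.com"
  },
  "status": "valid",
  "expires": "2024-05-31T09:59:59Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid"
    }
  ]
}
2024-05-01 10:00:00,002:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "vantasist.com"
  },
  "status": "pending",
  "expires": "2024-05-08T09:59:59Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending"
    }
  ]
}
"""


def iter_json_objects(text):
    """Yield every JSON object whose opening brace starts a line."""
    decoder = json.JSONDecoder()
    for match in re.finditer(r"^\{", text, flags=re.MULTILINE):
        try:
            obj, _ = decoder.raw_decode(text, match.start())
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            yield obj


def parse_expires(stamp):
    """Parse an RFC 3339 UTC timestamp such as 2024-05-31T09:59:59Z."""
    stamp = re.sub(r"\.\d+", "", stamp)  # drop fractional seconds if present
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authorizations(log_text):
    """Map each name to (status, expires) of its latest-expiring authorization."""
    found = {}
    for obj in iter_json_objects(log_text):
        if not {"identifier", "status", "expires"} <= obj.keys():
            continue  # not an authorization object
        name = obj["identifier"].get("value")
        expires = parse_expires(obj["expires"])
        prev = found.get(name)
        if prev is None or expires > prev[1]:
            found[name] = (obj["status"], expires)
    return found


def needs_new_challenge(status, expires, now):
    """A fresh TXT record is only needed when no authz is both valid and unexpired."""
    return not (status == "valid" and expires > now)


def report(log_text, now=None):
    """Return one summary line per name: status, expiry and whether revalidation is due."""
    now = now or datetime.now(timezone.utc)
    lines = []
    for name, (status, expires) in sorted(authorizations(log_text).items()):
        days_left = (expires - now).days
        action = "must validate again" if needs_new_challenge(status, expires, now) else "no new TXT record needed"
        lines.append(f"{name}: status={status} expires={expires:%Y-%m-%d} ({days_left} days) -> {action}")
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it with the path to letsencrypt.log (normally /var/log/letsencrypt/letsencrypt.log) to see each name's latest authorization; with no argument it runs against the constructed sample. Note that an expired authorization only matters at the next issuance or renewal: the certificate itself keeps working for its 90-day lifetime regardless.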

To expand on a couple of the things that @mnordhoff said here:

Yes, we would recommend finding a solution where you don't have to manually intervene to get new certificates. Certbot itself is meant to do this automatically, when used with --apache, --nginx, or --webroot options (and in some other cases that are a little more complicated to set up).

(The methods that I mentioned above will do this, assuming that they work with your setup and that you don't specify any names with the *. at the beginning for the certificate.)

Note that the TXT records are required in order to get the certificate, but not in order to use it. There is no expectation or requirement that you have them continually posted (unlike some other services that also use TXT records for validation of control over domain names). You'll only need them very briefly during the actual process of certificate issuance and renewal, and not at all if you're using the HTTP validation method instead.

