No TXT record found at _acme-challenge.thinkprep.ca

My domain is: thinkprep.ca

I ran this command: certbot certonly --agree-tos --manual --preferred-challenges=dns -d thinkprep.ca -d *.thinkprep.ca


It produced this output:
Challenge failed for domain thinkprep.ca
dns-01 challenge for thinkprep.ca
 - The following errors were reported by the server:
   Domain: thinkprep.ca
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.thinkprep.ca

My web server is (include version): VPS

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: hostitbro.in

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WHM

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): certbot 1.3.0

When i am running AutoSSL check from WHM it shows this error:
3:53:07 PM ERROR “Let’s Encrypt™” DNS DCV error (*.thinkprep.ca): 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.thinkprep.ca)

ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
1 Like

Do you understand how DNS challenges work and their requirements?

There is no TXT record found:
nslookup -q=txt _acme-challenge.thinkprep.ca

1 Like

Sorry I see now that you are using a control panel “WHM”
The problem may be within the control panel.

But you are also using cerbot…

You shouldn’t use certbot if the control panel can provide certs for you.

2 Likes

You won’t be able to issue a wildcard via AutoSSL unless you change the nameservers for your domain from GoDaddy to your WHM nameservers (i.e. your WHM DNSOnly cluster, or just your WHM server itself).

This limitation is called out on https://documentation.cpanel.net/display/CKB/The+Let's+Encrypt+Plugin :

You cannot use this plugin to obtain wildcard certificates if you use third-party DNS hosting. You must host DNS on your local cPanel & WHM server or within the server’s DNS cluster.

Using GoDaddy nameservers counts as third-party DNS hosting.

1 Like

I am using VPS server I have only IP address of server: 49.12.106.255 not any nameservers, so how would I do that?

1 Like

Every domain has at least two DNS servers.
They are responsible for maintaining all the DNS entries for your DNS zone.
The current DNS servers (GoDaddy) may not be compatible with the DNS plugin that WHM uses.
You can try switching your DNS provider / DNS servers to another that is compatible.

1 Like

It would be a little complicated.

You would first have to setup glue records at GoDaddy for server.thinkprep.ca, pointing to 49.12.106.255.

Then you would change the nameserver registration for your domain (again, at GoDaddy) from the present values (ns03.domaincontrol.com, ns04.domaincontrol.com), to (server.thinkprep.ca).

However, there are some consequences to doing this. Your domain’s DNS would no longer be redundant and it could cause outages.

Usually hosts who run cPanel servers will also run a couple of WHM DNSOnly servers, in order to not be vulnerable to downtime.

If I were you … I would try to figure out a way to survive without needing wildcard SSL, because in your case, it comes at a very high complexity and risk.

2 Likes

Thanks for your suggestion, I have now added ip4 IP in ns1 record and ip6 IP in ns2 record and lets encrypt works well for wildcard sub-domains now… :slight_smile:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.