Old DNS TXT records not updating after 4 days

My domain is: dev.sepe.property.education.govt.nz

I ran this command:

export AZUREDNS_SUBSCRIPTIONID="subid"
export AZUREDNS_TENANTID="tennantid"
export AZUREDNS_APPID="appid"
export AZUREDNS_CLIENTSECRET='secret'
acme.sh --staging --issue --dns dns_azure -d dev.sepe.property.education.govt.nz

It produced this output:

[dev.sepe.property.education.govt.nz] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record "K2w5CzfrLmjAdejbmpOJAS2QuDUFE19i6XlSq3W4Xok" (and 4 more) found at _acme-challenge.dev.sepe.property.education.govt.nz

My web server is (include version): NA

The operating system my web server runs on is (include version): NA

My hosting provider, if applicable, is: Azure DNS

I can login to a root shell on my machine (yes or no, or I don't know): NA

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh 2.9.0


I believe the error is because of old TXT entries; however, I have been unable to get around this error after waiting 4 days for Google DNS to propagate. I can still see a lot of global DNS servers having these old entries.

I even added a new record in the DNS for _acme-challenge.dev.sepe.property.education.govt.nz with the value "hello", thinking this might kick it back into action, but it hasn't.

How would I be able to remove these old entries from other DNS servers?

They are NOT in Azure DNS if I query the Azure DNS server:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62237
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.dev.sepe.property.education.govt.nz. IN        TXT

;; ANSWER SECTION:
_acme-challenge.dev.sepe.property.education.govt.nz. 60 IN TXT "hello"

;; Query time: 150 msec
;; SERVER: 40.90.4.8#53(40.90.4.8)
;; WHEN: Tue Jul 06 14:02:59 NZST 2021
;; MSG SIZE  rcvd: 98

There may exist a possibility that LE will only read up to a certain number of TXT records (but I doubt it).
Can you manually delete all of the TXT records that are no longer needed (and try again)?

My bet is on DNS not syncing properly OR not being defined properly.

I see two different responses:

nslookup -q=ns dev.sepe.property.education.govt.nz ns1-06.azure-dns.com
dev.sepe.property.education.govt.nz     canonical name = matasepe00core0000dt1.azurewebsites.net

nslookup -q=ns dev.sepe.property.education.govt.nz ns1-08.azure-dns.com
dev.sepe.property.education.govt.nz     canonical name = matasepedevui.azurewebsites.net

With two different IPs:

Name:    waws-prod-sy3-045.cloudapp.net
Address: 13.70.72.44
Aliases: matasepe00core0000dt1.azurewebsites.net
         waws-prod-sy3-045.sip.azurewebsites.windows.net

Name:    waws-prod-sy3-055-a965.australiaeast.cloudapp.azure.com
Address: 20.37.196.196
Aliases: matasepedevui.azurewebsites.net
         waws-prod-sy3-055.sip.azurewebsites.windows.net
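The cross-check the reply above does by hand (querying each authoritative nameserver separately and comparing answers), as an added Python example that is not from the thread or from acme.sh: it parses captured `dig` output per server, confirms the `aa` flag so the answer is authoritative rather than cached, and reports servers that disagree, servers missing the expected token, and stale TXT values. The nameserver names, zone and dig output below are constructed.

```python
import re

# Constructed dig output, modelled on the thread: two nameservers for the same
# zone answer differently (split / out-of-sync DNS). Names are placeholders.
NAME = "_acme-challenge.dev.example.test."
SAMPLE_DIG = {
    "ns1-06.example-dns.test": (
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; ANSWER SECTION:\n"
        f'{NAME} 60 IN TXT "hello"\n'
    ),
    "ns1-08.example-dns.test": (
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; ANSWER SECTION:\n"
        f'{NAME} 60 IN TXT "hello"\n'
        f'{NAME} 60 IN TXT "STALE-TOKEN-1"\n'
        f'{NAME} 60 IN TXT "STALE-TO" "KEN-2"\n'  # multi-chunk TXT rdata
    ),
}

TXT_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$", re.M)
TXT_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')


def is_authoritative(dig_output):
    """True if the ';; flags:' header carries 'aa' (answer came from the zone, not a cache)."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    return bool(m) and "aa" in m.group(1).split()


def txt_values(dig_output, name):
    """Return the set of TXT values for `name`, joining multi-chunk rdata into one string."""
    values = set()
    for owner, rdata in TXT_RR.findall(dig_output):
        if owner.lower() == name.lower():
            values.add("".join(TXT_CHUNK.findall(rdata)))
    return frozenset(values)


def diagnose(dig_by_ns, name, expected):
    """Compare every server's TXT set for `name` against the token the ACME CA expects."""
    sets = {ns: txt_values(out, name) for ns, out in dig_by_ns.items()}
    return {
        "non_authoritative": sorted(ns for ns, out in dig_by_ns.items() if not is_authoritative(out)),
        "consistent": len(set(sets.values())) == 1,  # do all servers return the same set?
        "missing_expected": sorted(ns for ns, s in sets.items() if expected not in s),
        "stale_values": sorted(set().union(*sets.values()) - {expected}),
    }
```

In practice, fill `dig_by_ns` with the output of `dig TXT <name> @<ns>` for each server listed by `dig +short NS <zone>`; any server that still returns a value other than the current token is where the leftover records need deleting.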

That pointed me to think there was a Split DNS somewhere. And there was. Once I removed the old TXT records it worked. Thanks!
