My domain is (local, using _acme TXT)
joomla.barrett.com.au
I ran this command:
/usr/local/bin/certbot-auto certonly --manual --manual-public-ip-logging-ok -n --no-bootstrap --no-self-upgrade --preferred-challenges=dns --manual-auth-hook /etc/letsencrypt/send_DNS_TXT_reload_named -d joomla.barrett.com.au
It produced this output:
See below for lengthy explanation about the problem
My web server is (include version):
Apache/2.4.6
The operating system my web server runs on is (include version):
CentOS 7.X
My hosting provider, if applicable, is:
Datacenter
I can login to a root shell on my machine (yes or no, or I don't know):
Yep, SSH
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Not using
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.3.0
The error the command produces:
Waiting for verification...
Challenge failed for domain joomla.barrett.com.au
dns-01 challenge for joomla.barrett.com.au
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: joomla.barrett.com.au
Type: unauthorized
Detail: Incorrect TXT record
"L-XHbwOEOeuTwcomrv2qEp_eYVCOEMVa7xOknfw78pI" found at
_acme-challenge.joomla.barrett.com.au
The TXT record is a record from a LONG time ago and is NOT FOUND CURRENTLY in the zone files on the name server.
Explanation /etc/letsencrypt/send_DNS_TXT_reload_named
It's a wrapper so I can pick up $CERTBOT_DOMAIN and $CERTBOT_VALIDATION
It basically launches an SSH shell on the NAME SERVER to change the _acme_validation for the domain:
ssh ns1.barrettconsulting.com.au "/etc/named/change_acme_validation_reload_named -d $CERTBOT_DOMAIN -v $CERTBOT_VALIDATION"
Explanation /etc/named/change_acme_validation_reload_named
- check for proper parameters
- changes a FILE in /etc/named with domain name containing the validation (I have many, hence this)
- executes a script that changes ALL acme_validation domains with validation found in the files
- changes the SERIAL number 1 up
- restarts the name server
- it waits 15 seconds for the DNS to take effect
- exit 0 to the caller
What I have checked
- I have checked that in fact the _acme-challenge.joomla TXT record HAS changed, I know it has
- I know the validation of the zone record is correct
- I look at the zone files, everything IS correct.
- I use this script on other machines/domains and I KNOW it works
What is strange
The validation certbot-auto tells me it found "L-XHbwOEOeuTwcomrv2qEp_eYVCOEMVa7xOknfw78pI" IS OLD!
I searched the entire named tree for a matching string; it cannot be found.
I really do not have a clue where the old TXT record comes from.
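As an added example (not the poster's hook script and not part of the original post), here is a POSIX shell fragment that a manual auth hook can call before it exits. Instead of sleeping a fixed 15 seconds after reloading named, it polls a resolver for the `_acme-challenge` TXT record and only returns success once the value certbot passed in `$CERTBOT_VALIDATION` is actually visible; if a stale value (like the old one reported above) is all the resolver returns, the hook fails loudly instead of letting the challenge run. Assumed: `dig` is installed, and the resolver address and retry count are placeholders to adjust.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record is visible before the
# auth hook returns to certbot. Not the poster's script; dig is assumed present.

# txt_values: read `dig +short ... TXT` output on stdin and print each quoted
# TXT string without its surrounding quotes, one per line.
txt_values() {
    sed -n 's/^"\(.*\)"$/\1/p'
}

# txt_matches EXPECTED: read dig +short output on stdin; succeed only if one of
# the TXT strings is exactly EXPECTED (whole-line, fixed-string comparison).
txt_matches() {
    expected="$1"
    txt_values | grep -qxF -- "$expected"
}

# wait_for_txt NAME EXPECTED [RESOLVER] [TRIES]: poll RESOLVER (placeholder
# default 8.8.8.8) up to TRIES times, 5 seconds apart, until NAME has a TXT
# record equal to EXPECTED. Returns 1 if it never shows up.
wait_for_txt() {
    name="$1"; expected="$2"; resolver="${3:-8.8.8.8}"; tries="${4:-12}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short @"$resolver" "$name" TXT | txt_matches "$expected"; then
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    echo "TXT for $name never showed value $expected at $resolver" >&2
    return 1
}

# Only act when invoked by certbot (these variables are set by --manual-auth-hook).
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
fi
```

Querying the authoritative server (for example `@ns1.barrettconsulting.com.au`) instead of a public resolver tells you whether the zone reload itself worked; querying a public resolver tells you what the CA is likely to see, including any cached old value. Checking both, in that order, separates "named did not pick up the change" from "a cached answer is still being served".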