Problem with certbot-auto, LOCAL domain and manual-auth-hook

My domain is (local, using _acme TXT)

I ran this command:

/usr/local/bin/certbot-auto certonly --manual --manual-public-ip-logging-ok -n --no-bootstrap --no-self-upgrade --preferred-challenges=dns --manual-auth-hook /etc/letsencrypt/send_DNS_TXT_reload_named -d

It produced this output:
See below for lengthy explanation about the problem

My web server is (include version):

The operating system my web server runs on is (include version):
CentOS 7.X

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yep, SSH

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Not using

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

The Error the command produces:

Waiting for verification…
Challenge failed for domain
dns-01 challenge for
Cleaning up challenges
Some challenges have failed.

  • The following errors were reported by the server:
    Type: unauthorized
    Detail: Incorrect TXT record
    “L-XHbwOEOeuTwcomrv2qEp_eYVCOEMVa7xOknfw78pI” found at

The TXT record is a record from a LONG time ago and is NOT FOUND CURRENTLY in the zone files on the name server.

Explanation of /etc/letsencrypt/send_DNS_TXT_reload_named

It's a wrapper so I can pick up $CERTBOT_DOMAIN and $CERTBOT_VALIDATION.
It basically launches an SSH shell on the NAME SERVER to change the _acme_validation for the domain:

ssh "/etc/named/change_acme_validation_reload_named -d $CERTBOT_DOMAIN -v $CERTBOT_VALIDATION"

Explanation of /etc/named/change_acme_validation_reload_named

  1. check for proper parameters
  2. changes a FILE in /etc/named with domain name containing the validation (I have many, hence this)
  3. executes a script that changes ALL acme_validation domains with validation found in the files
  4. changes the SERIAL number 1 up
  5. restarts the name server
  6. it waits 15 seconds for the DNS to take effect
  7. exit 0 to the caller

What I have checked

  • I have checked that in fact the _acme-challenge.joomla TXT record HAS changed, I know it has
  • I know the validation of the zone record is correct
  • I look at the zone files, everything IS correct.
  • I use this script on other machines/domains and I KNOW it works

What is strange
The validation certbot-auto tells me it found “L-XHbwOEOeuTwcomrv2qEp_eYVCOEMVa7xOknfw78pI” IS OLD!
I searched the entire named tree for a matching string, it cannot be found.

I really do not have a clue where the old TXT record comes from.

$ dig +noall +answer txt
86400 IN TXT "L-XHbwOEOeuTwcomrv2qEp_eYVCOEMVa7xOknfw78pI"

$ dig +noall +answer txt
86400 IN TXT "Bs5Y9l83hW1XbxTv1QP_zW2HJrJKBaKxdEOh3m9GwwI"

Gotta check out what’s happening on your ns1 server.

Hi @jobst

then your zone files are not used. This is your TXT record -


Issuer                      not before   not after    Domain names   LE-Duplicate next LE
Let's Encrypt Authority X3  2020-03-13   2020-06-11   - 1 entries    duplicate nr. 1

You have created a new certificate.

it’s claiming to have a zone serial newer than the master nameserver itself. 2020031384 vs the master’s 2020031365

# for ns in `dig +short ns`; do printf "$ns: "; dig +short @$ns soa ; done
2020031365 10800 3600 1209600 3600
2020031384 10800 3600 1209600 3600
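As an added example (not the poster's script and not part of the thread), here is a POSIX shell tail for the manual-auth-hook described above: after the TXT has been pushed and the serial bumped, it refuses to return until every authoritative nameserver, queried directly rather than through a caching resolver, serves the new validation, and on failure it reports any server whose SOA serial is out of step with the first one, which is exactly the secondary-ahead-of-master situation found in the thread. It assumes dig is installed; the server names, the --wait flag and the script name in the comment are hypothetical.

```shell
#!/bin/sh
# Added example, not the poster's hook script. Tail-end check for a certbot
# manual-auth-hook: after the new _acme-challenge TXT has been written and the
# SOA serial bumped, do not "exit 0" until every authoritative server returns
# the new validation. Assumes dig(1) is installed; server names, the --wait
# flag and the script name below are hypothetical.

# Read "server: serial refresh retry expire minimum" lines (one per NS, the
# shape produced by the dig SOA loop above) and print the name of every
# server whose serial differs from the first server's serial. A secondary
# that is AHEAD of the master never requests a zone transfer and keeps
# serving the old TXT record.
serial_mismatch() {
    awk '{ sub(":$", "", $1); if (NR == 1) ref = $2; if ($2 != ref) print $1 }'
}

# Read 'server "txt1" "txt2" ...' lines and print every server whose answer
# does not contain the expected validation string ($1). dig +short wraps TXT
# data in double quotes, so compare against the quoted form.
txt_missing() {
    awk -v want="\"$1\"" '
        { hit = 0
          for (i = 2; i <= NF; i++) if ($i == want) hit = 1
          if (!hit) print $1 }'
}

# Live helpers: ask each authoritative NS of $1 directly, bypassing any
# recursive resolver cache (where a stale value would otherwise come from
# when testing with a plain "dig txt").
soa_serials() {
    for ns in $(dig +short NS "$1"); do
        # dig +short SOA prints: mname rname serial refresh retry expire minimum
        printf '%s: %s\n' "$ns" "$(dig +short @"$ns" SOA "$1" | awk '{print $3, $4, $5, $6, $7}')"
    done
}

acme_txt_per_ns() {
    for ns in $(dig +short NS "$1"); do
        printf '%s %s\n' "$ns" "$(dig +short @"$ns" TXT "_acme-challenge.$1" | tr '\n' ' ')"
    done
}

# Poll until every NS has the expected validation, or give up after $3 tries
# (default 20, 5 s apart). Returns 1 on failure so the hook can fail loudly
# instead of handing certbot a zone that is not yet consistent.
wait_for_txt() {
    domain=$1; expected=$2; tries=${3:-20}
    while [ "$tries" -gt 0 ]; do
        missing=$(acme_txt_per_ns "$domain" | txt_missing "$expected")
        [ -z "$missing" ] && return 0
        tries=$((tries - 1)); sleep 5
    done
    echo "validation still missing on: $missing" >&2
    soa_serials "$domain" | serial_mismatch | sed 's/^/serial differs from first NS: /' >&2
    return 1
}

# Hypothetical invocation from the hook:
#   check_acme_dns.sh --wait "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
if [ "${1:-}" = "--wait" ] && [ "$#" -eq 3 ]; then
    wait_for_txt "$2" "$3"
fi
```

The point of querying each NS with @server is that a recursive resolver (or the ACME server's own validator) may be handed whichever authoritative server answers first, so a single stale secondary is enough to fail dns-01 even when the master and the zone files are correct.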

Thanks for all the pointers, people!

I will need to check the serial number creation, there has to be a flaw in it.
I just ran out of day to do anything about it, had too much on today.

I'll start again in the morning and report on my fixes/findings.