Problems with DNS TXT requests

We are also experiencing the same issue: "No TXT record found at _acme-challenge.domain.tld". Renewal worked on October 17th 2023 but does not now. I have 52 wildcard SANs on the certificate, hence 52 TXT RRs for _acme-challenge.acme.xversal.com. My understanding is Let's Encrypt supports 100 SANs, so it should support 100 TXT records. I also have single certificates using dns-01 with the same DNS server, and they renew fine.

Even if I reduce the number to less than 50, I get the same result.

Interestingly, I see
13-Jan-2024 16:00:10.535 security: debug 3: client @0x7f7930c795e0 3.21.167.67#13627 (_acMe-ChAllENgE.aCmE.XVerSAL.Com): query '_acMe-ChAllENgE.aCmE.XVerSAL.Com/TXT/IN' approved
on the DNS server. I recall seeing something like this once before when dns-01 was broken.

I have left the TXT records in place in case it is any help to anyone; usually they are deleted immediately after the certificate is issued.

Any assistance would be much appreciated.

Welcome @gdsm1

But, your problem is not exactly the same as @tootai whose lookups fail even with unbound 1.16

I have asked a mod to split your post to a different thread.

You are affected by an upgrade to the unbound system that Let's Encrypt uses to verify domains. If you use https://unboundtest.com and check your TXT record with 1.16 it will work. But, 1.18 and 1.19 fail. There was some sort of change regarding packet sizes with udp / tcp and the DNS query. I don't understand all the implications.

It seems that now up to around 20 TXT records would work. See

And, while it is reasonable to expect 100 TXT records to work given the 100 SAN limit, you could have 100 SANs using all HTTP challenges, so no TXT lookup at all.
I understand why you would think 100 TXT records would be the limit. But, I don't know that LE ever said how many were allowed. You wouldn't need any TXT records for a 100 SAN cert that used the HTTP challenge. The size concerns are affected by different underlying technologies.

The earlier failures were service providers combining multiple customer names on one cert (sometimes using CNAME from customer domain). If this is your case too you may need a more granular partition scheme depending on LE response.

==================================================

For future viewers, below was from prior thread which provides more info about the TXT and SAN limits described above.
From here: Challenge Types - Let's Encrypt

You can have multiple TXT records in place for the same name. For instance, this might happen if you are validating a challenge for a wildcard and a non-wildcard certificate at the same time. However, you should make sure to clean up old TXT records, because if the response size gets too big Let’s Encrypt will start rejecting it.
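To make the "response size gets too big" point concrete, here is an added example (not code from the thread or from Let's Encrypt) that builds a minimal DNS TXT answer for an _acme-challenge name with N dns-01 records and measures its wire size. The 43-character TXT value length follows from the dns-01 format (base64url of a SHA-256 digest), and the 512-byte classic UDP limit and the 1232-byte EDNS buffer size are standard DNS figures; the exact threshold a given resolver applies is not stated on this page, so the numbers are an estimate of where UDP stops fitting, not a statement of Let's Encrypt's limit. The query name and key authorizations are constructed samples.

```python
"""Estimate how large a DNS TXT response for _acme-challenge.<name> gets as
the number of dns-01 records grows, and whether it still fits common UDP
payload limits. Added example; thresholds are general DNS figures, not a
published Let's Encrypt limit."""
import base64
import hashlib
import secrets
import struct

CLASSIC_UDP_LIMIT = 512    # RFC 1035 UDP payload limit without EDNS
EDNS_BUFFER_1232 = 1232    # widely used EDNS UDP buffer size (DNS flag day 2020)
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dns01_txt_value(key_authorization):
    """dns-01 TXT value: base64url(SHA-256(key authorization)), no padding (43 chars)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_txt_response(qname, txt_values, txid=0x1234):
    """Build a minimal DNS response: header, one question, one TXT RR per value.
    Each answer's owner name is a compression pointer (0xC00C) to the question name,
    which is how a real authoritative server would encode it."""
    flags = 0x8400  # QR=1 (response), AA=1 (authoritative)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txt_values), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for value in txt_values:
        rdata = bytes([len(value)]) + value.encode("ascii")   # one <character-string>
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + answers


def sample_values(n):
    """Constructed sample: random key authorizations, not real ACME tokens."""
    return [dns01_txt_value(secrets.token_urlsafe(32) + ".thumbprint") for _ in range(n)]


def response_size(qname, n):
    """Wire size in bytes of a TXT response carrying n dns-01 records."""
    return len(build_txt_response(qname, sample_values(n)))


def max_records_within(qname, limit):
    """Largest record count whose response still fits in `limit` bytes."""
    n = 0
    while response_size(qname, n + 1) <= limit:
        n += 1
    return n


def transport_needed(size):
    """Which delivery path a response of this size can use."""
    if size <= CLASSIC_UDP_LIMIT:
        return "udp (fits even without EDNS)"
    if size <= EDNS_BUFFER_1232:
        return "udp only with an EDNS buffer of at least 1232"
    return "truncated over udp; needs tcp fallback"


if __name__ == "__main__":
    qname = "_acme-challenge.acme.xversal.com"   # name from the thread, used as sample
    for n in (1, 8, 20, 21, 22, 52):
        size = response_size(qname, n)
        print(f"{n:3d} TXT records -> {size:5d} bytes: {transport_needed(size)}")
    print("max within 512 :", max_records_within(qname, CLASSIC_UDP_LIMIT))
    print("max within 1232:", max_records_within(qname, EDNS_BUFFER_1232))
```

Each TXT answer costs 56 bytes on the wire (2-byte name pointer, 10 bytes of type/class/TTL/RDLENGTH, and 44 bytes of RDATA), so for this query name about 21 records fit in a 1232-byte UDP response and 52 records need roughly 3 KB, which only arrives if the resolver retries over TCP. Running the script before a renewal, or simply counting the records with `dig TXT _acme-challenge.example.com`, is a quick way to tell whether stale challenge records are pushing the answer past UDP size.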

