Renewal failed: DNS challenges fail (No TXT record found)

nicolashainaux · March 24, 2021, 12:05am

My domain is: hainaux.net, *.hainaux.net

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/hainaux.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-ovh, Installer None
Renewing an existing certificate for hainaux.net and *.hainaux.net
Performing the following challenges:
dns-01 challenge for hainaux.net
dns-01 challenge for hainaux.net
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain hainaux.net
Challenge failed for domain hainaux.net
dns-01 challenge for hainaux.net
dns-01 challenge for hainaux.net
Cleaning up challenges
Failed to renew certificate hainaux.net with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /usr/local/etc/letsencrypt/live/hainaux.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: hainaux.net
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.hainaux.net
  
   Domain: hainaux.net
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.hainaux.net

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): FreeBSD 12.2-RELEASE

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is: certbot 1.13.0

From my previous discussion, I understood the DNS plugin for OVH would handle the TXT record of the correct subdomain in order to pass the challenge. Is that correct?

If yes, then what is actually failing then, how may I fix this?

If no, then does it mean I should manually create the TXT record? (and fill it with which value?)

Should I better discard the automatic renewal and create a new certificate from scratch, via the command I issued the first time? (certbot certonly --dns-ovh --dns-ovh-credentials /root/.ssl/ovh.ini -d hainaux.net -d "*.hainaux.net")

Many thanks for your help!

_az · March 24, 2021, 12:43am

I don't think you've done anything wrong, but the 30 seconds propagation time might have been a little too short for OVH's nameservers to update in time.

Try:

 certbot renew --dns-ovh-propagation-seconds 360

and see whether it makes a difference.

nicolashainaux · March 24, 2021, 5:36am

This did the trick! Many thanks!!

system · April 23, 2021, 5:36am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.