Second DNS challenge fails using custom manual_auth_hook

  • I am using a manual_auth_hook that directly pushes dns challenges onto my own dns server.

  • The first challenge is always successful. I a second challenge is issued, it fails, claiming that a wrong dns entry was found

  • in the log below

    • my manual_auth_hook script logs the requested challenges
    • the ‘wrong’ challenge logged by certbot in the very end is exactly the same than the one requested to my script
  • my TXT entries have TTL 1

  • in this attempt, my script already had a waiting of 5 secs after updating the DNS record

My domain is: *

I ran this command: certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for
Running manual-auth-hook command: /etc/letsencrypt/
Output from manual-auth-hook command
ssh -p6554 ./updateacme KXlgbS-krNBvcIoFMBjgT6A5AHPR8-IwwMVwF46-6do

Running manual-auth-hook command: /etc/letsencrypt/
Output from manual-auth-hook command
ssh -p6554 ./updateacme M_Buq1fuEZVdVe9JMn3ukU6OS0kF8oybyE5QKWmzkHI

Waiting for verification…
Challenge failed for domain
dns-01 challenge for
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

Running post-hook command: /etc/letsencrypt/renewal-hooks/post/restart-dovecot
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/restart-nginx
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/restart-postfix
1 renew failure(s), 0 parse failure(s)


  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Incorrect TXT record
    “M_Buq1fuEZVdVe9JMn3ukU6OS0kF8oybyE5QKWmzkHI” found at

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): unused

The operating system my web server runs on is (include version):
Linux 5.2.17-200.fc30.x86_64 #1 SMP Mon Sep 23 13:42:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: own web server, own DNS servers

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.38.0

1 Like

Hi @Philadelphia

checking your domain via - you have created today two certificates:

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-06-06 2020-09-04 *, - 2 entries duplicate nr. 2
Let’s Encrypt Authority X3 2020-06-06 2020-09-04 *, - 2 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-03-20 2020-06-18 *, - 2 entries

So I don’t understand your question.

Use one of these, don’t create the next certificate, there is a rate limit.

1 Like

Yes - it worked - because there was just one challenge. It had 60 secs delay (before 5 secs)
I had a couple of dry-runs with two challenges who failed.
I thought it might be interesting for you to fix it.
The log indicates a letsencrypt failure, correct ? Or did I draw a wrong conclusion ?
I later might be able to provide wireshark logs from the DNS server and the certbot logfiles.
Right now, I obviously reached a limit - the OK comes without DNS communication

1 Like

Letsencrypt validations are cached and 30 days re-used.

So if you validate one domain name, the other fails. Next step, you need only one validation.

Checking your domain that looks wrong -

There is only one TXT entry visible.

If you want a certificate with two domain names (both via dns validation), two TXT entries with the same name, but different values are required.


looks that your script creates one entry, then overwrites the value with the second entry, that’s wrong.

Two entries with the same domain name, but different values should be visible after you have created these two entries and before Letsencrypt checks the result.

1 Like

Yes, you are right. The script was called twice for two different certs. Obviously the renewals are executed asynchronously, running in parallel, the later not waiting for the former to finish.
The right way to handle this is then

  • add the _acme-challenge TXT record using the manual_auth_hook

  • remove the specific record from a second script hooked to the manual_clenaup_hook

Problem solved, thanx a lot

1 Like