SSL renew failure

When attempting to renew, I get a failure as shown below. I’m attempting via dns and not HTTP as the cert needs to go on a node (load) balancer at linode which distributes http requests via many systems, so an http request is unlikely to go to the system I’m conducting the update no.

I have successfully renewed with the --test-cert option, but have not been successful while running live. (Command:

certbot certonly --test-cert --break-my-certs --manual --preferred-challenges dns -d

My associate has control of the domain and has been modifying the txt record as I’ve instructed, successfully for test runs, but not for live, so I believe he’s doing it correctly.

Attempting both with and without the “break certs” option on live renew attempts seems to make no difference.

Thank you for whatever assistance I can receive!

My domain is:

I ran this command: certbot certonly --manual --preferred-challenges dns -d

It produced this output:
[skipping routine Q &A ]

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
The request message was malformed :: Unable to update challenge :: authorization must be pending

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Hi @cjm

sounds like a bug.

You have created the correct entry

9. TXT - Entries

Domainname TXT Entry Status ∑ Queries ∑ Timeout ok 1 0 _d-cBQhivdnPbPP747QVooWsKm8WB1vcPt5Fx8vyolA looks good 1 0

so this isn’t the problem.

Only idea: Is it possible to update Certbot?

Hi, and thanks. My apt-get tells me certbot is already the latest.
But it is Debian which is known to obtain trade stability with not being on the latest cutting edge.

Other question: Isn’t it possible to redirect such a GET request

to another server / domain name (sample: A new own subdomain, so that there is only one single instance?

Then run Certbot on that server with the webroot option. And you can use http-01 validation.

Letsencrypt follows http and https redirects, if no special port is used.

Interesting. If it follows redirects then I guess it should work. If that opens the door to auto renews, that would be a good thing, though the cert has to be installed on the load balancer, but that might be possible to automate.

But for the moment, we don’t have to run the certbot on any particular system as it works via dns challenge and not http. So I’ll try that route for now. I was able to do the exact same renewal on a different domain, but on my desktop and it worked fine, so I guess that’s the key. Thank you!

1 Like

Success. I ran it on my home system which worked for my live test on an alternate domain and it worked, in spite of my home desktop certbot version being a more antiquated version of 0.23.

I guess if it ain’t broke, I shouldn’t fix it!

Thanks for your help! I was getting frustrated.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.