Staging server refers to TXT-records that have been deleted

I’m using Apache httpd with mod-md, to set up using dns-01 on the staging environment. Ordering seems to work, and the TXT records have been created as requested. The domain lives with Cloudflare, and the TXT records have TTL=120.

There has been a lot of back-and-forth with many restarts, so there have been many TXT records created.

My main question now is that the staging server keeps returning an error message that refers to a TXT record that was deleted more than 12 hours ago. It sounds like the letsencrypt staging server refers to old DNS-data, which again sounds weird. Is this significant? What should I do?

The current error message is “Incorrect TXT record "jh84NoW5kYUY5Lym5iDr1dIntuaLxba1TYT2P3-yZJE" (and 2 more) found at”, while the current records (unchanged since yesterday) are other ones:

{
  "identifier": {
    "type": "dns",
    "value": ""
  },
  "status": "invalid",
  "expires": "2020-03-31T16:32:04Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"jh84NoW5kYUY5Lym5iDr1dIntuaLxba1TYT2P3-yZJE\" (and 2 more) found at",
        "status": 403
      },
      "url": "",
      "token": "(removed)"
    }
  ]
}

Here is the latest TXT record being created:

[Tue Mar 24 17:32:06.310382 2020] [md:info] [pid 7:tid 140205830121216] cmd(/usr/local/apache2/conf.local/ stderr: Operation: setup D3R2mrzPK5fPKSk0hhZCYVg3nbl8QY0aN2PkjG0Tlvc

Latest hourly verification messages:

[Wed Mar 25 13:00:55.863399 2020] [md:trace1] [pid 7:tid 140205830121216] md_curl.c(239): request --> GET
[Wed Mar 25 13:00:56.615524 2020] [md:trace2] [pid 7:tid 140205830121216] md_acme.c(706): response: {
  "(removed)": "Adding random entries to the directory",
  "keyChange": "",
  "meta": {
    "caaIdentities": [
      ""
    ],
    "termsOfService": "",
    "website": ""
  },
  "newAccount": "",
  "newNonce": "",
  "newOrder": "",
  "revokeCert": ""
}
[Wed Mar 25 13:00:57.864462 2020] [md:trace2] [pid 7:tid 140205830121216] md_acme.c(310): response: {
  "key": {
    "kty": "RSA",
    "n": "(removed)",
    "e": "AQAB"
  },
  "contact": [
    ""
  ],
  "initialIp": "",
  "createdAt": "2020-03-24T16:32:03Z",
  "status": "valid"
}

[Wed Mar 25 13:00:57.865010 2020] [md:debug] [pid 7:tid 140205830121216] md_acme.c(363): sending req: GET
[Wed Mar 25 13:00:58.479189 2020] [md:trace2] [pid 7:tid 140205830121216] md_acme.c(310): response: {
  "status": "invalid",
  "expires": "2020-03-31T16:32:04Z",
  "identifiers": [
    {
      "type": "dns",
      "value": ""
    }
  ],
  "authorizations": [
    ""
  ],
  "finalize": ""
}

[Wed Mar 25 13:00:58.482853 2020] [md:debug] [pid 7:tid 140205830121216] md_acme.c(363): sending req: GET
[Wed Mar 25 13:00:59.090442 2020] [md:trace2] [pid 7:tid 140205830121216] md_acme.c(310): response: {
  "identifier": {
    "type": "dns",
    "value": ""
  },
  "status": "invalid",
  "expires": "2020-03-31T16:32:04Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"jh84NoW5kYUY5Lym5iDr1dIntuaLxba1TYT2P3-yZJE\" (and 2 more) found at",
        "status": 403
      },
      "url": "",
      "token": "phShZscbPna0AgQFHoZHPG0i8zZasnvNZbdFulhx8Ec"
    }
  ]
}


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: /

I ran this command:

I use Apache httpd with mod_md, and have set up using the staging server.

It produced this output:

My web server is (include version): Apache httpd/2.4.41

The operating system my web server runs on is (include version):

Running in docker, with a super simple Dockerfile:
FROM httpd:2.4.41
RUN set -x && apt update && apt-get install -y ca-certificates libapache2-mod-auth-openidc libapache2-mod-md jq curl

root@22fa4035d583:/usr/local/apache2# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"

root@22fa4035d583:/usr/local/apache2# apt list libapache2-mod-md
Listing... Done
libapache2-mod-md/stable,stable,now 2.4.38-3+deb10u3 amd64 [installed]

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
mod-md 2.4.38


Ensure all your DNS servers are up-to-date (synchronized).
[and delete any records you no longer need]

It can be: if they are out of sync, new renewals may hit that "bad" DNS and fail.

[I doubt this is the case with your CloudFlare DNS, but it is just general advice]

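To make the two checks discussed in this thread concrete (what value the CA actually looks for in `_acme-challenge.<domain>`, and whether every authoritative server is serving it without stale leftovers), here is an added example in Python. It is not code from the original post or from mod_md. It computes the expected TXT value the way RFC 8555 section 8.4 defines it (base64url of the SHA-256 of `token "." thumbprint`, with the RFC 7638 account-key thumbprint), parses `dig +short TXT` output, and audits what each server returns. The nameserver names, the `dig` output and the RSA modulus are constructed placeholders; the token and TXT values are the ones quoted from the logs above.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as both ACME (RFC 8555) and JWK thumbprints (RFC 7638) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no whitespace)
    of only the required public members of the key."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    kty = jwk["kty"]
    if kty not in required:
        raise ValueError(f"unsupported key type {kty!r}")
    canonical = json.dumps({k: jwk[k] for k in required[kty]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: the TXT record must hold base64url(SHA-256(key authorization)),
    where key authorization = token '.' thumbprint(account public key)."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def parse_dig_short(output: str) -> set:
    """Turn `dig +short TXT _acme-challenge.<domain> @<ns>` output into the set of TXT values.
    Each answer is one line; a long record arrives as several quoted strings on that line,
    which are concatenated, the same way a resolver sees them."""
    values = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        values.add("".join(parts))
    return values


def audit_txt_records(expected: str, observed_by_ns: dict) -> dict:
    """Compare what each authoritative server serves against the value the CA will look for.
    missing_on: servers that do not serve the expected value (validation fails if the CA asks them);
    stale_values: leftover values from earlier attempts that should be deleted;
    in_sync: whether all servers return the same answer set."""
    missing = sorted(ns for ns, vals in observed_by_ns.items() if expected not in vals)
    stale = sorted({v for vals in observed_by_ns.values() for v in vals} - {expected})
    answer_sets = {frozenset(vals) for vals in observed_by_ns.values()}
    return {"missing_on": missing, "stale_values": stale, "in_sync": len(answer_sets) <= 1}


def demo() -> dict:
    """Constructed scenario: the value mod_md last wrote (from the log above) is present on one
    server only, and a value from an earlier attempt (the one the CA complained about) lingers."""
    expected = "D3R2mrzPK5fPKSk0hhZCYVg3nbl8QY0aN2PkjG0Tlvc"
    observed = {
        # hypothetical nameserver names; the dig output is constructed
        "ns1.example-dns.invalid": parse_dig_short(
            '"D3R2mrzPK5fPKSk0hhZCYVg3nbl8QY0aN2PkjG0Tlvc"\n'
            '"jh84NoW5kYUY5Lym5iDr1dIntuaLxba1TYT2P3-yZJE"\n'),
        "ns2.example-dns.invalid": parse_dig_short(
            '"jh84NoW5kYUY5Lym5iDr1dIntuaLxba1TYT2P3-yZJE"\n'),
    }
    return audit_txt_records(expected, observed)


if __name__ == "__main__":
    # Placeholder RSA JWK (the modulus is NOT a real key); shape matches the account object in the log.
    account_jwk = {"kty": "RSA", "n": "(placeholder-not-a-real-modulus)", "e": "AQAB"}
    token = "phShZscbPna0AgQFHoZHPG0i8zZasnvNZbdFulhx8Ec"
    print("CA will look for:", expected_txt_value(token, account_jwk))
    print(json.dumps(demo(), indent=2))
```

In practice you would feed `parse_dig_short` the output of `dig +short TXT _acme-challenge.<domain> @<ns>` for each server listed by `dig +short NS <domain>`, and compare against the value your client wrote (mod_md logs it in the `Operation: setup ...` line). A non-empty `stale_values` list is exactly the situation where the CA reports a record you thought was gone, and a non-empty `missing_on` list is the out-of-sync case the reply above describes; with a TTL of 120 seconds, any server still answering with an old value after that window is serving it from its own zone data, not from cache.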