I ran this command:
letsencrypt certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflareapi.cfg --server https://acme-v02.api.letsencrypt.org/directory -d pokupo.si
It produced this output:
Failed authorization procedure. pokupo.si (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "ePAryjats_ew7VgaYmh4dl2pRy6P_Xttd8ktC_HnMpw" found at _acme-challenge.pokupo.si
Detail: Incorrect TXT record
"ePAryjats_ew7VgaYmh4dl2pRy6P_Xttd8ktC_HnMpw" found at
_acme-challenge.pokupo.si
My web server is (include version):
Doesn't matter, DNS plugin
The operating system my web server runs on is (include version):
Debian 9, Debian 11
My hosting provider, if applicable, is:
Cloudflare (DNS hosting), other not important
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.12.0, 0.28.0
Tested with two versions of OS/certbot to be sure.
Checked the DNS record (_acme-challenge.pokupo.si) at the Cloudflare authority, 8.8.8.8, 1.1.1.1 and a few other resolvers:
_acme-challenge.pokupo.si has no TXT record
Please remove the older one and also update/upgrade both to the newest one.
Yes, the snap version helped - but it is not an option for prod.
But why does 1.12.0 have problems with exactly one domain? I used it to issue around 40 certs without problems - and pokupo.si (thread about it) was issued 3 months ago without problems (and the wildcard for this one was issued yesterday without problems).
1.12.0 is the repo version in Debian 11; no newer debs are available for 11, AFAIR. I think I need some official information from LE to ask the Debian community to upgrade the certbot packages to a working version.
If multiple domains, do they all use Cloudflare DNS?
Yesterday I tried to issue "-d pokupo.io,*.pokupo.io,pokupo.si,*.pokupo.si" - only pokupo.si failed (even *.pokupo.si was issued correctly).
It is the same Cloudflare account.
And yes, I use cloudflare-dns widely for a few projects; it is the only domain with this type of problem.