Stalled DNS cache at certbot resolvers?

My domain is:
pokupo.si

I ran this command:
letsencrypt certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflareapi.cfg --server https://acme-v02.api.letsencrypt.org/directory -d pokupo.si

It produced this output:
Failed authorization procedure. pokupo.si (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "ePAryjats_ew7VgaYmh4dl2pRy6P_Xttd8ktC_HnMpw" found at _acme-challenge.pokupo.si

Detail: Incorrect TXT record "ePAryjats_ew7VgaYmh4dl2pRy6P_Xttd8ktC_HnMpw" found at _acme-challenge.pokupo.si

My web server is (include version):
Doesn't matter, DNS plugin

The operating system my web server runs on is (include version):
Debian 9, Debian 11

My hosting provider, if applicable, is:
Cloudflare (DNS hosting), others not important

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.12.0, 0.28.0

Tested with two versions of OS/certbot to be sure.
Checked the DNS record (_acme-challenge.pokupo.si) at the Cloudflare authoritative servers, 8.8.8.8, 1.1.1.1 and a few other resolvers:
_acme-challenge.pokupo.si has no TXT record

Also, certbot worked fine for *.pokupo.si
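A stdlib-only version of the resolver check described in the post above, added here as an illustration and not part of any post in this thread: it sends a TXT query for `_acme-challenge.pokupo.si` to each listed resolver, parses the reply (including compressed names), and reports whether the expected challenge token is among the strings returned. The domain, the token string and the resolver IPs 1.1.1.1 and 8.8.8.8 come from the thread; the function names, the resolver set and the constructed sample response used for the offline self-test are assumptions for this example. Run against the live resolvers before starting certbot, it shows whether a stale or missing token is what validation is going to see, which is the condition behind an "Incorrect TXT record ... found" error.

```python
import random
import socket
import struct

# Values taken from the thread; the resolver set is an assumption for the example.
CHALLENGE_NAME = "_acme-challenge.pokupo.si"
TOKEN_SEEN_BY_LE = "ePAryjats_ew7VgaYmh4dl2pRy6P_Xttd8ktC_HnMpw"
RESOLVERS = {"cloudflare": "1.1.1.1", "google": "8.8.8.8"}
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name):
    # Dotted name -> DNS wire labels: <len><bytes> ... <0>
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_txt_query(name, txid):
    # Header: id, flags (RD set), QDCOUNT=1, AN/NS/AR=0, then one TXT/IN question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def read_name(msg, off):
    # Read a possibly compressed name; return (name, offset just after it).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # the caller continues after the 2-byte pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_txt_answers(msg):
    # Return (rcode, [joined TXT strings]) from a DNS response message.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            # TXT RDATA is a sequence of <len><chars> strings; join them into one.
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            records.append("".join(parts))
    return flags & 0x0F, records


def query_txt(name, resolver, timeout=3.0):
    # Plain UDP query to port 53; requires network access.
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_txt_answers(data)


def check_token(name, expected, resolvers):
    # Map resolver label -> (expected token present?, strings actually returned).
    out = {}
    for label, ip in resolvers.items():
        try:
            rcode, records = query_txt(name, ip)
            out[label] = (rcode == 0 and expected in records, records)
        except (OSError, ValueError) as exc:
            out[label] = (False, [f"error: {exc}"])
    return out


def constructed_response():
    # A constructed reply (not captured traffic) for an offline self-test:
    # NOERROR, one question, one TXT answer whose owner name is a pointer to it.
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(CHALLENGE_NAME) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = bytes([len(TOKEN_SEEN_BY_LE)]) + TOKEN_SEEN_BY_LE.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    for label, (ok, strings) in check_token(CHALLENGE_NAME, TOKEN_SEEN_BY_LE, RESOLVERS).items():
        print(f"{label:10} token present={ok} records={strings}")
```

If the public resolvers and the zone's own authoritative servers disagree, the token has not propagated yet; certbot's Cloudflare plugin exposes `--dns-cloudflare-propagation-seconds` to wait longer before validation is requested, which is the setting to raise in that case.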

Hi @inkvizitor68sl, and welcome to the LE community forum 🙂

Please remove the older one and also update/upgrade both to the newest one.

2 Likes

As for the cache issue...
I'd say that Cloudflare should be to blame; LE doesn't cache anything DNS related.

2 Likes

I've read in some other threads that LE caches DNS responses for a few seconds or perhaps a few minutes, tops.

3 Likes

Hi @inkvizitor68sl, and welcome to the LE community forum 🙂

Hi, thanks )

Please remove the older one and also update/upgrade both to the newest one.

Yes, the snap version helped - but it is not an option for prod.
But why does 1.12.0 have problems with exactly one domain? I used it to issue around 40 certs without problems - and pokupo.si (the domain this thread is about) was issued 3 months ago without problems (and the wildcard for this one was issued yesterday without problems).

1.12.0 is the repo version in Debian 11, and AFAIR no newer debs are available for 11 - I need some official information from LE to ask the Debian community to upgrade the certbot packages to a working version, I think.

2 Likes

I already blamed Cloudflare for that:

Do all those certs come from that same domain?
If multiple domains, do they all use Cloudflare DNS?

2 Likes

If multiple domains, do they all use Cloudflare DNS?

Yesterday I tried to issue "-d pokupo.io,*.pokupo.io,pokupo.si,*.pokupo.si" - only pokupo.si failed (even *.pokupo.si was issued correctly).
It is the same Cloudflare account.

And yes, I use Cloudflare DNS widely for a few projects; it is the only domain with this type of problem.

Oh, it looks random.
3 hosts with 1.12.0 now:

  1. works fine with all 4 hosts (2 hosts + 2 wildcards)
  2. failed for pokupo.si
  3. failed for pokupo.si, pokupo.io

I see them both being issued very recently on the same certs.
pokupo.IO:
[image]

pokupo.SI has one extra cert:

2 Likes

pokupo.SI has one extra cert:

I got this via HTTP challenge to let the site work until the DNS challenge is fixed.

I see them both being issued very recently on the same certs.

Yes, because I now have at least one host which is able to issue this cert with both certbot 1.12.0/1.29.0, and I tested it here a few times.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.