The client lacks sufficient authorization :: No TXT record found at

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
domain name:
I ran this command:
./ -v xenial-22 -s -l -x -e
It produced this output:
See error below
My web server is (include version):

The operating system my web server runs on is (include version):
using Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-1083-gcp x86_64)
DNS record is managed by yahoo small biz.

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at


  • The following errors were reported by the server:

    Type: unauthorized
    Detail: No TXT record found at

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Hi @cliep

Your setup can’t work, see your check

You have a wildcard CNAME:

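| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| | A | Council Bluffs/Iowa/United States (US) - Google LLC, Hostname: | yes | 1 | 0 |
| | AAAA | | yes | | |
| | CNAME | | yes | 1 | 0 |
| | A | New York/United States (US) - Oath Holdings Inc., Hostname: | yes | | |
| * | A | | yes | | |
| | AAAA | | yes | | |
| * | A | | yes | | |
| | AAAA | | yes | | |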

So the required is an alias of

But I don’t think that script ./ is able to create the required TXT entry there.

Do you really need a wildcard with dns validation? Or is it possible to use http-validation?


Thank you for your response. In order for the BigBlueButton video conference server to be seen, it must have an SSL certificate. I ran it on a DigitalOcean VM instance last year. The same installation as above and it worked out fine. Here is that URL: and it worked out fine. It is also hosted on

I am at a loss. Can’t figure it out.

Here is the information on that certificate:

This certificate has been verified for the following usages:

SSL Server Certificate

Issued To

Common Name (CN)

Organization (O)

Organizational Unit (OU)

Issued By

Common Name (CN)

Let’s Encrypt Authority X3

Organization (O)

Let’s Encrypt

Organizational Unit (OU)

Validity Period

I have no idea what that script is doing.

And why that script tries to use dns validation instead of http validation.


Then check if you can use http validation.


It looks like this script doesn’t really work.


OK. will read it and hopefully find a solution.

Thank you for your time.

If you don’t really need the DNS entry for the wildcard (as CNAME), you might get this to work after deleting that entry.
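
The lookup discussed in the replies above, as an added example that is not part of the original thread or of the install script: a simplified resolver over a constructed zone shows the dns-01 TXT query for `_acme-challenge.<domain>` being answered by a wildcard CNAME and ending at the alias target, where no TXT record exists. The names `example.com` and `parked.example.net`, the addresses and the token are constructed placeholders, and wildcard matching is reduced to a single label in one combined zone.

```python
# Added example: simplified model of the TXT lookup behind an ACME dns-01 check.
# All names, addresses and the token are constructed placeholders.
TOKEN = "constructed-key-authorization-digest"

WILDCARD_ONLY = {  # zone as in the thread: wildcard CNAME, no challenge record
    "example.com": {"A": ["192.0.2.10"]},
    "*.example.com": {"CNAME": ["parked.example.net"]},
    "parked.example.net": {"A": ["198.51.100.7"]},
}
# Same zone after the challenge TXT is published at the exact name.
TXT_PUBLISHED = dict(WILDCARD_ONLY)
TXT_PUBLISHED["_acme-challenge.example.com"] = {"TXT": [TOKEN]}
# Zone with the wildcard CNAME deleted and the TXT published.
NO_WILDCARD = {k: v for k, v in TXT_PUBLISHED.items() if k != "*.example.com"}


def lookup(zone, name, rtype, depth=0):
    """Return (name that answered, values) for name/rtype, following CNAMEs."""
    if depth > 8:                       # guard against CNAME loops
        raise RuntimeError("CNAME chain too long")
    rrsets = zone.get(name)
    if rrsets is None:                  # name does not exist: wildcard applies
        parent = name.split(".", 1)[1] if "." in name else ""
        rrsets = zone.get("*." + parent, {})
    if rtype in rrsets:
        return name, rrsets[rtype]
    if "CNAME" in rrsets:               # alias: restart the query at the target
        return lookup(zone, rrsets["CNAME"][0], rtype, depth + 1)
    return name, []


def dns01_check(zone, domain, token):
    """Model the validation query: TXT at _acme-challenge.<base domain>.

    Returns (ok, queried name, name where the lookup ended).
    """
    base = domain[2:] if domain.startswith("*.") else domain
    queried = "_acme-challenge." + base
    answered_at, values = lookup(zone, queried, "TXT")
    return token in values, queried, answered_at


if __name__ == "__main__":
    for label, zone in [("wildcard CNAME only", WILDCARD_ONLY),
                        ("TXT published", TXT_PUBLISHED),
                        ("wildcard deleted + TXT", NO_WILDCARD)]:
        print(label, dns01_check(zone, "example.com", TOKEN))
```

In this model the first zone ends at the alias target with no TXT value, which matches the "No TXT record found" failure; the other two succeed because the challenge name exists as its own record.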
