The key for obtaining the certificate expires

Hello. I use the command certbot certonly --manual --preferred-challenges dns --domains and get a temporary key. Then I put it in a TXT record at my domain registrar. This DNS record became available only after 24 hours. Then I call certbot again, and it issues a different key already. There was no such thing before; it issued the same key a day later. But now I can't confirm DNS because the key is not cached for a long time, and I need at least 24 hours for DNS to take effect.

First, I moved your post to the Help topic. Had you posted here first you would have been asked to complete the form below. Please answer as much as you can.

But, as to this ...

Let's Encrypt servers look directly at the authoritative DNS servers. They are not affected by TTL propagation. It is highly unlikely your authoritative DNS takes that long to sync between themselves. That is usually within minutes.

You can check what Let's Encrypt sees with or any of the various other ways to query the authoritative DNS.

If you provide your domain name we can provide more detailed advice.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I used nslookup -type=TXT
to check my DNS, but it doesn't always work. There was a case when the team showed that the DNS was updated, but certbot itself wrote that the desired record was not found, and then I had to put a new key and wait a day. My system: Ubuntu 18.04.6 LTS, certbot 0.27.0, and domain registrar I installed a new DNS about 5 minutes ago

Thanks, I saw my key in, and continued in certbot. Congratulations! Your certificate and chain have been saved at:


You could also use (note your authoritative name server in the command):

nslookup -type=TXT        text = "grXR2b9_wQTfAMxvv2DVXEBAEx9QTAcn1rJn0o0rBS0"

Or this

dig TXT
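
The check discussed in this thread (querying every authoritative name server directly for the `_acme-challenge` TXT value before telling certbot to continue) can be scripted. This is an added example, not part of the original posts; the function names and the two command-line arguments (domain and expected TXT value) are assumptions for illustration.

```shell
#!/bin/sh
# Usage: sh check_acme_txt.sh <domain> <expected-txt-value>
# Exit 0 only when every authoritative server already serves the value.

# Return 0 if $2 equals one complete TXT string in `dig +short TXT`
# output passed as $1 (one quoted string per line).
txt_has_value() {
    want=$2
    while IFS= read -r line; do
        line=${line#\"}; line=${line%\"}      # strip the surrounding quotes
        [ "$line" = "$want" ] && return 0
    done <<EOF
$1
EOF
    return 1
}

# Print the name servers of the zone that contains $1, walking up one
# label at a time so that sub.example.com finds the example.com NS set.
zone_nameservers() {
    name=$1
    while :; do
        ns_set=$(dig +short NS "$name")
        if [ -n "$ns_set" ]; then printf '%s\n' "$ns_set"; return 0; fi
        case $name in *.*) name=${name#*.} ;; *) return 1 ;; esac
    done
}

# Ask each authoritative server itself, bypassing resolver caches and TTLs.
check_authoritative() {
    domain=$1; token=$2; status=0
    servers=$(zone_nameservers "$domain") || { echo "no NS found for $domain" >&2; return 2; }
    while IFS= read -r ns; do
        answer=$(dig +short +norecurse TXT "_acme-challenge.$domain" "@$ns")
        if txt_has_value "$answer" "$token"; then
            echo "OK      $ns"
        else
            echo "MISSING $ns (got: ${answer:-nothing})"; status=1
        fi
    done <<EOF
$servers
EOF
    return $status
}

# Run only when both arguments are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then check_authoritative "$1" "$2"; fi
```

Run it while certbot is still waiting at its manual prompt, and continue only once every server reports OK.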
