Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: mousetech.com
I ran this command: certbot -v certonly --dns-rfc2136 --dns-rfc2136-credentials /root/certbot-credentials.ini -d '*.mousetech.com'
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Requesting a certificate for *.mousetech.com
Performing the following challenges:
dns-01 challenge for mousetech.com
Cleaning up challenges
Encountered exception during recovery: certbot.errors.PluginError: Encountered error deleting TXT record: The peer didn't like the signature we sent
Encountered error adding TXT record: The peer didn't like the signature we sent
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx 1.20.1
The operating system my web server runs on is (include version): AlmaLinux 9.4
My hosting provider, if applicable, is: self
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no (command-line, ansible, puppet)
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): certbot 2.11.0
Additional context:
The DNS servers have been in continuous operation since the previous millenium (bind 8 or earlier), so there's likely some cruft in them, Current release is bind 9.16.23.
Renewals fail with the same error on host-specific entries (e.g.,: gourmetj.mousetech.com", not just the domain wildcard.
The server containing nginx and primary dns was just migrated from CentOS 7 to AlmaLinux 9. No problems with renewals before that.
An nsupdate test to add a new TXT record reports no errors..
As I understand it, the failing operation uses a library python module not unique to letsencrypt, but nobody has explained what the error means or how to fix it.