TXT _acme-challenge not propagating

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tme.co.uk

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: IONOS

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

A lot of the above questions aren't really relevant for my situation I don't think. But I can provide any additional information as needed.

I am trying to enable lets encrypt on a site which is hosted by me (IONOS) but the DNS is controlled by someone else via GoDaddy.

I was advised to ask my customer to add a TXT to the DNS with _acme-challenge as the host along with a record number.

The problem is nothing happens with the record once added to GoDaddy and it does not propagate anywhere. I replaced the HOST name with the @ as a test and it propagates immediately, but the @ sign is incorrect and consequently the validation fails.

The upshot seems to be that the host name of _acme-challenge is preventing propagation, even though this is what I have been provided by IONOS.

What do I do?

Thanks

I see a TXT record. Why do you think it failed? Each new cert request will require a different TXT value. You must delete old ones so they don't build up and eventually cause failures due to having too many values.

https://unboundtest.com/m/TXT/_acme-challenge.tme.co.uk/IRJYS2Q3

Note also that Let's Encrypt only looks at the authoritative servers for this value. It does not need to wait for any kind of TTL propagation. The unboundtest website uses a method similar to LE.


I'm using this web service to check and it only returns one TXT record.

When I changed the host name to an @ it did propagate and I could see the additional TXT record. When I use the correct host name it does not propagate and is not listed.

I have issued a new certificate and the up-to-date credentials have been entered by the client; however, it's not propagating.

I don't want to click the reload button to check it has worked unless I can see it listed, as if it fails again I have to issue a new certificate each time and get my customer to modify the DNS TXT record again.

It's also not showing here: DNS Checker - DNS Check Propagation Tool

That's not the hostname for the acme challenge TXT record. It is:

_acme-challenge.tme.co.uk

You could also use your own dig or nslookup making sure to use your authoritative DNS server

The unboundtest site will walk the DNS tree like Let's Encrypt. Use it for a TXT record of the format I showed above. You absolutely have an acme challenge TXT record in place.
https://unboundtest.com/

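Since the advice in this thread is to query the authoritative name servers directly (as Let's Encrypt does) and to make sure stale challenge tokens have been deleted, here is an added shell example, not code from any of the posters, that does both with `dig`. It assumes `dig` is installed; the zone `tme.co.uk` comes from the thread, and the TXT values in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: check the _acme-challenge TXT record at the zone's own
# authoritative name server rather than through a caching resolver, and
# count how many challenge values are present (more than one usually means
# old tokens were never removed).

ZONE="${1:-tme.co.uk}"            # zone from the thread; override via $1
NAME="_acme-challenge.$ZONE"      # the record ACME dns-01 validation reads

# Read `dig +short TXT` output on stdin and print one bare value per line.
# dig prints each RR as "value", and long values as "chunk1" "chunk2";
# the second sed joins such chunks. Reading stdin keeps this testable
# on constructed output, e.g. printf '"abc123"\n"oldtoken"\n'.
txt_values() {
    sed -n 's/^"\(.*\)"$/\1/p' | sed 's/" "//g'
}

# Number of TXT values present at the name (0 if the record is absent).
count_values() {
    n=$(txt_values | grep -c .) || true
    echo "${n:-0}"
}

# Live lookup: find an authoritative NS for the zone, then ask that server
# for the TXT record. No resolver cache or TTL is involved, which is the
# same view Let's Encrypt gets. Returns non-zero if no NS can be found.
lookup_authoritative_txt() {
    zone="$1"; name="$2"
    ns=$(dig +short NS "$zone" | head -n 1)
    [ -n "$ns" ] || { echo "no NS record found for $zone" >&2; return 1; }
    dig +short @"$ns" TXT "$name"
}

# Only perform the network lookup when explicitly asked (./check.sh --live).
if [ "${2:-}" = "--live" ]; then
    out=$(lookup_authoritative_txt "$ZONE" "$NAME") || exit 1
    printf '%s\n' "$out" | txt_values
    echo "values present: $(printf '%s\n' "$out" | count_values)"
fi
```

Run it as `sh check.sh tme.co.uk --live` to see exactly what the authoritative server returns for `_acme-challenge.tme.co.uk`; if the count is greater than one after a fresh certificate request, the earlier tokens should be deleted at GoDaddy before retrying validation.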

See: DNS Checker - DNS Check Propagation Tool


Note that you can usually automate GoDaddy DNS updates for this. If you are using certbot then this is probably useful: GitHub - miigotu/certbot-dns-godaddy: A godaddy dns plugin using lexicon for cerbot to authenticate and retrieve letsencrypt certificates. Automation saves you from getting it wrong and spending hours working out why it's not working, and it also makes it entirely automated so you don't have to update it every 90 days.

If you're making your DNS updates manually to get a cert, that's OK for testing and not OK for long-term production.


I see a new wildcard cert issued today so I guess you got this sorted out.

I want to say again you will need to repeat this process every 60 days or so to renew the cert. The TXT value changes each time.

There are options when multiple parties need to cooperate for a wildcard cert. If you explain more about what role you and your customer play, we could probably suggest a more streamlined solution.

Also, this:

