TXT Verification Failing for the Domain Even When My Domain's TXT Records Exist

My domain is: websitesify.com & *.websitesify.com

I ran this command: certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d websitesify.com -d *.websitesify.com

It produced this output:

Requesting a certificate for websitesify.com and *.websitesify.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.websitesify.com.

with the following value:

VV-AVssgXyvPZDLCAWvvptXZkDcAkp2bM9aQRNGJH4k

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.websitesify.com.

with the following value:

rT8bJFrkIQrJf41EgE2S0PNe6gMe-8FawKPaRdZLM9U

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.websitesify.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: websitesify.com
  Type:   dns
  Detail: DNS problem: query timed out looking up TXT for _acme-challenge.websitesify.com

  Domain: websitesify.com
  Type:   dns
  Detail: DNS problem: query timed out looking up TXT for _acme-challenge.websitesify.com

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: Cpanel

The version of my client is: certbot 1.21.0

My domain's TXT records are working fine, but I don't know how Let's Encrypt fails the verification.

dig command result: dig -t txt _acme-challenge.websitesify.com

; <<>> DiG 9.18.1-1ubuntu1-Ubuntu <<>> -t txt _acme-challenge.websitesify.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1006
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.websitesify.com. IN    TXT

;; ANSWER SECTION:
_acme-challenge.websitesify.com. 14400 IN TXT   "rT8bJFrkIQrJf41EgE2S0PNe6gMe-8FawKPaRdZLM9U"
_acme-challenge.websitesify.com. 14400 IN TXT   "dXFn1LVQ24U1t8hsvt46ntVgOWLHkkq6aCVWBy59vic"
_acme-challenge.websitesify.com. 14400 IN TXT   "VV-AVssgXyvPZDLCAWvvptXZkDcAkp2bM9aQRNGJH4k"
_acme-challenge.websitesify.com. 14400 IN TXT   "KMQ6IL-mq1fYVuJmNBjPmMvqSQtAW7g0vuAx4wfR_ec"

;; Query time: 2103 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Nov 14 05:26:07 CST 2023
;; MSG SIZE  rcvd: 284

Hi @peter_whitin, and welcome to the LE community forum :slight_smile:

I'd say your authoritative DNS server(s) are not very available.
They need to be as close to 100% available to the entire Internet as possible.

Who's your DSP?:

websitesify.com nameserver = ns1.cdn-glhost.com
websitesify.com nameserver = ns2.cdn-glhost.com
websitesify.com nameserver = ns4.cdn-glhost.com
websitesify.com nameserver = ns3.cdn-glhost.com
2 Likes
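The check this reply is asking for, as an added example that is not part of the thread: a small Python script that asks each authoritative nameserver directly (the way the CA's resolver does, instead of a cache such as 1.1.1.1 that can still hand back a record while the zone's own servers time out) and reports, per server, whether the challenge token is present, absent, or the query timed out. The `example.com` / `.invalid` names, the second token and the sample dig outputs are constructed for illustration; `dig` is assumed to be installed when the script is run stand-alone.

```python
"""Probe each authoritative nameserver for an ACME dns-01 TXT record.

Added example (not from the thread). A caching resolver such as 1.1.1.1 can
return a record it already holds even when the zone's own servers time out;
the CA resolves from the root and talks to those servers directly, so that is
what is tested here. Requires the `dig` binary when run stand-alone.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# One dig answer line: <name> <ttl> IN TXT <quoted strings>
TXT_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+(.+)$')
# One quoted chunk of a TXT record (dig splits long records into several)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def dig_timed_out(output: str) -> bool:
    """True if dig reported a timeout instead of an answer."""
    return any(
        line.startswith(";;") and ("timed out" in line or "no servers could be reached" in line)
        for line in output.splitlines()
    )


def parse_dig_txt(output: str) -> Optional[List[str]]:
    """Return the TXT strings from dig's ANSWER SECTION, or None on timeout."""
    if dig_timed_out(output):
        return None
    values: List[str] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # end of the answer section
        match = TXT_LINE.match(line)
        if match:
            values.append("".join(QUOTED.findall(match.group(1))))
    return values


def query_txt(name: str, nameserver: str, timeout: int = 5) -> str:
    """Ask one nameserver directly (no cache in between); returns raw dig output."""
    cmd = ["dig", f"@{nameserver}", "-t", "txt", name, f"+time={timeout}", "+tries=1"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_challenge(token: str, outputs: Dict[str, str]) -> Dict[str, str]:
    """Classify each nameserver's dig output as 'ok', 'missing' or 'timeout'."""
    report: Dict[str, str] = {}
    for ns, output in outputs.items():
        values = parse_dig_txt(output)
        if values is None:
            report[ns] = "timeout"
        elif token in values:
            report[ns] = "ok"
        else:
            report[ns] = "missing"
    return report


def all_servers_ok(report: Dict[str, str]) -> bool:
    """The CA may pick any authoritative server, so every one must answer correctly."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed sample outputs (server names and the stale token are made up).
SAMPLE_OK = """; <<>> DiG 9.18.1 <<>> @ns1.example.invalid -t txt _acme-challenge.example.com
;; ANSWER SECTION:
_acme-challenge.example.com. 300 IN TXT\t"VV-AVssgXyvPZDLCAWvvptXZkDcAkp2bM9aQRNGJH4k"
_acme-challenge.example.com. 300 IN TXT\t"rT8bJFrkIQrJf41EgE2S0PNe6gMe-8FawKPaRdZLM9U"

;; Query time: 40 msec
"""
SAMPLE_MISSING = """; <<>> DiG 9.18.1 <<>> @ns2.example.invalid -t txt _acme-challenge.example.com
;; ANSWER SECTION:
_acme-challenge.example.com. 300 IN TXT\t"staleTokenFromAnEarlierRun"

;; Query time: 38 msec
"""
SAMPLE_TIMEOUT = """;; communications error to 192.0.2.53#53: timed out

; <<>> DiG 9.18.1 <<>> @ns3.example.invalid -t txt _acme-challenge.example.com
;; global options: +cmd
;; no servers could be reached
"""

if __name__ == "__main__":
    # usage: python check_acme_txt.py <record name> <token> <ns1> [<ns2> ...]
    if len(sys.argv) < 4:
        sys.exit("usage: check_acme_txt.py NAME TOKEN NS [NS ...]")
    name, token, servers = sys.argv[1], sys.argv[2], sys.argv[3:]
    result = check_challenge(token, {ns: query_txt(name, ns) for ns in servers})
    for ns, status in result.items():
        print(f"{ns}: {status}")
    sys.exit(0 if all_servers_ok(result) else 1)
```

Run it with the record name, the token certbot printed, and every nameserver listed in the zone's NS set; a single "timeout" line is enough to explain a "query timed out looking up TXT" failure from the CA, whatever a recursive resolver shows.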

Actually, we are using self-hosted WHM (cPanel) for our project. In cPanel, domain zone records are maintained via PDNS (PowerDNS server).

You should switch to LE staging and do some rigorous testing on that DNS system.

Start by adding "--dry-run":
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d websitesify.com -d *.websitesify.com --dry-run

3 Likes

I have executed the above command but again got the same TXT lookup error. But the TXT entries are updated properly; I have cross-verified it using the dig command and Dig (DNS lookup).

Command: dig -t txt _acme-challenge.websitesify.com.

; <<>> DiG 9.18.1-1ubuntu1-Ubuntu <<>> -t txt _acme-challenge.websitesify.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40385
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.websitesify.com. IN    TXT

;; ANSWER SECTION:
_acme-challenge.websitesify.com. 14400 IN TXT   "dXFn1LVQ24U1t8hsvt46ntVgOWLHkkq6aCVWBy59vic"
_acme-challenge.websitesify.com. 14400 IN TXT   "rT8bJFrkIQrJf41EgE2S0PNe6gMe-8FawKPaRdZLM9U"
_acme-challenge.websitesify.com. 14400 IN TXT   "VV-AVssgXyvPZDLCAWvvptXZkDcAkp2bM9aQRNGJH4k"
_acme-challenge.websitesify.com. 14400 IN TXT   "KMQ6IL-mq1fYVuJmNBjPmMvqSQtAW7g0vuAx4wfR_ec"
_acme-challenge.websitesify.com. 14400 IN TXT   "poCrnLXMRwyVywrjd2iPYmbX-6PrW1uo8apkFBT446k"
_acme-challenge.websitesify.com. 14400 IN TXT   "bTh0aATUyNG9OOlmhw-9-SvUTU0SFOWNUGshEs8a4Q0"

;; Query time: 2203 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Nov 14 07:13:46 CST 2023
;; MSG SIZE  rcvd: 396

You can delete the ones no longer needed - each run will ask for new unique entries.

3 Likes

Have a look at this:
DNS Spy report for websitesify.com

2 Likes

Ok, I have deleted the old entries

1 Like

Have a look at this:
unboundtest.com/m/TXT/_acme-challenge.websitesify.com./PVCR7H5Z

Put one entry back [with anything in it] and retest using Unbound.

2 Likes

I have deleted the old TXT record entries and added a few new TXT records.
Still facing the same issue.

unboundtest output:

Query results for TXT _acme-challenge.websitesify.com.
----- Unbound logs -----
Nov 14 13:24:16 unbound[508679:0] notice: init module 0: validator
Nov 14 13:24:16 unbound[508679:0] notice: init module 1: iterator
Nov 14 13:24:16 unbound[508679:0] info: start of service (unbound 1.16.3).
Nov 14 13:24:17 unbound[508679:0] query: 127.0.0.1 _acme-challenge.websitesify.com. TXT IN
Nov 14 13:24:17 unbound[508679:0] info: resolving _acme-challenge.websitesify.com. TXT IN
Nov 14 13:24:17 unbound[508679:0] info: priming . IN NS
Nov 14 13:24:17 unbound[508679:0] info: response for . NS IN
Nov 14 13:24:17 unbound[508679:0] info: reply from <.> 202.12.27.33#53
Nov 14 13:24:17 unbound[508679:0] info: query response was ANSWER
Nov 14 13:24:17 unbound[508679:0] info: priming successful for . NS IN
Nov 14 13:24:17 unbound[508679:0] info: response for _acme-challenge.websitesify.com. TXT IN
Nov 14 13:24:17 unbound[508679:0] info: reply from <.> 2001:503:c27::2:30#53
Nov 14 13:24:17 unbound[508679:0] info: query response was REFERRAL
Nov 14 13:24:17 unbound[508679:0] info: response for _acme-challenge.websitesify.com. TXT IN
Nov 14 13:24:17 unbound[508679:0] info: reply from <com.> 2001:500:856e::30#53
Nov 14 13:24:17 unbound[508679:0] info: query response was REFERRAL
Nov 14 13:24:21 unbound[508679:0] info: Capsforid: timeouts, starting fallback


Error running query: read udp 127.0.0.1:51274->127.0.0.1:1053: i/o timeout

This is what I see with nslookup

$ nslookup -q=txt _acme-challenge.websitesify.com. ns1.cdn-glhost.com.
Server:         ns1.cdn-glhost.com.
Address:        169.44.187.153#53

_acme-challenge.websitesify.com text = "QwLopyPGnzIe60Uc8jDqjzNU54VNt1Z5f3zP7XD_eIY"
_acme-challenge.websitesify.com text = "NYF1OOnyG14CaXepKCocEaCWn2VEDn2cuqZ74O6jX8I"

How can I fix this issue?

That's something your DSP needs to "fix" [not you].

2 Likes