Type: unauthorized Detail: No TXT record found at _acme-challenge.<domain>

My cert has expired (forgot to renew), but now trying to either create a new one and upload it or renew, nothing works. I’ve tried manually creating the TXT record, that also doesn’t work. the --dns-route53 option says NO TXT record found, but it does successfully create it and subsequently deletes it as well.
But for some reason, I’m getting an error.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: skywalker.

I ran this command:
certbot certonly --dns-route53 --preferred-challenges dns --cert-name skywalker --domains skywalker. --dry-run

It produced this output:
Domain: skywalker.
Type: unauthorized
Detail: No TXT record found at
_acme-challenge.skywalker.

My web server is (include version): does not apply (cert only)

My hosting provider, if applicable, is: aws

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 1.3.0

1 Like

You probably need to revisit your notes from when you last obtained a cert (back in December).
DNS authentication requires modifications to the matching _acme-challenge TXT record.
That can be done manually or via API.
From the looks of your command line, you are trying to use the Route53 DNS API; But may need to verify the information on HOW CERTBOT can make the DNS change (see: https://certbot-dns-route53.readthedocs.io/en/stable/) or you need to WAIT a bit longer for DNS to sync (see parameter: --dns-route53-propagation-seconds).

Hi, thanks for your reply. I’ve read those documents, and I’ve bumped up the DNS wait period to 360 - and it still doesn’t work. I’ve already used this before successfully months ago (back in December). However, now it is not working. And unfortunately my certs are expired. I can literally see using the aws cli list-resource-record-sets for that zone that the TXT record HAS been created. Yet, for some reason, the attempt to create the certificate fails saying that no TXT record has been found.

Also, i’ve tried to manually create the TXT record as well, and it shows immediately afterwards. So I have this sneaking suspicion that it has something to do with maybe something that has changed maybe in aws, or something else. For example, i have to use a " in “value” field in the json payload to create TXT record manually. And previously the route53 certbot plugin handled it all, but obviously something’s changed? What else can i look for?

Is it definitely going to the skywalker.vault.sapns2.us. zone?

I see that sapns2.us., vault.sapns2.us. and skywalker.vault.sapns2.us. each have their own separate delegation in Route53.

If the _acme-challenge RR is being created in the wrong zone (due to some faulty selection logic in Certbot), that would definitely cause some problems.

Yes, the zoneId matches. where should the DNS record be created? in the root zone? or the skywalker zone?

The skywalker one. I’ll try replicate the same scenario in a second. Are you running Certbot in Docker (given 1.3.0 is a very new version)?

Hrm. I tried the exact same thing, 3 delegated zones and Certbot 1.3.0, seemed to work okay.

Even with dig, I can see that the record went to the right zone - it was visible within a few seconds.

I don’t really have other ideas. Are all the zones on the same AWS account/accessible from the same IAM key? Can you double check that every NS record for each sub-delegation is completely correct?

Certbot output:

$ sudo docker run --rm -e AWS_PROFILE=personal \
-v /home/alex/.aws/credentials:/root/.aws/credentials \
-v $(pwd)/etc_letsencrypt:/etc/letsencrypt certbot/dns-route53 \
certonly --dns-route53 --cert-name skywalker \
--domains skywalker.vault.certbot-route53-test.ga --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for skywalker.vault.certbot-route53-test.ga
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- The dry run was successful.

Dig output (a few seconds after I started Certbot):

$ dig +trace _acme-challenge.skywalker.vault.certbot-route53-test.ga txt

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> +trace _acme-challenge.skywalker.vault.certbot-route53-test.ga txt
;; global options: +cmd
.                       5628    IN      NS      c.root-servers.net.
.                       5628    IN      NS      d.root-servers.net.
.                       5628    IN      NS      e.root-servers.net.
.                       5628    IN      NS      f.root-servers.net.
.                       5628    IN      NS      g.root-servers.net.
.                       5628    IN      NS      h.root-servers.net.
.                       5628    IN      NS      i.root-servers.net.
.                       5628    IN      NS      j.root-servers.net.
.                       5628    IN      NS      k.root-servers.net.
.                       5628    IN      NS      l.root-servers.net.
.                       5628    IN      NS      m.root-servers.net.
.                       5628    IN      NS      a.root-servers.net.
.                       5628    IN      NS      b.root-servers.net.
.                       5628    IN      RRSIG   NS 8 0 518400 20200406200000 20200324190000 33853 . tg7NjfyAN7TNdARqp5cggnQ9Pr3d4vHp+c8/Pr1AnRBAO24ey0aQSqQg B1HBumh5axiil9zx02+yDyYnNPHZNCJ3bspY29rsop0MEUDrIQu0Vqxb mgbJ6i/Ms1RDvOzqyJvT78in2k0ybltRvhuFDf3mNu3+nGelblaUUxhb hOySK7NNjJivEtT0mHGAQDwb6rTlybjDhIKf0o6Nm5c+tArt9cUrAU7P k9xcl2K2TXaxy7ChflGWXhM84Fldc1vZUww4QnyfrWgphNu0uO/pCaxT t7ZsRd4AZcNZN2by+sSEqFhbYe8LPYQjoMrcTygOqr+GalF8qKu0AFTa PN8beQ==
;; Received 576 bytes from 127.0.2.1#53(127.0.2.1) in 0 ms

ga.                     172800  IN      NS      a.ns.ga.
ga.                     172800  IN      NS      b.ns.ga.
ga.                     172800  IN      NS      c.ns.ga.
ga.                     172800  IN      NS      d.ns.ga.
ga.                     86400   IN      NSEC    gal. NS RRSIG NSEC
ga.                     86400   IN      RRSIG   NSEC 8 1 86400 20200407050000 20200325040000 33853 . S/S78+RDSjQaQrTRQX5n67Dtp49cE4cZFgu3p2eGNykROGUqFdw0Sa90 dbZrACpy1cPU9HEaI1J/AHf7G6D5aD2eI3bMGofrGYGbVzSLAQKpXxHW HBe249hLQqy1bZveENtEvHSz1V8CHwl5Hi6FDPWQYU2KKD8703S7dBvK xi+A3RjtQ7UWk2G0oDhBUAOmBd5zkZF1oZ5lj6scilfQ6RClTwU33pGb J6Bv5mhmiaJvv/BiQkLSUS8/zbecp1POUD+C6iBPfN3vcuaIC/h4SAs0 /Eg/KctzNqwaFaF4jx2WTnLT9Z80OB2AoLrSlmmQenxNt29p3Vrzq+Y3 i6H4ow==
;; Received 639 bytes from 2001:500:a8::e#53(e.root-servers.net) in 101 ms

certbot-route53-test.ga. 300    IN      NS      ns-1845.awsdns-38.co.uk.
certbot-route53-test.ga. 300    IN      NS      ns-1229.awsdns-25.org.
;; Received 156 bytes from 2a04:1b00:e::1#53(c.ns.ga) in 411 ms

vault.certbot-route53-test.ga. 300 IN   NS      ns-116.awsdns-14.com.
vault.certbot-route53-test.ga. 300 IN   NS      ns-1182.awsdns-19.org.
vault.certbot-route53-test.ga. 300 IN   NS      ns-1604.awsdns-08.co.uk.
vault.certbot-route53-test.ga. 300 IN   NS      ns-861.awsdns-43.net.
;; Received 224 bytes from 205.251.199.53#53(ns-1845.awsdns-38.co.uk) in 13 ms

skywalker.vault.certbot-route53-test.ga. 300 IN NS ns-1332.awsdns-38.org.
skywalker.vault.certbot-route53-test.ga. 300 IN NS ns-1593.awsdns-07.co.uk.
skywalker.vault.certbot-route53-test.ga. 300 IN NS ns-388.awsdns-48.com.
skywalker.vault.certbot-route53-test.ga. 300 IN NS ns-936.awsdns-53.net.
;; Received 224 bytes from 2600:9000:5300:7400::1#53(ns-116.awsdns-14.com) in 67 ms

_acme-challenge.skywalker.vault.certbot-route53-test.ga. 10 IN TXT "8hvv02jAlE6iE8aoCR5egfGuiVDhoHw8eIG1OEXXJbM"
skywalker.vault.certbot-route53-test.ga. 172800 IN NS ns-1332.awsdns-38.org.
skywalker.vault.certbot-route53-test.ga. 172800 IN NS ns-1593.awsdns-07.co.uk.
skywalker.vault.certbot-route53-test.ga. 172800 IN NS ns-388.awsdns-48.com.
skywalker.vault.certbot-route53-test.ga. 172800 IN NS ns-936.awsdns-53.net.
;

i found out that the ns records were wrong, not sure how that happened, but the root domain did not have the correct ns servers for the subdomain. I was able to successfully create a cert - thanks for your help!

2 Likes