Unable to Auth through DNS TXT record

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 1.livedance.stream -- http://1.livedance.stream:8080/stream/test.html to see the site kinda works (I have something else on port 80)

I ran this command:

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns-01 --debug-challenges -d 1.livedance.stream --dry-run --staging

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for 1.livedance.stream

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about

Press Enter to Continue

Then I check the logs and am guessing it is requesting this TXT record added:

"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/10763565834/S5lhRA",
"token": "lfwLwg7wEhjwj6NwkJtXzFEmZnF7bl9eTUDJ36PGF-U"

dig -t txt _acme-challenge.1.livedance.stream shows me the correct TXT record

_acme-challenge.1.livedance.stream. 300 IN TXT "lfwLwg7wEhjwj6NwkJtXzFEmZnF7bl9 eTUDJ36PGF-U"

I get this after Enter:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: 1.livedance.stream
Type: unauthorized
Detail: Incorrect TXT record "lfwLwg7wEhjwj6NwkJtXzFEmZnF7bl9eTUDJ36PGF-U" found at _acme-challenge.1.livedance.stream

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.


"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record "lfwLwg7wEhjwj6NwkJtXzFEmZnF7bl9eTUDJ36PGF-U" found at _acme-challenge.1.livedance.stream",
"status": 403

My web server is (include version): Nginx 1.17.10

The operating system my web server runs on is (include version): Centos 8

My hosting provider, if applicable, is: I run my own servers at home

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ?? I guess I do most on the back end

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Any ideas on why I could be failing the DNS TXT record check? or am I putting in the wrong record because I can't find what it is actually looking for IE could it be the Replay-Nonce instead?

(I had Certbot show me the desired TXT record the first time I tested it, but I did do my DNS record incorrectly the first time, and now it wont show me in SSH the record so I am hunting for it in the logs)

Why are you using this? This hook is for people who are using the acme-dns service (which really should be done with your own self-hosted server), which you clearly aren't doing. So where did you get the idea that you should include this as part of the command to obtain a cert?


Hello danb35,

Thank you for looking into this and the quick reply.

The server is hosted by me here in my garage, but the reason I am trying some work around is I can't get port 80 open to this box due to a different project. So I was hoping to authorize the domain just using DNS records instead.

Read on some form that was the way to do it over on stackover flow.

I just reinitiated a request cutting that out and it looks like this might work!
(this looks a lot more familiar, I defiantly dived into the wrong rabbit hole)

I will let you know in a little

1 Like

danb35, you sir are a wizard and scholar! Thank you so much!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.