I am unable to generate a certificate for my OVH domain using DNS validation (I could a couple of months ago but not anymore). I have transferred the DNS servers to Cloudflare. The TXT records are created fine (I can see them in the Cloudflare dashboard) but it seems the certificate authority cannot access them.
My domain is: rosalyn.ovh
I ran this command: docker run -it --rm --name certbot -v "/root/certbot/certs:/etc/letsencrypt" -v "/root/certbot/cloudflare.ini:/cloudflare.ini" certbot/dns-cloudflare certonly --dns-cloudflare --dns-cloudflare-credentials /cloudflare.ini -m email@example.com --agree-tos --no-eff-email --dns-cloudflare-propagation-seconds 20 --cert-name rosalyn.ovh -d "*.rosalyn.ovh"
It produced this output:
Plugins selected: Authenticator dns-cloudflare, Installer None
Requesting a certificate for *.rosalyn.ovh
Performing the following challenges:
dns-01 challenge for rosalyn.ovh
Unsafe permissions on credentials configuration file: /cloudflare.ini
Waiting 20 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain rosalyn.ovh
dns-01 challenge for rosalyn.ovh
Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
Detail: No TXT record found at _acme-challenge.rosalyn.ovh
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-cloudflare. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-cloudflare-propagation-seconds (currently 20 seconds).
Cleaning up challenges
Some challenges have failed.
My hosting provider: I am using OVH, transferred to Cloudflare
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.27.0
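The CA's hint above ("Ensure the above domains are hosted by this DNS provider") points at the check worth doing first: ask the nameservers the domain is actually delegated to, directly, for the `_acme-challenge` TXT name, because that is the lookup the CA performs, independent of what any dashboard shows. The following is an added example, not code from certbot, Cloudflare or anyone in this thread; it is a minimal stdlib-only DNS client, and the nameserver addresses and the token certbot just published are supplied by the caller.

```python
"""Query nameservers directly for the _acme-challenge TXT name, the same
lookup the CA performs during dns-01 validation. Added example with a
minimal stdlib DNS client; not certbot's or Cloudflare's code."""
import random
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Standard query for TXT <name> with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_txt_records(msg):
    """Return the TXT strings found in the answer section of a response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    txts = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_TXT:
            continue
        parts, p = [], 0
        while p < len(rdata):  # TXT rdata is a sequence of <len><chars>
            n = rdata[p]
            parts.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
            p += 1 + n
        txts.append("".join(parts))
    return txts


def build_txt_response(query, txts):
    """Constructed authoritative response to <query> carrying <txts>;
    used only to exercise the parser offline."""
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, len(txts), 0, 0)
    answers = b""
    for txt in txts:
        data = bytes([len(txt)]) + txt.encode("ascii")
        answers += struct.pack("!H", 0xC00C)  # name = pointer to the question
        answers += struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(data)) + data
    return header + question + answers


def query_txt(server, name, timeout=3.0):
    """Ask one nameserver directly over UDP (what `dig @server name TXT` does)."""
    q = build_query(name, random.randrange(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        msg, _ = s.recvfrom(4096)
    if msg[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_txt_records(msg)


def check_challenge(domain, expected, servers, lookup=query_txt):
    """Per server: 'ok' when the expected token is served, 'stale only'
    when only other tokens are, 'no TXT record' when the name is empty."""
    name = f"_acme-challenge.{domain}"
    report = {}
    for server in servers:
        try:
            txts = lookup(server, name)
        except (OSError, ValueError) as exc:
            report[server] = f"error: {exc}"
            continue
        if expected in txts:
            report[server] = "ok" if len(txts) == 1 else "ok (plus stale tokens)"
        elif txts:
            report[server] = f"stale only: {txts}"
        else:
            report[server] = "no TXT record"
    return report
# usage: check_challenge("rosalyn.ovh", "<token certbot published>",
#                        ["<ip of ns1>", "<ip of ns2>"])  # placeholders
```

Run it once against the Cloudflare nameservers assigned to the zone and once against the old OVH ones while certbot is waiting in its propagation window (a larger `--dns-cloudflare-propagation-seconds` gives time for that). A server that answers `no TXT record` or `stale only` while the dashboard shows the new token is the one the CA is hitting, and that tells you whether the delegation or the zone data is the problem.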
@Osiris many thanks for your help! Do you know how I can remove the TXT records on the domain? I cannot see them in the Cloudflare dashboard and I don't know how to remove them.
EDIT: After some digging, the only way that occurs to me to delete these phantom TXT records is to reset the whole DNS zone in the OVH manager, hope that it resets all records, and then re-attach the DNS to Cloudflare. I am unwilling to do it as I don't know if I will lose all my Cloudflare config doing that.
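Before resetting the zone at OVH, it is worth asking Cloudflare's API directly what it holds under `_acme-challenge`, since that is the data its nameservers serve regardless of what the dashboard filter shows. The script below is an added example, not certbot's own cleanup code; it assumes the API token from `cloudflare.ini` (the `dns_cloudflare_api_token` value certbot uses, which needs Zone:DNS:Edit) and uses only the documented v4 endpoints for listing zones, listing DNS records and deleting a record. If the list comes back empty while nameservers still answer with stale tokens, those answers are not coming from this Cloudflare zone, which points at the delegation rather than at Cloudflare's data.

```python
"""List, and optionally delete, the dns-01 TXT records under
_acme-challenge.<domain> as the Cloudflare API sees the zone.
Added example, not certbot's cleanup; assumes a token with Zone:DNS:Edit."""
import json
import sys
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def api_call(token, method, path, params=None):
    """One authenticated request; returns the decoded JSON body and raises
    if the API reports success=false."""
    url = API + path + ("?" + urllib.parse.urlencode(params) if params else "")
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body


def find_challenge_records(domain, token, call=api_call):
    """Return (zone_id, [(record_id, content), ...]) for TXT
    _acme-challenge.<domain>. `call` is injectable so the logic can be
    exercised without network access."""
    zones = call(token, "GET", "/zones", {"name": domain})["result"]
    if not zones:
        raise LookupError(f"token has no access to a zone named {domain}")
    zone_id = zones[0]["id"]
    recs = call(token, "GET", f"/zones/{zone_id}/dns_records",
                {"type": "TXT", "name": f"_acme-challenge.{domain}"})["result"]
    return zone_id, [(r["id"], r["content"]) for r in recs]


def delete_records(zone_id, record_ids, token, call=api_call):
    """Delete each record id in the zone; returns the number deleted."""
    for rid in record_ids:
        call(token, "DELETE", f"/zones/{zone_id}/dns_records/{rid}")
    return len(record_ids)


def cleanup(domain, token, delete=False, call=api_call):
    """Print what Cloudflare holds under _acme-challenge and, with
    delete=True, remove it. Returns counts so a caller can check them."""
    zone_id, recs = find_challenge_records(domain, token, call)
    for rid, content in recs:
        print(f"{rid}  TXT _acme-challenge.{domain}  {content}")
    removed = 0
    if delete:
        removed = delete_records(zone_id, [rid for rid, _ in recs], token, call)
    return {"found": len(recs), "removed": removed}


if __name__ == "__main__":
    # usage: python cf_acme_cleanup.py rosalyn.ovh <api-token> [--delete]
    print(cleanup(sys.argv[1], sys.argv[2], delete="--delete" in sys.argv[3:]))
```

Run it without `--delete` first; only the listed `_acme-challenge` TXT records are ever touched, so the DMARC, DKIM and SPF records stay as they are.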
And then I adopted the domain in Cloudflare. It seemed to work fine, as I can change the IP in the A name from the Cloudflare dashboard and it works. Also, I can create new CNAMEs in Cloudflare, and they also seem to work.
The thing is that in the Cloudflare dashboard I cannot see any TXT record (other than these):
| Type | Name | Content | Proxy status |
|---|---|---|---|
| TXT | _dmarc | v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s | DNS only |
| TXT | *._domainkey | v=DKIM1; p= | DNS only |
| TXT | rosalyn.ovh | v=spf1 -all | DNS only |
In the middle of the credential negotiation, I can see them created though so certbot is able to add the TXT records.
I have created the ticket, but I guess I am a free user and no one from Cloudflare support has replied to it. I am really out of ideas and considering deleting the Cloudflare domain, going back to OVH and then re-creating all the steps again. However, I am afraid the records will still be there. The other option is just to discard this domain and buy another one. :?
This seems like hard work and perhaps a bit drastic. If you have access to a Windows machine you could try my app (at the risk of self promotion) https://certifytheweb.com - if you install it and set up the same certificate with Cloudflare selected (under Authorization > (DNS) > Cloudflare), then add the credentials as required. Running this request successfully (or even if it fails) should clean up the _acme-challenge TXT record. Might be worth a try anyway.
Many thanks for your help. I did try to use your suggestion (certifytheweb). It successfully created the TXT records but failed to generate the certificates (as all my other attempts with other software). The stale _acme-challenge.rosalyn.ovh records are still there.