Unable to generate certificate: Certificate Authority failed to verify the DNS TXT record

Hello,

I am unable to generate a certificate for my OVH domain using DNS validation (I could a couple of months ago but not anymore). I have transferred the DNS servers to Cloudflare. The TXT records are created fine (I can see them in the Cloudflare dashboard) but it seems the certificate authority cannot access them.

My domain is: rosalyn.ovh

I ran this command: docker run -it --rm --name certbot -v "/root/certbot/certs:/etc/letsencrypt" -v "/root/certbot/cloudflare.ini:/cloudflare.ini" certbot/dns-cloudflare certonly --dns-cloudflare --dns-cloudflare-credentials /cloudflare.ini -m mail@gmail.com --agree-tos --no-eff-email --dns-cloudflare-propagation-seconds 20 --cert-name rosalyn.ovh -d "*.rosalyn.ovh"

It produced this output:

Plugins selected: Authenticator dns-cloudflare, Installer None
Requesting a certificate for *.rosalyn.ovh
Performing the following challenges:
dns-01 challenge for rosalyn.ovh
Unsafe permissions on credentials configuration file: /cloudflare.ini
Waiting 20 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain rosalyn.ovh
dns-01 challenge for rosalyn.ovh

Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
Domain: rosalyn.ovh
Type: unauthorized
Detail: No TXT record found at _acme-challenge.rosalyn.ovh

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-cloudflare. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-cloudflare-propagation-seconds (currently 20 seconds).

Cleaning up challenges
Some challenges have failed.

My hosting provider: I am using OVH transferred to Cloudflare

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.27.0

I am out of ideas, can anyone help? Thanks

There is a humongous number of TXT records for that hostname when I dig it. Unbound is complaining about truncated messages: https://unboundtest.com/m/TXT/_acme-challenge.rosalyn.ovh/3VKS454P

Try to clean up the old TXT records and try again. And if that works, you should probably try to find out why the old TXT RRs aren't removed properly.

3 Likes
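As an added example (not from any post in this thread), a small Python pre-flight check that estimates the wire size of the TXT answer a resolver would receive for an _acme-challenge name and flags when leftover records would push it past the plain-UDP or the common EDNS payload limit, which is the truncation Unbound complained about above. The size constants, the token shape and the sample record values are assumptions/constructed, not taken from the thread.

```python
"""Added pre-flight check: estimate the DNS wire size of a TXT answer for an
_acme-challenge name and flag when stale records would force a truncated (TC)
UDP reply. Constants and sample records below are assumptions/constructed."""
import re

PLAIN_UDP_MAX = 512     # RFC 1035 UDP payload limit without EDNS
EDNS_UDP_MAX = 1232     # widely used EDNS buffer size (DNS flag day 2020)
# ACME DNS-01 values are 43-char base64url SHA-256 digests (assumed shape)
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def wire_name_len(name: str) -> int:
    """Uncompressed wire length: 1 length byte per label plus the root byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def txt_answer_size(name: str, txt_values: list) -> int:
    """Bytes in a minimal response: 12-byte header, question (name+type+class),
    then per RR a 2-byte compression pointer, type 2, class 2, TTL 4,
    RDLENGTH 2 and RDATA (1 length byte + text; values here are < 256 bytes)."""
    size = 12 + wire_name_len(name) + 4
    for value in txt_values:
        size += 2 + 2 + 2 + 4 + 2 + 1 + len(value.encode())
    return size


def check_acme_txt(name: str, observed: list, expected_token=None) -> dict:
    """Summarise what a validating resolver would see for this name."""
    stale = [v for v in observed if TOKEN_RE.match(v) and v != expected_token]
    size = txt_answer_size(name, observed)
    return {
        "records": len(observed),
        "stale_tokens": len(stale),
        "wire_bytes": size,
        "truncates_plain_udp": size > PLAIN_UDP_MAX,
        "truncates_edns": size > EDNS_UDP_MAX,
        "expected_present": (expected_token in observed) if expected_token else None,
    }


# Constructed sample: 40 leftover tokens from earlier runs plus the current one
SAMPLE_NAME = "_acme-challenge.rosalyn.ovh"
SAMPLE_STALE = [f"stale{i:02d}".ljust(43, "x") for i in range(40)]
SAMPLE_EXPECTED = "current".ljust(43, "y")

if __name__ == "__main__":
    for label, recs in (("clean", [SAMPLE_EXPECTED]),
                        ("stale", SAMPLE_STALE + [SAMPLE_EXPECTED])):
        print(label, check_acme_txt(SAMPLE_NAME, recs, SAMPLE_EXPECTED))
```

Feed it the TXT values returned by `dig _acme-challenge.<domain> TXT` before running certbot; a non-zero stale count or a truncation flag means the zone needs cleaning up first.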

@Osiris many thanks for your help! Do you know how I can remove the TXT records on the domain? I cannot see them in the Cloudflare dashboard and I don't know how to remove them.

EDIT: After some digging, the only way that occurs to me to delete these phantom TXT records is to reset the whole DNS zone in the OVH manager, hope that it resets all records and then re-attach the DNS to Cloudflare. I am unwilling to do it as I don't know if I will lose all my Cloudflare config doing that.

1 Like

If I do a dig +trace _acme-challenge.rosalyn.ovh TXT, I can see that the TXT RRs are coming from a Cloudflare DNS server. How is the DNS zone in your OVH manager connected to that?

2 Likes

I followed the instructions, basically changed the DNS servers in OVH to point to the Cloudflare ones. This is how it looks on the OVH manager:

And then I adopted the domain in Cloudflare. It seemed to work fine as I can change the IP in the A name from the Cloudflare dashboard and it works. Also, I can create new CNAMEs in Cloudflare, and they also seem to work.

The thing is that in the Cloudflare dashboard I cannot see any TXT record (other than these).

TXT   _dmarc       v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; DNS only
TXT   *._domainkey v=DKIM1; p=                                     DNS only
TXT   rosalyn.ovh  v=spf1 -all                                     DNS only

In the middle of the credential negotiation, I can see them created though so certbot is able to add the TXT records.

Log in to Cloudflare and delete the _acme-challenge record for your domain using the DNS section of the site. You can forget the OVH DNS page because that doesn't matter anymore.

If you definitely cannot see the TXT record, contact Cloudflare support - there could be a limitation in their web dashboard.

4 Likes

Thanks,

I have created the ticket but I guess I am a free user and no one from Cloudflare support has replied to it. I am really out of ideas and considering deleting the Cloudflare domain, going back to OVH and then re-creating all steps again. However, I am afraid the records will still be there. The other option is just to discard this domain and buy another one. :?

1 Like

This seems like hard work and perhaps a bit drastic. If you have access to a Windows machine you could try my app (at the risk of self promotion) https://certifytheweb.com - if you install it and set up the same certificate with Cloudflare selected (under Authorization > (DNS) > Cloudflare), then add the credentials as required. Running this request successfully (or even if it fails) should clean up the _acme-challenge TXT record. Might be worth a try anyway.

It sounds like there's a chance Cloudflare might be creating this record sometimes for their own cert process, so maybe add your comment to this forum post: Enormous copies of TXT _acme-challenge records - #3 by ceremeo - 1.1.1.1 - Cloudflare Community

2 Likes

Many thanks for your help. I did try to use your suggestion (certifytheweb). It successfully created the TXT records but failed to generate the certificates (as all my other attempts with other software). The stale _acme-challenge.rosalyn.ovh records are still there.

Thanks anyways!

3 Likes

Ah, that's a shame, definitely see if you can escalate this with Cloudflare.

3 Likes

Just for the record, Cloudflare support responded to my ticket and they could remove the stale TXT records. All working on my domain again. Thanks to all that jumped in and helped.

3 Likes