Unable to renew wildcard certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: glorytoyah.org

I ran this command:
sudo certbot certonly --manual -d *.glorytoyah.org -d glorytoyah.org --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for glorytoyah.org
dns-01 challenge for glorytoyah.org

Please deploy a DNS TXT record under the name
_acme-challenge.glorytoyah.org with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue

Please deploy a DNS TXT record under the name
_acme-challenge.glorytoyah.org with the following value:


Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. glorytoyah.org (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “BtB1XE0kfNmogdGEvkoUZ9F_YqIvVZ8oFE6iuNIYRhs” (and 1 more) found at _acme-challenge.glorytoyah.org


  • The following errors were reported by the server:

    Domain: glorytoyah.org
    Type: unauthorized
    Detail: Incorrect TXT record
    “BtB1XE0kfNmogdGEvkoUZ9F_YqIvVZ8oFE6iuNIYRhs” (and 1 more) found at

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): TOMCAT3

The operating system my web server runs on is (include version): UBUNTU 18.04

My hosting provider, if applicable, is: Network Solutions

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I follow the steps, I wait for the txt records to be created but I only getting the error listed above, how do I get around this?

1 Like

It looks like you added one of the records (BtB1XE0kfNmogdGEvkoUZ9F_YqIvVZ8oFE6iuNIYRhs), but not the other one (grN_6TMc1y1QZrxkCHFNq_lSpowsA_CM3ykAlBDzrGw).

Or at least, if you did add the second one, it still hasn’t been applied on the worldnic nameservers.

1 Like

Both records were showing in my DNS with Network Solutions. see the comment " (and 1 more) found at _acme-challenge.glorytoyah.org" ? The second record is there, somehow it continues to return type unauthorized.

Hi @HMiles

there are two records. But one is wrong - see https://check-your-website.server-daten.de/?q=glorytoyah.org#txt


is there, but

doesn’t exist. Instead, there is a wrong / old entry.


Ok thanks, I don’t know how that old record is there. I actually deleted all old records and reupdated (for the fifth time). But I will start over as I don’t think there is a way to make cerbot use an existing record for verification.

1 Like

They aren’t deleted:

D:\temp>nslookup -type=TXT _acme-challenge.glorytoyah.org.

_acme-challenge.glorytoyah.org text =


_acme-challenge.glorytoyah.org text =


Looks like you use the wrong dns server. ns39.worldnic.com is one.


Thanks for the help, I got it to work by using a network solutions DNS server.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.