Please deploy a DNS TXT record under the name
_acme-challenge.turbine2.co.uk with the following value:
p-K-AEs7cujrFx_LuVth1T7SkhNO7ZlV8rJLwmUNi-0
Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. turbine2.co.uk (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "i53uC_2HsqxmlQnW_VDJgPKa5kIe7k8Y6o46y1MgSp8" found at _acme-challenge.turbine2.co.uk
My web server is (include version): Apache 2.4 Debian
The operating system my web server runs on is (include version): Raspbian 5.4.51-v7+ #1327 SMP Thu Jul 23 10:58:46 BST 2020 armv7l
My hosting provider, if applicable, is: 123-reg (for DNS, home hosted for web)
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes (reg-123 control panel)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
I initially ran the same command to create the wildcard domain and this has worked successfully. It's come to renewal time and I've tried the command again but it's not accepting that I have updated the DNS _acme-challenge TXT record (judging by the output of the error).
How long do I need to give it between updating the DNS record and it propagating to where LetsEncrypt recognises the change? I've tried up to 45 minutes so far but of course each time I try it I have to update with a new random string.
Many thanks for the guidance,
David
The required TXT record entry will change every time you run certbot.
You need to pause the process while DNS is being updated and wait long enough for that change to synchronize through all your authoritative DNS servers before continuing to the next step.
Done this way, it is inherently a very manual process.
I would advise that you seek an automated solution to this process or you will be having to do this every couple of months.
The simplest would be if your DNS service provider allows for DNS updates via API.
You then need to use an ACME client that supports that API.
But even if that is not the case, you might be able to integrate such a solution with something like:
Thanks for that comprehensive answer, that website like you have provided has a lot of good information.
Originally I did use the named certificates but I moved to wildcard ones as I can use them for other internal devices as well (my NAS and printer for example).
The problem appears to be between the control panel updating the DNS and the update propagating out, as the TXT record in the control panel is different to that reported.
I guess I am just going to have to be a lot more patient with moving to the next stage after the update.
Thanks for that. I will look into automating it once I have the update done. I just need to work out how long to delay the step between updating the DNS entry and letting it check.
Great, so I've updated the txt record, looking at the TTL it's a 24 hour propagation as I understand it, but the "Press enter to continue" prompt times out.
Guess I'm going to have to look deeper into the automation route.
That TTL is the time for DNS servers to cache that entry after they have resolved it.
The time it takes for all the authoritative servers of your zone to synchronize is what needs to be found.
And also knowing how long certbot will wait for Enter would be good to know too.
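The two replies above make the same point: the TTL on the record says nothing about propagation, and what matters is whether every authoritative nameserver for the zone already serves the new `_acme-challenge` token, because the CA may query any of them. The following script is an added example (not from this thread, and not part of certbot) that asks each authoritative server directly with `dig`, bypassing caches, and only reports success once all of them return the expected value. It assumes `dig` from the BIND utilities is installed on the certbot host; the nameserver names and answers in the embedded sample are constructed placeholders, not 123-reg's real servers, though the two tokens are the ones shown in the certbot output above. Run it before pressing Enter in the manual flow, or point certbot at it with `--manual-auth-hook` so the interactive prompt, and its timeout, are no longer involved (certbot passes the token in `CERTBOT_VALIDATION` and the base domain in `CERTBOT_DOMAIN`; the operator still has to create the record in the control panel).

```python
"""Check that every authoritative nameserver for a zone serves the expected
_acme-challenge TXT token before certbot is allowed to continue.

Assumptions (not from the thread): `dig` is installed; nameserver names in
the sample data are constructed placeholders.
"""
import os
import re
import subprocess
import sys
import time
from typing import Callable, Dict, List, Optional


def parse_short_txt(output: str) -> List[str]:
    """Parse `dig +short ... TXT` output into a list of TXT record values.

    dig prints each record as one or more "quoted" strings; a record longer
    than 255 octets is split into several strings that must be concatenated.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        records.append("".join(parts).replace('\\"', '"') if parts else line)
    return records


def dig_short(name: str, rtype: str, server: Optional[str] = None) -> List[str]:
    """Query one record type, optionally at a specific server (needs network)."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    if rtype == "TXT":
        return parse_short_txt(out)
    return [l.strip().rstrip(".") for l in out.splitlines() if l.strip()]


def fetch_live(zone: str) -> Dict[str, List[str]]:
    """Ask each authoritative NS of `zone` for the challenge record directly,
    so recursive-resolver caches (and the record's TTL) play no part."""
    name = "_acme-challenge." + zone
    return {ns: dig_short(name, "TXT", ns) for ns in dig_short(zone, "NS")}


def check_challenge(expected: str, answers_by_server: Dict[str, List[str]]):
    """Return (all_ok, per-server verdicts).

    Every authoritative server must return the expected token: if even one
    still serves a stale value, the CA may query that one and fail with the
    'Incorrect TXT record' error seen in the thread.
    """
    report = {srv: expected in vals for srv, vals in answers_by_server.items()}
    return bool(report) and all(report.values()), report


def wait_for_token(expected: str, fetch: Callable[[], Dict[str, List[str]]],
                   poll_seconds: int = 30, timeout: int = 1800,
                   sleep=time.sleep, clock=time.monotonic) -> bool:
    """Poll until all authoritative servers serve `expected`; False on timeout."""
    deadline = clock() + timeout
    while True:
        ok, report = check_challenge(expected, fetch())
        if ok:
            return True
        if clock() >= deadline:
            return False
        stale = [srv for srv, good in report.items() if not good]
        print("still waiting on: " + ", ".join(stale), file=sys.stderr)
        sleep(poll_seconds)


if __name__ == "__main__":
    # As a certbot --manual-auth-hook, CERTBOT_DOMAIN and CERTBOT_VALIDATION
    # are set; otherwise take zone and token from the command line.
    zone = os.environ.get("CERTBOT_DOMAIN") or sys.argv[1]
    token = os.environ.get("CERTBOT_VALIDATION") or sys.argv[2]
    print("Set TXT for _acme-challenge.%s to: %s" % (zone, token))
    sys.exit(0 if wait_for_token(token, lambda: fetch_live(zone)) else 1)
```

Querying the authoritative servers by name rather than through the local resolver is the whole point: the resolver would happily hand back a cached answer for the full TTL, which is the 24-hour figure mentioned above, while the CA's own resolvers go to the authoritative servers and see whatever 123-reg has actually published there.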
Looking into this and it appears that the problem is with 123-Reg not updating their nameservers from the control panel (just got to get them to admit / recognise this now).
Thanks for all the help everyone.