Verify error:During secondary validation: No TXT record found at _acme-challenge

Hi,

After successfully installing a wildcard certificate on 3 servers with acme.sh, I got a strange error:

  • I got a success for the domain:

[..., 15:01:25 (UTC+0200)] Verifying: example.com
[..., 15:01:28 (UTC+0200)] Success

  • Then, just after, within the same command, a failure for the wildcard!?

[..., 15:01:28 (UTC+0200)] Verifying: *.example.com
[..., 15:01:31 (UTC+0200)] *.example.com:Verify error:During secondary validation: No TXT record found at _acme-challenge.example.com

The same command (with the same domain and wildcard) didn't fail on the other servers!?

Do you have an idea?


Here is the complete log:

# ~/.acme.sh/acme.sh --issue --dns dns_nsupdate --renew-hook "pm2 restart all" -d example.com -d '*.example.com'

[..., 14:59:07 (UTC+0200)] Creating domain key
[..., 14:59:07 (UTC+0200)] The domain key is here: /root/.acme.sh/example.com/example.com.key
[..., 14:59:07 (UTC+0200)] Multi domain='DNS:example.com,DNS:*.example.com'
[..., 14:59:07 (UTC+0200)] Getting domain auth token for each domain
[..., 14:59:10 (UTC+0200)] Getting webroot for domain='example.com'
[..., 14:59:10 (UTC+0200)] Getting webroot for domain='*.example.com'
[..., 14:59:10 (UTC+0200)] Adding txt value: RgERUAJ1T4BbqbcOw8940s8pc-jUmNx6VykxXcDJt5U for domain:  _acme-challenge.example.com
[..., 14:59:10 (UTC+0200)] adding _acme-challenge.example.com. 60 in txt "RgERUAJ1T4BbqbcOw8940s8pc-jUmNx6VykxXcDJt5U"
[..., 14:59:10 (UTC+0200)] The txt record is added: Success.
[..., 14:59:10 (UTC+0200)] Adding txt value: 6jJYVrxMHpE26UQEROcwoZFWnLDKMBF3dBbkvfiaAEM for domain:  _acme-challenge.example.com
[..., 14:59:10 (UTC+0200)] adding _acme-challenge.example.com. 60 in txt "6jJYVrxMHpE26UQEROcwoZFWnLDKMBF3dBbkvfiaAEM"
[..., 14:59:10 (UTC+0200)] The txt record is added: Success.
[..., 14:59:10 (UTC+0200)] Let's check each dns records now. Sleep 20 seconds first.
[..., 14:59:31 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 14:59:31 (UTC+0200)] Domain example.com '_acme-challenge.example.com' success.
[..., 14:59:31 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 14:59:31 (UTC+0200)] Not valid yet, let's wait 10 seconds and check next one.
[..., 14:59:43 (UTC+0200)] Let's wait 10 seconds and check again.
[..., 14:59:54 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 14:59:54 (UTC+0200)] Already success, continue next one.
[..., 14:59:54 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 14:59:54 (UTC+0200)] Not valid yet, let's wait 10 seconds and check next one.
[..., 15:00:06 (UTC+0200)] Let's wait 10 seconds and check again.
[..., 15:00:17 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 15:00:17 (UTC+0200)] Already success, continue next one.
[..., 15:00:17 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 15:00:17 (UTC+0200)] Not valid yet, let's wait 10 seconds and check next one.
[..., 15:00:28 (UTC+0200)] Let's wait 10 seconds and check again.
[..., 15:00:39 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 15:00:39 (UTC+0200)] Already success, continue next one.
[..., 15:00:39 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 15:00:39 (UTC+0200)] Not valid yet, let's wait 10 seconds and check next one.
[..., 15:00:50 (UTC+0200)] Let's wait 10 seconds and check again.
[..., 15:01:01 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 15:01:01 (UTC+0200)] Already success, continue next one.
[..., 15:01:01 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 15:01:02 (UTC+0200)] Not valid yet, let's wait 10 seconds and check next one.
[..., 15:01:13 (UTC+0200)] Let's wait 10 seconds and check again.
[..., 15:01:24 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 15:01:24 (UTC+0200)] Already success, continue next one.
[..., 15:01:24 (UTC+0200)] Checking example.com for _acme-challenge.example.com
[..., 15:01:25 (UTC+0200)] Domain example.com '_acme-challenge.example.com' success.
[..., 15:01:25 (UTC+0200)] All success, let's return
[..., 15:01:25 (UTC+0200)] Verifying: example.com
[..., 15:01:28 (UTC+0200)] Success
[..., 15:01:28 (UTC+0200)] Verifying: *.example.com
[..., 15:01:31 (UTC+0200)] *.example.com:Verify error:During secondary validation: No TXT record found at _acme-challenge.example.com
[..., 15:01:31 (UTC+0200)] Removing DNS records.
[..., 15:01:31 (UTC+0200)] Removing txt: RgERUAJ1T4BbqbcOw8940s8pc-jUmNx6VykxXcDJt5U for domain: _acme-challenge.example.com
[..., 15:01:31 (UTC+0200)] removing _acme-challenge.example.com. txt
[..., 15:01:31 (UTC+0200)] Removed: Success
[..., 15:01:31 (UTC+0200)] Removing txt: 6jJYVrxMHpE26UQEROcwoZFWnLDKMBF3dBbkvfiaAEM for domain: _acme-challenge.example.com
[..., 15:01:31 (UTC+0200)] removing _acme-challenge.example.com. txt
[..., 15:01:31 (UTC+0200)] Removed: Success
[..., 15:01:31 (UTC+0200)] Please add '--debug' or '--log' to check more details.
[..., 15:01:31 (UTC+0200)] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

On the DNS server, I got an error too, but I don't know if it's related:

Apr 14 15:50:41 ns named[21884]: zone example.com/IN: journal rollforward failed: journal out of sync with zone
Apr 14 15:50:41 ns named[21884]: zone example.com/IN: not loaded due to errors.


OK, now I have an earlier error... My DNS server seems not to respond to DNS UPDATE queries:

~/.acme.sh/acme.sh --issue --dns dns_nsupdate --renew-hook "service apache2 restart" -d example.com -d '*.example.com'

[mardi 14 avril 2020, 16:02:14 (UTC+0200)] Creating domain key
[mardi 14 avril 2020, 16:02:14 (UTC+0200)] The domain key is here: /root/.acme.sh/example.com/example.com.key
[mardi 14 avril 2020, 16:02:14 (UTC+0200)] Multi domain='DNS:example.com,DNS:*.example.com'
[mardi 14 avril 2020, 16:02:14 (UTC+0200)] Getting domain auth token for each domain
[mardi 14 avril 2020, 16:02:17 (UTC+0200)] Getting webroot for domain='example.com'
[mardi 14 avril 2020, 16:02:17 (UTC+0200)] Getting webroot for domain='*.example.com'
[mardi 14 avril 2020, 16:02:17 (UTC+0200)] Adding txt value: FZpsQplfrd36dok3Hg1vDXAYctXT05JY8JMA7dJ1DxQ for domain:  _acme-challenge.example.com
[mardi 14 avril 2020, 16:02:17 (UTC+0200)] adding _acme-challenge.example.com. 60 in txt "FZpsQplfrd36dok3Hg1vDXAYctXT05JY8JMA7dJ1DxQ"
response to SOA query was unsuccessful
[mardi 14 avril 2020, 16:02:17 (UTC+0200)] error updating domain
[mardi 14 avril 2020, 16:02:17 (UTC+0200)] Error add txt for domain:_acme-challenge.example.com
[mardi 14 avril 2020, 16:02:17 (UTC+0200)] Please add '--debug' or '--log' to check more details.
[mardi 14 avril 2020, 16:02:17 (UTC+0200)] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

For a wildcard certificate and the base domain there are two TXT records needed. So if your DNS service provider has issues, well, that’s a problem. Unfortunately nothing we can do about that.

Thanks Osiris for your response, but I finally found the problem's origin:

When bind9 is updated with DNS UPDATE, I mustn't edit the domain's zone manually. Otherwise the next DNS update fails and I get a message in syslog:

journal rollforward failed: journal out of sync with zone

When it occurs, to correct the problem, I need to:

# service bind9 stop
# rm /etc/bind/pri/example.com.jnl
# service bind9 start

To avoid the problem, before each edit:

# rndc freeze example.com
# vi /etc/bind/pri/example.com
# rndc reload example.com
# rndc thaw example.com
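The freeze / edit / thaw sequence and the journal repair above, wrapped as an added shell example (not the poster's own script). It assumes the thread's /etc/bind/pri layout and that rndc, named-checkzone and service are on PATH; the RNDC, CHECKZONE, SERVICE and ZONEDIR variables are assumed names that let you point it elsewhere (or at stubs).

```shell
#!/bin/sh
# Added example: hand-edit a dynamically updated bind9 zone without leaving
# the journal (.jnl) out of sync with the zone file.
RNDC=${RNDC:-rndc}
CHECKZONE=${CHECKZONE:-named-checkzone}
SERVICE=${SERVICE:-service}
ZONEDIR=${ZONEDIR:-/etc/bind/pri}   # assumed layout from the thread

# safe_zone_edit ZONE EDIT_CMD
#   freeze  -> flushes journal into the file, refuses nsupdate meanwhile
#   edit    -> EDIT_CMD is run with the zone file path as its last argument
#              (remember to bump the SOA serial in the edit)
#   check   -> named-checkzone must accept the edited file
#   thaw    -> reloads the file and re-enables dynamic (ACME DNS-01) updates
# On a bad edit the previous file is restored before thawing, so named never
# reloads a broken zone; the function then returns 1.
safe_zone_edit() {
    zone=$1
    edit=$2
    file="$ZONEDIR/$zone"

    "$RNDC" freeze "$zone" || return 2
    cp "$file" "$file.pre-edit"
    # $edit is deliberately unquoted so "sed -i s/a/b/" style commands work.
    if $edit "$file" && "$CHECKZONE" "$zone" "$file" >/dev/null; then
        status=0
    else
        echo "edit of $zone rejected, restoring $file" >&2
        cp "$file.pre-edit" "$file"
        status=1
    fi
    "$RNDC" thaw "$zone" || return 2
    return $status
}

# repair_journal ZONE
# Recovery for "journal rollforward failed: journal out of sync with zone":
# stop named, drop the stale journal, start again (the thread's fix).
repair_journal() {
    zone=$1
    "$SERVICE" bind9 stop || return 2
    rm -f "$ZONEDIR/$zone.jnl"
    "$SERVICE" bind9 start
}
```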

Does anyone know a good web interface to manage a DNS server (bind9) and stop editing zones manually?
