When checking the error message, DNS TXT cannot be verified

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hydra-key.com

I ran this command:
certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --email lastsmk@securitynet.co.kr -d *.hydra-key.com

It produced this output:


Please deploy a DNS TXT record under the name:

_acme-challenge.hydra-key.com.

with the following value:


Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: Dig (DNS lookup).
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: hydra-key.com
Type: dns
Detail: DNS problem: query timed out looking up TXT for _acme-challenge.hydra-key.com

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.


The operating system my web server runs on is (include version): Mac Monterey

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.19.0


This inquiry is translated from Korean to English.

Hello
We are inquiring about a problem while issuing a certificate through certbot.

When checking the error message, DNS TXT cannot be verified.

The DNS TXT record can be seen when _acme-challenge.hydra-key.com is looked up with Dig (DNS lookup).

It can be checked with Dig (DNS lookup), so I want to know why certbot prints that it cannot be verified.

Thank you.

Your nameservers give malformed responses to some queries.

It's possible that Let's Encrypt's resolvers don't like this.

Example of bad response:

$ dig @13.124.79.118 ns566820.hydraonservice.com
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.16.1-Ubuntu <<>> @13.124.79.118 ns566820.hydraonservice.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30430
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns566820.hydraonservice.com.   IN      A

;; ANSWER SECTION:
.                       0       CLASS4096 OPT   10 8 o0tUrY1VX0g=

;; Query time: 180 msec
;; SERVER: 13.124.79.118#53(13.124.79.118)
;; WHEN: Mon Nov 15 19:47:31 AEDT 2021
;; MSG SIZE  rcvd: 68

Disabling all EDNS options in the query makes it succeed:

$ dig +noedns @13.124.79.118 ns566820.hydraonservice.com

; <<>> DiG 9.16.1-Ubuntu <<>> +noedns @13.124.79.118 ns566820.hydraonservice.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13115
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns566820.hydraonservice.com.   IN      A

;; ANSWER SECTION:
ns566820.hydraonservice.com. 3600 IN    A       13.124.202.139

;; Query time: 180 msec
;; SERVER: 13.124.79.118#53(13.124.79.118)
;; WHEN: Mon Nov 15 19:49:23 AEDT 2021
;; MSG SIZE  rcvd: 61

This isn't normal behavior for a nameserver. EDNS compliance is required.
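The check in the reply above, as an added example that is not part of the original thread: a small dependency-free probe that builds an A query with and without an EDNS0 OPT pseudo-record, parses the reply, and flags a server that answers an EDNS query by putting the OPT record in the ANSWER section (what dig printed as ". 0 CLASS4096 OPT ..." and warned was a malformed packet). The two sample replies are constructed here to match the two dig outputs in the thread byte for byte (68 and 61 bytes); the nameserver name and the 13.124.x addresses are the ones quoted above, and the probe() helper needs network access and is only for a live test.

```python
import base64
import socket
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, edns=True, txid=0x1234):
    """RD=1 query; with edns=True an OPT RR (UDP payload 4096) goes in ADDITIONAL,
    which is where RFC 6891 puts it (the same query dig sends by default)."""
    msg = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack(">HH", qtype, CLASS_IN)
    if edns:
        # OPT: root owner name, type 41, "class" = payload size, "ttl" = ext-rcode/version/flags
        msg += b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # bounds pointer loops
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("too many labels or pointer loop")


def parse_response(msg):
    """Split a DNS message into header fields and per-section record lists."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated rdata")
            off += rdlen
            rrs.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
        sections[key] = rrs
    return {"id": txid, "flags": flags, "rcode": flags & 0xF, "questions": questions, **sections}


def classify_edns_response(msg):
    """'ok' for a normal reply; 'opt_in_answer' when the OPT RR was placed in
    ANSWER (the broken reply in the thread); 'unparseable' if it cannot be decoded."""
    try:
        resp = parse_response(msg)
    except (ValueError, struct.error):
        return "unparseable"
    if any(rr["type"] == TYPE_OPT for rr in resp["answer"]):
        return "opt_in_answer"
    return "ok"


def probe(server, qname, edns=True, timeout=3.0):
    """Live check (needs network): send the query over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, edns=edns), (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify_edns_response(reply), reply


# Constructed samples reproducing the two dig replies quoted in the thread.
QNAME = "ns566820.hydraonservice.com"
QUESTION = encode_name(QNAME) + struct.pack(">HH", TYPE_A, CLASS_IN)
_cookie = base64.b64decode("o0tUrY1VX0g=")  # the 8-byte COOKIE option dig printed
# Bad reply, 68 bytes: flags qr|aa|rd, ANCOUNT=1, but the only "answer" is the OPT RR.
BAD_RESPONSE = (struct.pack(">HHHHHH", 30430, 0x8500, 1, 1, 0, 0) + QUESTION
                + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0, 4 + len(_cookie))
                + struct.pack(">HH", 10, len(_cookie)) + _cookie)
# Good reply, 61 bytes: the A record, owner name compressed to a pointer at offset 12.
GOOD_RESPONSE = (struct.pack(">HHHHHH", 13115, 0x8500, 1, 1, 0, 0) + QUESTION
                 + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 3600, 4)
                 + socket.inet_aton("13.124.202.139"))

if __name__ == "__main__":
    for label, sample in (("EDNS reply", BAD_RESPONSE), ("+noedns reply", GOOD_RESPONSE)):
        print(label, len(sample), "bytes ->", classify_edns_response(sample))
```

To run it against a live server, call probe("13.124.79.118", QNAME) and probe("13.124.79.118", QNAME, edns=False) and compare the two classifications; a compliant authoritative server answers both with "ok", and a server that only passes the second is the case the reply above describes. A validating resolver such as Let's Encrypt's always sends EDNS (it needs it for DNSSEC and larger payloads), so a failure on the first probe is consistent with the "query timed out" error in the certbot output.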

