Wildcard certificate renew fails

Hi guys, I know how many times in our line of work we’ve heard “it worked some time ago and now it doesn’t” - but here I am :). 3-4 months ago the certificate renewed without any issues - now I can’t renew it any longer. No modifications were done on the server from what I can currently tell, certbot wasn’t updated.

My domain is: *.camlinrail.com

I ran this command: certbot renew

It produced this output:
Cert is due for renewal, auto-renewing…
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Renewing an existing certificate
/opt/letsencrypt/local/lib/python2.7/site-packages/josepy-1.0.1-py2.7.egg/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.

  • signer = key.signer(self.padding, self.hash)*
    Performing the following challenges:
    dns-01 challenge for camlinrail.com
    Starting new HTTPS connection (1): route53.amazonaws.com
    Waiting 10 seconds for DNS changes to propagate
    Waiting for verification…
    Cleaning up challenges
    Resetting dropped connection: route53.amazonaws.com
    Attempting to renew cert (camlinrail.com) from /etc/letsencrypt/renewal/camlinrail.com.conf produced an unexpected error: Failed authorization procedure. camlinrail.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “bwcJPk9MVJaIrp58aJuvLibsBRMx8-AggSSyOYQfDmw” found at _acme-challenge.camlinrail.com. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
  • /etc/letsencrypt/live/camlinrail.com/fullchain.pem (failure)*


The following certs are not due for renewal yet:

  • /etc/letsencrypt/live/dev.totuspro.com/fullchain.pem expires on 2019-11-16 (skipped)*
  • /etc/letsencrypt/live/server01.totuspro.com/fullchain.pem expires on 2019-10-18 (skipped)*
    All renewal attempts failed. The following certs could not be renewed:
  • /etc/letsencrypt/live/camlinrail.com/fullchain.pem (failure)*
    1 renew failure(s), 0 parse failure(s)


    • The following errors were reported by the server:*
  • Domain: camlinrail.com*

  • Type: unauthorized*

  • Detail: Incorrect TXT record*

  • “bwcJPk9MVJaIrp58aJuvLibsBRMx8-AggSSyOYQfDmw” found at*

  • _acme-challenge.camlinrail.com*

  • To fix these errors, please make sure that your domain name was*

  • entered correctly and the DNS A/AAAA record(s) for that domain*

  • contain(s) the right IP address.*

My web server is: Apache 2.4.7-1ubuntu4.9

The operating system my web server runs on is:Ubuntu 14.04

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

The version of my client is certbot --version 0.23.0

You have Certbot renewing your domain via AWS Route53, but your domain has its nameservers hosted with Cloudflare.

It looks like you migrated your domain from Route53 to Cloudflare one month ago, so you will need to reconfigure the renewal to use certbot-dns-cloudflare.

For example, after installing the Cloudflare DNS plugin:

certbot renew --cert-name camlinrail.com --dns-cloudflare \

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.