Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: letsencrypt.cogentco.com
I ran this command: /bin/certbot certonly -d letsencrypt.cogentco.com,.letsencrypt.cogentco.com,.sys.letsencrypt.cogentco.com --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook /usr/local/bin/letsencrypt-authenticator
It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for letsencrypt.cogentco.com
dns-01 challenge for letsencrypt.cogentco.com
dns-01 challenge for sys.letsencrypt.cogentco.com
Waiting for verification…
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Failed authorization procedure. letsencrypt.cogentco.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “wMTPgKkb4UVaAvpkbaYCQmxZtGDcVTXbJJmADJ8qb6Q” found at _acme-challenge.letsencrypt.cogentco.com
IMPORTANT NOTES:
-
The following errors were reported by the server:
Domain: letsencrypt.cogentco.com
Type: unauthorized
Detail: Incorrect TXT record
“wMTPgKkb4UVaAvpkbaYCQmxZtGDcVTXbJJmADJ8qb6Q” found at
_acme-challenge.letsencrypt.cogentco.comTo fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): N/A
The operating system my web server runs on is (include version): N/A
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The issue is that I am trying to obtain a wildcard certificate that includes the origin (*.letsencrypt.cogentco.com and letsencrypt.cogentco.com). For both _acme-challenge.letsencrypt.cogentco.com is being check but with different strings. I used “–manual-auth-hook” to automatically set the TXT string as I get them from certbot. It appears the check is only done at the end so one of the challenges fails.
I don’t know how to get around it.