Wildcard renewal problem

#1

I updated the _acme-challenge.boxrec.com txt record as instructed. Did a dig to check DNS had been updated OK, it had, then hit enter to finish but certbot fetched the old DNS txt field. Now I am stuck in a loop, each time I try to update it generates a new TXT which I have to update DNS so I am always out of sync. How do I sync cerbot with the current DNS record ?

dig -t txt _acme-challenge.boxrec.com

; <<>> DiG 9.11.4-3ubuntu5.1-Ubuntu <<>> -t txt _acme-challenge.boxrec.com
_acme-challenge.boxrec.com. 7199 IN TXT “gbbnVKTxt6jO836LWS6oP1wuaxGY21lqdTihZA6RbF8”

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: boxrec.com

I ran this command:
certbot certonly --manual -d *.boxrec.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for boxrec.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.boxrec.com with the following value:

gbbnVKTxt6jO836LWS6oP1wuaxGY21lqdTihZA6RbF8

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. boxrec.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “mtySdhCDKAywfmW6vqxbfrGiJU3WPKaIoORAv-GLY3Y” found at _acme-challenge.boxrec.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: boxrec.com
    Type: unauthorized
    Detail: Incorrect TXT record
    “mtySdhCDKAywfmW6vqxbfrGiJU3WPKaIoORAv-GLY3Y” found at
    _acme-challenge.boxrec.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

2.8

#2

Hi @johnshep

your dns txt entry is visible ( https://check-your-website.server-daten.de/?q=boxrec.com ):

_acme-challenge.boxrec.com
	gbbnVKTxt6jO836LWS6oP1wuaxGY21lqdTihZA6RbF8
	looks good

You have a standard TTL of one hour:

Domain: boxrec.com
Primary: NS1.WORLDNIC.com
Mail: namehost.WORLDNIC.com
Serial: 118112817
Refresh: 10800
Retry: 3600
Expire: 604800
TTL: 3600
num Entries: 2

So perhaps you should wait 4-5 minutes before doing the next step.

#3

While the records don’t match it will continue to fail.
You may need to insure that ALL your authoritative DNS servers are up-to-date before continuing.

#4

Thanks Juergen,
yes I can update the DNS txt fine but it takes time to propagate and when I run certbot again it generates a different txt entry. Is there a way to keep certbot in stasis until DNS has propagated to the required txt ?

John

#5

Yes:

Don’t press Enter.

#6

Not pressing enter means keeping the terminal link up for a prolonged period which is something my internet provider has great difficulty managing :frowning: I’m lucky to get 15 minutes without a drop out.

#7

You could run certbot in a screen instance.

#8

thanks Osiris, tried with Screen, now I get …

Failed authorization procedure. boxrec.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up TXT for _acme-challenge.boxrec.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: boxrec.com
    Type: None
    Detail: DNS problem: query timed out looking up TXT for
    _acme-challenge.boxrec.com

#9

Rechecked your domain: Your SOA records are inconsistent.

Domain: boxrec.com
Primary: NS1.WORLDNIC.com
Mail: namehost.WORLDNIC.com
Serial: 119022810
Refresh: 10800
Retry: 3600
Expire: 604800
TTL: 3600
num Entries: 1
Domain: boxrec.com
Primary: NS1.WORLDNIC.com
Mail: namehost.WORLDNIC.com
Serial: 119022617
Refresh: 10800
Retry: 3600
Expire: 604800
TTL: 3600
num Entries: 1

There are two nameservers:

But different Serial numbers -> slow system.

#10

But unboundtest.com can find the TXT record just fine:

https://unboundtest.com/m/TXT/_acme-challenge.boxrec.com/6GJPNWT7

So I’m not sure why Let’s Encrypts systems would time out.

#11

thanks guys, this is just so painful :frowning:

closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.