Error in renewal even with matching txt DNS records

Hello,
Trying to renew a wildcard certificate as I have done repeatedly in the past by updating a DNS TXT Record. Looking at the logs it shows the requested string as well as the results of the attempt. But the failure message shows the correct txt string:

(Update DNS Manually) :: Please login to your DNS control panel for the domain ‘*.isemanhomes.com’ and create a new TXT record named:
_acme-challenge.isemanhomes.com
with the value:
pONQOJ3DzxMttDTlo5b5_hcnZ4FWsNbpGRxPNGJUGfA

2020-12-12 11:20:21.027 -08:00 [INF]
2020-12-12 11:32:32.373 -08:00 [INF] ---- Beginning Request [*.isemanhomes.com] ----
2020-12-12 11:32:32.381 -08:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2020-12-12 11:32:32.381 -08:00 [INF] Created ACME Order: REDACTED://acme-v02.api.letsencrypt.org/acme/order/48994129/6705864671
2020-12-12 11:32:32.647 -08:00 [INF] Fetching Authorizations.
2020-12-12 11:32:33.128 -08:00 [INF] Got http-01 challenge REDACTED://acme-v02.api.letsencrypt.org/acme/chall-v3/9257938435/6oScWQ
2020-12-12 11:32:33.306 -08:00 [INF] Got dns-01 challenge REDACTED://acme-v02.api.letsencrypt.org/acme/chall-v3/9257938435/LKCIBA
2020-12-12 11:32:33.757 -08:00 [INF] Got dns-01 challenge REDACTED://acme-v02.api.letsencrypt.org/acme/chall-v3/9258091835/M8C2xQ
2020-12-12 11:32:33.757 -08:00 [INF] Attempting Challenge Response Validation for Domain: *.isemanhomes.com
2020-12-12 11:32:33.758 -08:00 [INF] Registering and Validating *.isemanhomes.com
2020-12-12 11:32:33.758 -08:00 [INF] Checking automated challenge response for Domain: *.isemanhomes.com
2020-12-12 11:32:33.903 -08:00 [WRN] Challenge response validation still pending. Re-checking [10]…
2020-12-12 11:32:35.611 -08:00 [INF] Domain validation completed: *.isemanhomes.com
2020-12-12 11:32:35.611 -08:00 [INF] Attempting Challenge Response Validation for Domain: isemanhomes.com
2020-12-12 11:32:35.611 -08:00 [INF] Registering and Validating isemanhomes.com
2020-12-12 11:32:35.612 -08:00 [INF] Checking automated challenge response for Domain: isemanhomes.com
2020-12-12 11:32:35.766 -08:00 [WRN] Challenge response validation still pending. Re-checking [10]…
2020-12-12 11:32:37.355 -08:00 [INF] Incorrect TXT record “pONQOJ3DzxMttDTlo5b5_hcnZ4FWsNbpGRxPNGJUGfA” found at _acme-challenge.isemanhomes.com
2020-12-12 11:32:38.480 -08:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record “pONQOJ3DzxMttDTlo5b5_hcnZ4FWsNbpGRxPNGJUGfA” found at _acme-challenge.isemanhomes.com

Now I am seeing I only have two more attempts allowed but if the record matches what recourse do I have?

Also, I no longer see any new strings that may have changed to confirm the current txt record values. I did update to the latest version today. Does anyone have a similar issue?

Hi, sorry for the delayed reply. Your validation is most likely failing because you are trying to validate both *.isemanhomes.com and isemanhomes.com; due to the way Let’s Encrypt validation works, this requires updating the same TXT record with 2 different values. Some DNS control panels allow this, others don’t. One option is to let one validation pass, then get the other one to pass over multiple attempts; because LE caches validation successes you will eventually be able to proceed.

I don’t recommend using the Manual DNS option at all, as it requires you to not only remember to renew your cert but also to remember how to do it and endure the possible failures you can encounter. I’d advise you to try our Rackspace DNS provider and provide feedback if it doesn’t work for you. Alternatively, check out the acme-dns option (https://docs.certifytheweb.com/docs/dns/providers/acme-dns)

Greetings,

I seem to be having a similar problem.

I have a mail server with about 8 domains. I have one primary domain which is set as the primary server.

I have setup CloudDNS as my provider and it creates two entries in the DNS while certifytheweb executes.

However, it fails after that.

This is my first post, therefore I am not sure if we can upload the log file. But if you say so, I can post a dropbox link so you can check the logs.

Interestingly, it worked for the first time, but after that it has failed every single time. It has failed even when I try and press the ‘Request Certificate’ button manually.

The starting entries are as below:

2021-05-30 19:55:36.735 +05:30 [INF] Certify/5.4.3.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2021-05-30 19:55:36.746 +05:30 [INF] Beginning Certificate Request Process: New Trial WildCard using ACME Provider:Certes
2021-05-30 19:55:36.746 +05:30 [INF] Requested identifiers to include on certificate: mailservices.business;yellowspree.tech;listnbuy.in;yellowspree.in;bnl.travel;vuecam.in;360travels.in;europahealthcare.com;.mailservices.business;.yellowspree.tech;.listnbuy.in;.yellowspree.in;.bnl.travel;.vuecam.in;.360travels.in;.europahealthcare.com
2021-05-30 19:55:36.747 +05:30 [INF] Beginning certificate order for requested domains
2021-05-30 19:55:36.981 +05:30 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2021-05-30 19:55:37.474 +05:30 [INF] Created ACME Order: 115839558/10056657482
2021-05-30 19:55:37.564 +05:30 [INF] Fetching Authorizations.
2021-05-30 19:55:38.039 +05:30 [INF] Got dns-01 challenge 13491383079/J1u2dg
2021-05-30 19:55:38.382 +05:30 [INF] Got dns-01 challenge 13491383093/rxdxvQ
2021-05-30 19:55:38.737 +05:30 [INF] Got dns-01 challenge 13491383113/5fX4Ng
2021-05-30 19:55:39.089 +05:30 [INF] Got dns-01 challenge 13491383135/UKdtpw
2021-05-30 19:55:39.438 +05:30 [INF] Got dns-01 challenge 13491383160/MOnC9A
2021-05-30 19:55:39.811 +05:30 [INF] Got dns-01 challenge 13491383173/c4xucQ
2021-05-30 19:55:40.167 +05:30 [INF] Got dns-01 challenge 13491383186/ioY1dA
2021-05-30 19:55:40.447 +05:30 [INF] Got http-01 challenge 13491383190/CxH4kg
2021-05-30 19:55:40.619 +05:30 [INF] Got dns-01 challenge 13491383190/iOKb9g
2021-05-30 19:55:40.908 +05:30 [INF] Got http-01 challenge 13491383196/hryZ6Q
2021-05-30 19:55:41.082 +05:30 [INF] Got dns-01 challenge 13491383196/Lrb0sQ
2021-05-30 19:55:41.350 +05:30 [INF] Got http-01 challenge 13491383202/s8LHzg
2021-05-30 19:55:41.533 +05:30 [INF] Got dns-01 challenge 13491383202/pkRMow
2021-05-30 19:55:41.792 +05:30 [INF] Got http-01 challenge 13491383213/66X2bg
2021-05-30 19:55:41.964 +05:30 [INF] Got dns-01 challenge 13491383213/S8NSJg
2021-05-30 19:55:42.227 +05:30 [INF] Got http-01 challenge 13491383222/0RIkSw
2021-05-30 19:55:42.399 +05:30 [INF] Got dns-01 challenge 13491383222/Oae3bQ
2021-05-30 19:55:42.659 +05:30 [INF] Got http-01 challenge 13491383229/IMfH4w
2021-05-30 19:55:42.831 +05:30 [INF] Got dns-01 challenge 13491383229/-XFvbw
2021-05-30 19:55:43.088 +05:30 [INF] Got http-01 challenge 13491383232/Gpu_Fg
2021-05-30 19:55:43.259 +05:30 [INF] Got dns-01 challenge 13491383232/825TiQ
2021-05-30 19:55:43.537 +05:30 [INF] Got http-01 challenge 13491383234/4tzpIg
2021-05-30 19:55:43.713 +05:30 [INF] Got dns-01 challenge 13491383234/qyyKOQ
2021-05-30 19:55:44.059 +05:30 [INF] Got dns-01 challenge 13565987051/D4lUiA
2021-05-30 19:55:44.059 +05:30 [INF] Attempting Domain Validation: mailservices.business
2021-05-30 19:55:44.060 +05:30 [INF] Registering and Validating mailservices.business
2021-05-30 19:55:44.060 +05:30 [INF] Performing automated challenge responses (mailservices.business)
2021-05-30 19:55:44.063 +05:30 [INF] DNS: Creating TXT Record ‘_acme-challenge.mailservices.business’ with value ‘Hv6GO7Y2KmhrDJj6Yu_4S0GBYaLV43EwXHj3rypHLvM’, in Zone Id ‘’ using API provider ‘Powershell/PoshACME DNS’
2021-05-30 19:55:46.089 +05:30 [INF] DNS: Powershell/PoshACME DNS :: Powershell Task Completed.

The final entries are as below:

2021-05-30 19:57:43.524 +05:30 [INF] Attempting Challenge Response Validation for Domain: mailservices.business
2021-05-30 19:57:43.524 +05:30 [INF] Registering and Validating mailservices.business
2021-05-30 19:57:43.525 +05:30 [INF] Checking automated challenge response for Domain: mailservices.business
2021-05-30 19:57:43.852 +05:30 [WRN] Challenge response validation still pending. Re-checking [10]…
2021-05-30 19:57:45.438 +05:30 [INF] No TXT record found at _acme-challenge.mailservices.business
2021-05-30 19:57:46.121 +05:30 [INF] DNS: Deleting TXT Record ‘_acme-challenge.mailservices.business’, in Zone Id ‘’ using API provider ‘Powershell/PoshACME DNS’
2021-05-30 19:57:48.092 +05:30 [INF] Validation of the required challenges did not complete successfully. No TXT record found at _acme-challenge.mailservices.business
2021-05-30 19:57:48.092 +05:30 [INF] Validation of the required challenges did not complete successfully. No TXT record found at _acme-challenge.mailservices.business
2021-05-30 19:57:48.093 +05:30 [INF] Validation of the required challenges did not complete successfully. No TXT record found at _acme-challenge.mailservices.business

Could you please help?

Thank you

Manish Naik

Note: Sorry, I had to remove https://acme-v02.api.letsencrypt.org/acme/chall-v3/ in all the links as it was not allowing me to post as a new user

Hi,

So it looks like most of your domains have already validated (successful validation caches at Let’s Encrypt for 30 days).

When performing DNS validation you need to allow enough propagation time for all of your DNS name servers to know about the updated TXT record. If your name servers are load balanced behind one name they still have to all respond with the same result. The default for CloudDNS is 90 seconds but perhaps that needs to be higher.

During validation you can check your name servers’ response using dig -t TXT _acme-challenge.mailservices.business from a Linux command line or using online tools. You can also test your DNS response using https://unboundtest.com/

Surround logs with ``` (on a line above and below) to wrap them in code blocks, then it won’t parse any links.


Greetings,

Thank you so much for the quick turnaround.

However, it does not validate and go ahead.

  • I don’t understand why it fails if all the domains are validated! But it fails. Do let me know if a dropbox link works for you, then I can upload the full log.
  • CloudDNS has the entries in each domain and, what is more strange, the entries do not get deleted because the process fails in between.
  • I have dual domains configured for e.g. mydomain.com and also *.mydomain.com so the ACME tool creates two TXT entries. Even after that it fails !
  • I tried to increase the wait time all the way to 600 seconds also, but it still fails!

Let me know what other information can help you help me and I will upload on dropbox and paste the links here.

Thank you so much again

Manish Naik

That’s a great tip! Will use this from now onwards.

Thank you so much

Manish Naik

Manish,

You can email your full log to support {at} certifytheweb.com. Can you also create a known test record in your domain such as ‘_validation-test’ set to any value like ‘hello world’ and I can check whether I can see it.

I notice you have many domains on one cert, I would recommend avoiding this if you can and have separate certificates, that way you can isolate the failing domain.

Greetings,

Thank you so much for this kind support

I have sent you an email with the reference of this topic with the log files.

I have also created a DNS entry in the domain mailservices.business exactly as you have asked for,
_validation-test.mailservices.business = hello world

Also, just so that you know, it already contains an old record generated by certifytheweb/letsencrypt.
The record is

_acme-challenge.mailservices.business = wCY5zGF3mmRzGB81VyHhCyMtRJs0dHHGqQiL19rNSqc

I am writing this so that you could maybe compare it with the logs.

As for the many domains on the server, we have a mail server and all our group organizations use the same server. For that, we need one outgoing SSL certificate which the mail server SMTP service uses. The other SSL is for the web interfaces like mail.mydomain.com and then admin interface mailadmin.mydomain.com and the mobile web interface like mobile.mydomain.com. These three exist for all the domains. Now if I have separate SSL for each of these domains, it would be difficult for the mailserver to map them automatically because the mail server uses the same website contents but maps different domains as they hit the server. That is why we had to go with SNI for all of them.

Thank you again

Manish Naik

Thanks Manish, I’ll reply to your support ticket. Currently those DNS records are not visible, which suggests this domain is not pointing to the DNS zone you think it is. e.g. dig -t TXT _validation-test.mailservices.business returns nothing (the nameserver is currently dns1.cloudns.net)

Greetings,

So that it would benefit others, in case they are noobs, like I was, I wanted to update this thread.

There was an issue with the DNS. The certifytheweb application was updating the DNS automatically, all right, but the DNS servers were not configured right and they did not respond to the _acme-challenge.mydomain.com request and that is the reason it was failing.

In case anyone is stuck with this issue, please create a manual entry in your DNS like the following, as suggested by webprofusion:
TXT Record
_validation-test.mydomain.com → ‘hello world’

Then visit https://toolbox.googleapps.com/apps/dig/#TXT/
and enter

_validation-test.mydomain.com

press ‘TXT’ button

It should respond back with ‘hello world’

You can also use tools like
dig -t TXT _validation-test.mydomain.com
OR
unboundtest.com
OR
https://dnschecker.org/#TXT/_validation-test.mydomain.com

Hope this helps

Thank you Webprofusion for all the support and guidance.

Manish Naik

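As an added example (not part of this thread and not Certify The Web’s own code), a stdlib-only Python checker for the procedure above: it sends a TXT query for the challenge name directly to each name server you list and reports which expected token values a server is not yet returning, which covers the wildcard-plus-apex case where two tokens must be present at the same name. The server addresses, names and tokens are assumptions you supply; the test uses constructed values.

```python
import socket
import struct

TXT = 16  # DNS RR type for TXT

def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    # Standard query, recursion desired, one question: <name> TXT IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TXT, 1)

def _skip_name(msg: bytes, off: int) -> int:
    # Advance past a domain name; a compression pointer (0xC0..) ends it in 2 bytes.
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_txt_answers(msg: bytes) -> set[str]:
    # Collect every TXT value in the answer section (character-strings joined).
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    values = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TXT:
            rdata, pos, parts = msg[off:off + rdlen], 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode())
                pos += 1 + n
            values.add("".join(parts))
        off += rdlen
    return values

def query_txt(name: str, server: str, timeout: float = 3.0) -> set[str]:
    # Minimal UDP lookup; ask each authoritative server (IP) directly, not a recursive cache.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (server, 53))
        return parse_txt_answers(s.recv(4096))

def missing_per_server(expected: set[str], answers: dict[str, set[str]]) -> dict[str, set[str]]:
    # Which expected tokens (wildcard and apex ones) each server does not yet serve.
    return {srv: expected - got for srv, got in answers.items() if expected - got}
```

Typical use is `missing_per_server({tokenA, tokenB}, {ip: query_txt("_acme-challenge.example.com", ip) for ip in ns_ips})` with the tokens copied from the Certify log and the IPs of every authoritative name server; an empty result means all servers agree and validation can be retried.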