AutoSSL ERROR “Let’s Encrypt™” Incorrect TXT record found at _acme-challenge.<DOMAIN>
AutoSSL is failing to renew a Let's Encrypt cert. Of Let's Encrypt's Challenge Types I have to use DNS-01 because my CMS conflicts with HTTP-01. What I can't parse out is how to get the correct value for the TXT record. I copied another TXT record but that was just to make sure _acme-challenge.<DOMAIN> is accessible. Thoughts?
-
Hey there! You shouldn't have to manually *get* the text record - cPanel temporarily adds it to the DNS while Let's Encrypt runs the validation for the domain, and then it gets removed afterward. Can you post the error you're seeing from AutoSSL?
0 -
Note that the DNS records are with Cloudflare.
0 -
If all the DNS records are at Cloudflare and http verification isn't an option, I don't see how you'll be able to use AutoSSL.
Just to be sure, have you worked through the guide here to see if that changes anything?
0 -
I was looking in all the wrong places. Disabling Cloudflare temporarily, as suggested in other posts, allowed AutoSSL to do its job. Thanks for stopping my obsession with the DNS record.
0 -
I'm glad you were able to find a solution!
0 -
I have some domains/accounts that serve the DNSing and email, but the website is off-server. I've not had any AutoSSL renewal issues until this month when I'm getting:
"MASTER DCV: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.DOMAIN.TLD)"
This makes sense since how could it write to a remote server?
In looking at the cert on the website, it's clear (by the validity date) that it is not the one expiring on my server, but is from the server that hosts the website, so they are covered on that end. Based on that I assume I can just let it renew with "a reduction in coverage." Right now it has deferred renewal with reduced coverage until 3 days prior to expiration to allow time to rectify the issue, and is nagging me every 3 hours (lol).
1- Am I correct to just let it renew with reduced coverage (meaning the site URL is not covered)?
2- What changed? I haven't seen this before and have had accounts like these for years. Is this file write a new thing?
0 -
1 - Sure, I'd just let it run with the reduced coverage.
2 - I'm not aware of any direct changes that would cause this, but my awareness certainly isn't the end-all be-all of information :D Is it possible the system recently updated and it is now using Let's Encrypt where it would have been using Sectigo before?
0 -
2 - No, it has been on LE for quite some time; long enough for some of these to renew w/o this issue. I'd be interested to know the change/cause, and also what can be done so we don't have to endure weeks of warnings every 3 hours. :)
0 -
Hi,
If I understood your previous reply correctly, the warnings you're receiving are from websites that are hosted on a remote server. If that's the case, you can exclude those domains from AutoSSL to no longer receive warnings about them. For reference:
If the domains are hosted on your server, they should be able to pass HTTP validation. If they are not receiving a renewed certificate, there will likely be an error in the AutoSSL logs to explain why the HTTP validation is failing.