Failing to get the certificates generated by letsencrypt according to the documentation

Doing some dry-run tests after upgrading certbot from 4.2.0 to 5.0.0, I get the following desec.io error:

root@pihole[~] # /usr/local/bin/certbot renew --dry-run --authenticator dns-desec --dns-desec-credentials /etc/letsencrypt/.secrets/mydomain.dedyn.io.ini
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mydomain.dedyn.io.conf

Simulating renewal of an existing certificate for mydomain.dedyn.io and *.mydomain.dedyn.io
Waiting 80 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
Domain: mydomain.dedyn.io
Type: unauthorized
Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.dedyn.io

Domain: mydomain.dedyn.io
Type: unauthorized
Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.dedyn.io

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

Failed to renew certificate mydomain.dedyn.io with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/mydomain.dedyn.io/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
Domain: mydomain.dedyn.io
Type: unauthorized
Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.dedyn.io

Domain: mydomain.dedyn.io
Type: unauthorized
Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.dedyn.io

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

With the -v option:

root@pihole[~] # /usr/local/bin/certbot renew --dry-run -v --authenticator dns-desec --dns-desec-credentials /etc/letsencrypt/.secrets/mydomain.io.ini
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mydomain.io.conf

Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-desec, Installer None
Simulating renewal of an existing certificate for mydomain.io and *.mydomain.io
Reusing existing private key from /etc/letsencrypt/live/mydomain.io/privkey.pem.
Performing the following challenges:
dns-01 challenge for mydomain.io
dns-01 challenge for mydomain.io
Waiting 80 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain mydomain.io
Challenge failed for domain mydomain.io
dns-01 challenge for mydomain.io
dns-01 challenge for mydomain.io

Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
Domain: mydomain.io
Type: unauthorized
Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.io

Domain: mydomain.io
Type: unauthorized
Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.io

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

Cleaning up challenges
Failed to renew certificate mydomain.io with error: Some challenges have failed.

Previous runs of certbot (with 4.2.0) went fine ("certificate not yet due for renewal").

Crazy: after I MANUALLY saved the EMPTY ("") TXT _acme-challenge record in desec.io, I got:

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/mydomain.io/fullchain.pem (success)

Any explanation on the behaviour?

The error hints at the solution: increase the propagation delay. It is 80s by default, but that can be too short for the changes to become publicly available. As indicated by the "" TXT record value, Letsencrypt doesn't see the TXT record that you're supposed to set. Unlike other ACME clients, Certbot doesn't check that the changes have propagated before it tells Letsencrypt to look for the TXT record, nor does it try again if the validation fails. Long story short: tell it to wait a little longer and it will probably work:

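One way to see what the CA's resolver will actually find before the fixed propagation wait is spent, as an added example that is not part of this thread or of certbot-dns-desec: it speaks raw DNS over UDP with only the standard library and queries a nameserver directly for the _acme-challenge TXT RRset, so the wait can be measured against the zone's authoritative servers rather than guessed. The nameserver address you pass and the build_txt_response helper (which only fabricates a sample reply so the parser can be exercised offline) are assumptions, not something Certbot provides.

```python
import socket
import struct

def _encode_name(qname):
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"

def build_txt_query(qname, txid=0x1234):
    """DNS query for the TXT RRset of qname; RD=0 so an authoritative server answers from its zone."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + _encode_name(qname) + struct.pack("!HH", 16, 1)

def build_txt_response(qname, values, txid=0x1234):
    """Constructed authoritative reply (assumption: used only as offline sample input here)."""
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, len(values), 0, 0) + _encode_name(qname) + struct.pack("!HH", 16, 1)
    for v in values:
        rdata = bytes([len(v)]) + v.encode()      # one <len><chars> string per TXT record
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata  # name = pointer to question
    return msg

def _skip_name(buf, off):
    """Offset just past a possibly compressed domain name."""
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_txt_answers(buf):
    """All TXT strings in the answer section: the RRset the CA compares the challenge token against."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off, txts = 12, []
    for _ in range(qd):
        off = _skip_name(buf, off) + 4            # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, p = buf[off:off + rdlen], 0
        while rtype == 16 and p < len(rdata):     # an empty TXT record shows up as ""
            txts.append(rdata[p + 1:p + 1 + rdata[p]].decode("utf-8", "replace"))
            p += 1 + rdata[p]
        off += rdlen
    return txts

def challenge_visible(qname, expected, server, timeout=3.0):
    """Ask one nameserver (e.g. an authoritative NS of the zone) whether the token is in the RRset yet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(qname), (server, 53))
        return expected in parse_txt_answers(s.recvfrom(4096)[0])
```

Polling challenge_visible against each authoritative nameserver of the zone until it returns True, and noting how long that takes, gives a measured value to put into --dns-desec-propagation-seconds instead of a guess.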

Thanks for your answer. That does not explain why it was working after the "dummy save" of the empty TXT record ... Also, previously it was working fine with the default propagation time ...

/usr/local/bin/certbot renew --dry-run --dns-desec-propagation-seconds 120

does not help ...

2025-09-04 09:15:15,995:DEBUG:certbot_dns_desec.dns_desec:Authenticator._perform: mydomain.io, _acme-challenge.mydomain.io, Exy4dasfsdf-Q4OCTTn6asVasdfsdfdasfdasfasdfKs
2025-09-04 09:15:15,996:DEBUG:certbot_dns_desec.dns_desec:creating _DesecConfigClient
2025-09-04 09:15:16,000:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): desec.io:443
2025-09-04 09:15:16,334:DEBUG:urllib3.connectionpool:https://desec.io:443 "GET /api/v1/domains/?owns_qname=_acme-challenge.mydomain.io HTTP/1.1" 200 160
2025-09-04 09:15:16,398:DEBUG:urllib3.connectionpool:https://desec.io:443 "GET /api/v1/domains/mydomain.io/rrsets/_acme-challenge/TXT/ HTTP/1.1" 200 269
2025-09-04 09:15:16,399:DEBUG:certbot_dns_desec.dns_desec:Current TXT records: {'""', '"oNIsdfsfBVPZCU0WBJkbsgeasdfsdfasdf9UwasdfsdfsdafdasfLIgbjO0I"'}
2025-09-04 09:15:16,400:DEBUG:certbot_dns_desec.dns_desec:Setting TXT records: {'""', '"Exy4dasfsdf-Q4OCTTn6asVasdfsdfdasfdasfasdfKs"', '"oNIsdfsfBVPZCU0WBJkbsgeasdfsdfasdf9UwasdfsdfsdafdasfLIgbjO0I"'}
2025-09-04 09:15:16,533:DEBUG:urllib3.connectionpool:https://desec.io:443 "PUT /api/v1/domains/mydomain.io/rrsets/ HTTP/1.1" 200 321
2025-09-04 09:15:16,544:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 80 seconds for DNS changes to propagate

Again, it just works if I "dummy save" the empty TXT record.

That seems like a coincidence. DNS is a distributed system with heavy caching and various delays. Give it enough time. Try 300 seconds. Getting certificates from Letsencrypt should be an automated background task, so you're not in a hurry.


Tried the dry run twice with 300s; both runs finished successfully. I adapted my certbot.service and will check and give feedback after the next automated run. Many thanks so far :slight_smile: