Hidden TXT records interfere with LetsEncrypt DNS-01 validation

I have a very weird issue with "stale" or "hidden" TXT records for one of the domains I have (running on the free plan). When I query _acme-challenge.example.com via 1.1.1.1 (Cloudflare's resolver) I see records that are no longer present in my zone file: I can't see them via the web.

Example query:

dig TXT _acme-challenge.example.com @1.1.1.1 +short

Returns:

"stale-record-1"
"stale-record-2"

In my zone _acme-challenge.example.com is configured as a CNAME to _acme-challenge.delegated.example.org and there are no other TXT records. These unexpected TXT responses break validation, as Let's Encrypt sees incorrect values and never follows the CNAME as expected.

I have tried to use https://one.one.one.one/purge-cache/ but these TXT records still exist after using that tool. I tried deleting them via the API, but I can't see them in the listings, so I have no record_id to delete. If I try to add the same record from the web I get this red popup at the bottom stating "An identical record already exists."

Any ideas?
14 Replies
DarkDeviL, 2mo ago
I have tried to use: https://one.one.one.one/purge-cache/ but these TXT records still exist after using that tool.
This tool has nothing to do with your authoritative DNS records (in Cloudflare). As long as the DNS records still exist on the authoritative DNS, they will re-appear again on the next DNS query through 1.1.1.1 (or any other recursive DNS / DNS resolver).
DarkDeviL, 2mo ago
If you're still having issues:
1. What domain?
2. What do you see under "Edge Certificates"? -> https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates
nublaii (OP), 2mo ago
Hi there, thanks for answering:
1. The domain is epneumann.edu.pe (_acme-challenge.epneumann.edu.pe is the one with the problem).
2. I didn't know that existed... There were 2 certificates built, the main one and a backup. I have disabled it at the bottom and now I don't have any certificates there. I am only using CF for DNS.
nublaii (OP), 2mo ago
[screenshot]
nublaii (OP), 2mo ago
This is all I have on the panel for DNS records (the filter is _acme-challenge):
[screenshot]
DarkDeviL, 2mo ago
1. Yep, the "_acme-challenge" can be a bit strange to play around with at times.

2. Universal SSL (which is enabled by default) will generate a wildcard certificate (example.com and *.example.com) for you. In order to generate the wildcard part of the certificate (*.example.com), various certificate authorities, such as e.g. Let's Encrypt, will require that the domain validation be done via DNS, with the _acme-challenge DNS record. Universal SSL will be adding the required TXT records on _acme-challenge automatically, once in a while, when it requires them in order to obtain a new certificate for your domain name, such as e.g. because the old one is about to expire. There are no problems regarding that though...

When you're trying to delegate your _acme-challenge DNS record to somewhere else, with record types such as CNAME or NS records, then the problem may start.

You can do that kind of CNAME or NS delegation perfectly fine, - but: If you're doing it at the same time as when you're using Universal SSL, or having other hosting providers (e.g. two or more different organisations), where they all are trying to depend on the _acme-challenge DNS record, then you have a conflict.

The conflict will be that you CANNOT delegate via CNAME or NS towards multiple providers at the same time. You can however add multiple TXT records at the same time, if necessary.

So if the destination at "_acme-challenge.delegated.unir.net" (as well as any other hosting providers you may have) were just giving you a new TXT every now and then, to replace the previous one with, then it would be able to work just fine. Just like you see on your own screenshot here, as well as e.g. on this link: -> https://www.digwebinterface.com/?hostnames=_acme-challenge.epneumann.edu.pe&type=TXT&useresolver=9.9.9.10&ns=all&nameservers=
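A command-line way to check both points raised in the replies above: that the purge tool never touches the authoritative answer (so ask the authoritative servers directly instead of 1.1.1.1), and that a CNAME at _acme-challenge cannot share its owner name with TXT records. This is an added example written for this page, not code from the thread or from Cloudflare; it assumes dig and awk are installed, and its offline demo feeds the classifier constructed dig output rather than records from any real zone.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes dig and awk are on PATH.
# (1) ask the *authoritative* servers, not a recursive resolver, what lives
#     at an _acme-challenge name, so no cache sits in the path;
# (2) tell apart the states a validator can meet there: plain TXT, a CNAME
#     delegation, and the broken case of CNAME and TXT at the same owner.

# classify_answer: reads dig "+noall +answer" lines on stdin and prints one of
#   EMPTY
#   TXT <n>                               n TXT records at the queried name
#   CNAME <target> (<n> TXT at target)    delegation; n is 0 when the target's
#                                         zone is served elsewhere
#   CONFLICT <owner>                      CNAME and TXT at the same owner name
classify_answer() {
    awk '
        $4 == "CNAME" { cname_owner = $1; target = $5 }
        $4 == "TXT"   { txt[$1]++ }
        END {
            if (cname_owner != "" && txt[cname_owner] + 0 > 0) {
                print "CONFLICT " cname_owner; exit
            }
            if (cname_owner != "") {
                print "CNAME " target " (" (txt[target] + 0) " TXT at target)"; exit
            }
            n = 0
            for (owner in txt) n += txt[owner]
            if (n > 0) { print "TXT " n; exit }
            print "EMPTY"
        }'
}

# check_name NAME ZONE: query every authoritative server of ZONE directly for
# TXT at NAME. If the result is "CNAME ...", repeat for the target and its own
# zone, since the delegated zone has its own authoritative servers.
#   check_name _acme-challenge.example.com example.com
check_name() {
    name=$1; zone=$2
    for ns in $(dig +short NS "$zone"); do
        printf '%s @%s: ' "$name" "$ns"
        dig +noall +answer TXT "$name" "@$ns" | classify_answer
    done
}

# demo: constructed dig answer lines (not captured from any real zone) showing
# the classifier on the three states, so the script runs offline.
demo() {
    printf 'delegated: '
    printf '%s\n' \
        '_acme-challenge.example.com. 300 IN CNAME _acme-challenge.delegated.example.org.' \
        '_acme-challenge.delegated.example.org. 60 IN TXT "token-from-delegation"' |
        classify_answer
    printf 'plain TXT: '
    printf '%s\n' \
        '_acme-challenge.example.com. 300 IN TXT "token-a"' \
        '_acme-challenge.example.com. 300 IN TXT "token-b"' |
        classify_answer
    printf 'conflict:  '
    printf '%s\n' \
        '_acme-challenge.example.com. 300 IN CNAME _acme-challenge.delegated.example.org.' \
        '_acme-challenge.example.com. 300 IN TXT "leftover-token"' |
        classify_answer
}

if [ "$#" -eq 2 ]; then check_name "$1" "$2"; else demo; fi
```

Run it with no arguments for the offline demo, or as `sh script.sh _acme-challenge.example.com example.com` to query the live authoritative servers; the point of going to each NS returned by `dig +short NS` is that 1.1.1.1's purge page only affects 1.1.1.1's cache, while a mismatch between two authoritative servers, or a CONFLICT line, points at the zone itself.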
DarkDeviL, 2mo ago
[screenshot]
DarkDeviL, 2mo ago
You're (unfortunately) getting quite a bit of mixed and unpredictable results, when you have such kind of conflicts.
nublaii (OP), 4w ago
Hi, thanks for the answer (nice site to test things out btw, already bookmarked). I tried creating the CNAME to see if it would take precedence, but it seems it doesn't. I have just deleted the CNAME, and the TXT records are still in place (even though I can't see them on CF's panel):
[screenshot]
nublaii (OP), 4w ago
and using the tool you used, I now only see the 'ghost' records:
[screenshot]
nublaii (OP), 4w ago
Sure thing! And thanks!
[screenshot]
DarkDeviL, 4w ago
And you're still not having any DNS records, named "_acme-challenge"?
nublaii (OP), 4w ago
That's right, I deleted the CNAME. I can see no other records with that name, but when I query 1.1.1.1 or 1.0.0.1 I can see them.
