Letsencrypt: Incorrect TXT record at acme challenge

1. The problem I’m having:

Since today, Caddy is no longer able to complete the ACME challenge from Let's Encrypt.
Caddy also tries ZeroSSL, which seems to work; however, I'm getting an SSL_ERROR_INTERNAL_ERROR_ALERT in Firefox.
I'm frankly unsure what happened. I changed nothing at all and everything worked for months.
I did notice that I had about four ACME challenge records at my DNS provider, so I deleted those, which unfortunately didn't change anything.

Right after I created this topic, I noticed that my website was reachable again, probably via ZeroSSL, so apparently I just had to wait a few minutes …? I'd still like to know what's wrong though.

2. Error messages and/or full log output:

caddy  | 2025/10/18 08:15:50.159	ERROR	validating authorization	{"identifier": "chonkyrabbit.eu", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Incorrect TXT record \"C78T4aATfgJ-gUUZVLoFCOvU_JArzsYQQlZpxFRVjqw\" found at _acme-challenge.chonkyrabbit.eu", "instance": "", "subproblems": null}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/235898213/27973450303", "attempt": 1, "max_attempts": 3}
caddy  | github.com/mholt/acmez/v3.(*Client).ObtainCertificate
caddy  | 	github.com/mholt/acmez/v3@v3.1.2/client.go:152
caddy  | github.com/caddyserver/certmagic.(*ACMEIssuer).doIssue
caddy  | 	github.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:489
caddy  | github.com/caddyserver/certmagic.(*ACMEIssuer).Issue
caddy  | 	github.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:382
caddy  | github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue
caddy  | 	github.com/caddyserver/caddy/v2@v2.10.2/modules/caddytls/acmeissuer.go:288
caddy  | github.com/caddyserver/certmagic.(*Config).obtainCert.func2
caddy  | 	github.com/caddyserver/certmagic@v0.24.0/config.go:626
caddy  | github.com/caddyserver/certmagic.doWithRetry
caddy  | 	github.com/caddyserver/certmagic@v0.24.0/async.go:104
caddy  | github.com/caddyserver/certmagic.(*Config).obtainCert
caddy  | 	github.com/caddyserver/certmagic@v0.24.0/config.go:700
caddy  | github.com/caddyserver/certmagic.(*Config).ObtainCertAsync
caddy  | 	github.com/caddyserver/certmagic@v0.24.0/config.go:505
caddy  | github.com/caddyserver/certmagic.(*Config).manageOne.func1
caddy  | 	github.com/caddyserver/certmagic@v0.24.0/config.go:415
caddy  | github.com/caddyserver/certmagic.(*jobManager).worker
caddy  | 	github.com/caddyserver/certmagic@v0.24.0/async.go:73
caddy  | 2025/10/18 08:15:50.159	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "chonkyrabbit.eu", "issuer": "acme-staging-v02.api.letsencrypt.org-directory", "error": "HTTP 403 urn:ietf:params:acme:error:unauthorized - Incorrect TXT record \"C78T4aATfgJ-gUUZVLoFCOvU_JArzsYQQlZpxFRVjqw\" found at _acme-challenge.chonkyrabbit.eu"}

3. Caddy version:

2.10.2

4. How I installed and ran Caddy:

a. System environment:

official docker container

b. Command:

via docker

c. Service/unit/compose file:

    caddy:
        build:
            dockerfile: /podconf/build/caddy.Dockerfile
            args:
                VER: 2.10.2
        container_name: caddy
        restart: unless-stopped
        ports:
            - 80:80
            - 443:443
        volumes:
            - /podconf/caddy/:/etc/caddy

d. My complete Caddy config:

{
	admin off
	log {
		output stdout
		output stderr
		format console
	}
	
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	order rate_limit before basicauth
	acme_dns hetzner <secret>
}
(global) {
	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# enable HSTS
		Strict-Transport-Security max-age=31536000;
		# keep referrer data off
		Referrer-Policy no-referrer
	}
	encode zstd gzip
	
	import "botblock/bots.list"
	redir @isBot "/fuck off" permanent
}
*.chonkyrabbit.eu {
	@test host test.chonkyrabbit.eu
	handle @test {
		import global
		rate_limit {
			distributed
			zone nobrute {
				key {remote_host}
				events 3
				window 5s
			}
		}
		respond "rate limit test"
	}
}

5. Links to relevant resources:

Hello @UltraBlackLinux,

Here is a list of issued certificates https://crt.sh/?q=chonkyrabbit.eu.

The certificate presently being served is crt.sh | 21798859664

openssl s_client -showcerts -servername chonkyrabbit.eu -connect chonkyrabbit.eu:443 < /dev/null

$ openssl s_client -showcerts -servername chonkyrabbit.eu -connect chonkyrabbit.eu:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=1 C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
verify return:1
depth=0 CN = chonkyrabbit.eu
verify return:1

Certificate chain
0 s:CN = chonkyrabbit.eu
i:C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 18 00:00:00 2025 GMT; NotAfter: Jan 16 23:59:59 2026 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Jan 30 00:00:00 2020 GMT; NotAfter: Jan 29 23:59:59 2030 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Server certificate
subject=CN = chonkyrabbit.eu
issuer=C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits

SSL handshake has read 3279 bytes and written 381 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: E6392774D925C0CEC442BD6A46C90117DF30DEE1F89D1A506592FD274EC026F5
Session-ID-ctx:
Resumption PSK: 7FAFDED8C07C8702A65C3FE91B6B0AF9612C5FC9DC1CF89F077879AAE0632120
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
0000 - f6 90 70 36 20 04 83 9a-f4 d4 c0 c1 ca d2 58 68 ..p6 …Xh
0010 - 2c f9 5a 7c 3d e3 09 d3-c7 de a7 7b 14 71 70 5a ,.Z|=…{.qpZ
0020 - 65 62 ef c9 cf d4 81 29-54 f1 45 92 ff 08 fb 7c eb…)T.E…|
0030 - 6c 52 91 d0 b8 6a 77 7e-e1 64 9b f0 0d 64 ae 81 lR…jw~.d…d..
0040 - 64 e4 92 48 49 ca bc 84-1a 94 76 3b 16 f2 05 41 d..HI…v;…A
0050 - a4 55 cf 5f 17 c9 ba 66-e0 49 99 29 f7 b4 95 84 .U._…f.I.)…
0060 - c6 e5 f4 f1 77 b6 41 6a-a7 …w.Aj.

Start Time: 1760798859
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK
DONE

https://unboundtest.com/m/TXT/_acme-challenge.chonkyrabbit.eu/TE47CIS5 shows
2 TXT records for _acme-challenge.chonkyrabbit.eu. Typically, ACME clients clean up after themselves by removing the TXT records after the certificate(s) have been issued.
That doesn't seem to have happened this time.

Query results for TXT _acme-challenge.chonkyrabbit.eu

Response:
;; opcode: QUERY, status: NOERROR, id: 290
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;_acme-challenge.chonkyrabbit.eu.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.chonkyrabbit.eu.	0	IN	TXT	"ujbTprFVCbGqptPfexTWrwqovwa8uW2Zg1iyyHR6aeY"
_acme-challenge.chonkyrabbit.eu.	0	IN	TXT	"F4dqZ7dDdeqr_Um5Ob_N_z1pvFzcZxf0CiV5MIRv3J8"

----- Unbound logs ----
3 Likes

And from the PrivateBin file you posted, at line 159:

caddy  | 2025/10/18 08:28:53.016	ERROR	cleaning up solver	{"identifier": "chonkyrabbit.eu", "challenge_type": "dns-01", "error": "deleting temporary record for name \"chonkyrabbit.eu.\" in zone {\"_acme-challenge\" \"0s\" \"TXT\" \"zkpJo4ktyyfwA3tdeKLjiOycMA-YH3yxgvBkcIgAorI\"}: Not Found (404)"}

Shows an ERROR cleaning up solver.

3 Likes
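To make the two observations above concrete (leftover TXT records that were never cleaned up, and a CA reporting "Incorrect TXT record ... found"), here is an added example that is not part of this thread and not Caddy's or certmagic's code. It computes the value a DNS-01 challenge expects at `_acme-challenge.<domain>` exactly as RFC 8555 §8.4 defines it (base64url of SHA-256 over `token.thumbprint(accountKey)`, with the JWK thumbprint from RFC 7638) and then classifies an observed TXT RRset into the record that matches the current challenge and the stale ones. The account JWK and the challenge token are constructed sample values (the JWK is never used as a key, only hashed); the two TXT strings are the ones the unboundtest query above returned.

```python
"""DNS-01 validation values (RFC 8555 §8.4) and JWK thumbprints (RFC 7638).

Added example for this thread; not Caddy/certmagic code. Shows why a CA that
finds only leftover _acme-challenge TXT records from earlier attempts reports
"Incorrect TXT record", and what a clean RRset for the current challenge looks like.
"""
import base64
import hashlib
import json

# Required JWK members per key type (RFC 7638 §3.2); every other member is ignored.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, lexicographically ordered,
    serialized without whitespace (RFC 7638 §3)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects at _acme-challenge.<domain>:
    base64url(SHA-256(token || "." || thumbprint(accountKey)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def classify_txt_records(records: list, expected: str) -> dict:
    """Split an observed RRset into the record for the current challenge and
    the stale leftovers a CA will report as 'Incorrect TXT record'."""
    matching = [r for r in records if r == expected]
    stale = [r for r in records if r != expected]
    return {"valid": bool(matching), "matching": matching, "stale": stale}


def diagnose(records: list, token: str, account_jwk: dict) -> dict:
    """Compute the expected value for (token, account key) and compare it with
    what DNS currently serves."""
    expected = dns01_txt_value(token, account_jwk)
    report = classify_txt_records(records, expected)
    report["expected"] = expected
    return report


# Constructed sample account key: NOT a real key pair, only hashed for the thumbprint.
# "alg" is an optional member and must not change the thumbprint.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",
}
# Constructed sample challenge token (the CA issues one per authorization).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
# The two TXT values the unboundtest query in this thread returned: leftovers
# from earlier challenges, which cannot match a newly issued token.
OBSERVED_TXT = [
    "ujbTprFVCbGqptPfexTWrwqovwa8uW2Zg1iyyHR6aeY",
    "F4dqZ7dDdeqr_Um5Ob_N_z1pvFzcZxf0CiV5MIRv3J8",
]

if __name__ == "__main__":
    report = diagnose(OBSERVED_TXT, SAMPLE_TOKEN, SAMPLE_JWK)
    print("expected TXT value:", report["expected"])
    print("challenge would validate:", report["valid"])
    for record in report["stale"]:
        print("stale record to remove:", record)
    # Once the current value is published next to the leftovers, validation passes,
    # because the CA only needs one record to match; the stale ones are still noise.
    fixed = diagnose(OBSERVED_TXT + [report["expected"]], SAMPLE_TOKEN, SAMPLE_JWK)
    print("validates after publishing current value:", fixed["valid"])
```

A practitioner can feed `diagnose()` the real RRset from `dig TXT _acme-challenge.<domain>` together with the token and account JWK from the client's logs or storage to confirm whether a failure is stale records, propagation lag (the record is missing entirely), or a wrong account key. The stale records alone do not block issuance once the current value is present, which is consistent with the later successful issuance in this thread; they are, however, the ones that end up in the "Incorrect TXT record" message while the correct record is still absent.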

Hi @UltraBlackLinux,

Sorry, I do not know what went wrong or if the issue still persists.

I am just doing Observe and Describe in the hope of assisting you and other Community members in debugging your issue(s).

And with Firefox 144.0 (64-bit) on Windows 10 I do not see such an error.
I see

And no issues using Chrome Version 141.0.7390.77 (Official Build) (64-bit)

3 Likes

Yeah, earlier yesterday I removed a total of three ACME records manually. Frankly, I'm confused why they keep reappearing. Unfortunately, even after removing the dead ones, the Let's Encrypt challenge continued failing, so I assumed that this was an unrelated issue.

Regarding the SSL_ERROR_INTERNAL_ERROR_ALERT error: I only got that initially, that’s what I meant above. It apparently just took a few minutes to go away. No idea what that’s about.

Sorry for the late reply. I am on a 24 HOUR reply rate-limit…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.