
Generated _acme-challenge TXT record for domain ownership validation is sometimes not valid #597

Open
BearGFR opened this issue Feb 3, 2025 · 1 comment

BearGFR commented Feb 3, 2025

I'm using the package with the GoDaddy plugin.
I currently have 26 different domains registered with them. I have successfully used get-pacertificate to obtain Let's Encrypt certificates for several of my domains; however, I have found at least one domain for which the plugin does not generate a valid key that will pass muster for Let's Encrypt.
I ran 'get-pacertificate' with both -verbose and -debug enabled, and I was able to see that the TXT record was created successfully and matched what the debug trace showed it was going to create, yet when Let's Encrypt tried to use it to validate domain ownership, it was deemed invalid.

This is the TXT record that was added:

```
VERBOSE: Adding a new TXT record for _acme-challenge with value cmIDXjaUl7IeybnO3YeCeXeMeGfEukuWV4WXm8IK8SY
DEBUG: PUT https://api.godaddy.com/v1/domains/zresource.net/records/TXT/_acme-challenge
[{"data":"cmIDXjaUl7IeybnO3YeCeXeMeGfEukuWV4WXm8IK8SY","ttl":600}]
```

(I logged in to my account on GoDaddy and confirmed that the record was there and the contents matched the above.)

And the response from Let's Encrypt:

```
DEBUG: ACME Response:
{
  "identifier": {
    "type": "dns",
    "value": "zresource.net"
  },
  "status": "invalid",
  "expires": "2025-02-10T19:16:17Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2198783545/470547544175/FD_JMA",
      "status": "invalid",
      "validated": "2025-02-03T19:26:23Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"\" found at _acme-challenge.zresource.net",
        "status": 403
      },
      "token": "snlG5B1uR-eG8H37aKRW-cIuG4wxzXFKPPRfYA9cKTo"
    }
  ]
}
```

@rmbolger rmbolger self-assigned this Feb 5, 2025

rmbolger commented Feb 5, 2025

Hi @BearGFR, thanks for reaching out. The error message from LE indicates that no TXT record was found at all (as opposed to a wrong value which it would have shown if it was there). Have you tried increasing the DnsSleep time to see if this is just GoDaddy being slow to push the updates to the authoritative nameservers?

If not, try upping it to like 5 min using -DnsSleep 300 in your New-PACertificate command. You can also modify any existing order with Set-PAOrder -DnsSleep 300 and then try renewing it.

Another thing you can do is manually try verifying the record is queryable in another window while the sleep timer is still going. The NS records for your domain appear to be ns03.domaincontrol.com and ns04.domaincontrol.com. So you can run the following nslookup commands to check both.

```
nslookup -q=txt _acme-challenge.zresource.net. ns03.domaincontrol.com
nslookup -q=txt _acme-challenge.zresource.net. ns04.domaincontrol.com
```

It looks like the value from this log actually is there at the moment which implies the module didn't clean it up after the failure. Are you using the New-PACertificate command or some of the lower level commands in a custom script?
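The propagation check suggested above, automated so it can run in a second window while the DnsSleep timer is still going. This is an added example, not code from Posh-ACME or from either participant; the function name and its parameters are assumptions, and the domain and TXT value are the ones quoted in this thread.

```powershell
# Added example (not Posh-ACME code): poll every authoritative nameserver for the
# _acme-challenge TXT record and return $true only once all of them serve the
# expected value. Querying the domain's own NS set instead of the local recursive
# resolver avoids a cached "no such record" answer hiding a record that exists.
function Wait-AcmeTxtRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Expected,
        [int]$TimeoutSeconds  = 300,   # same order of magnitude as -DnsSleep 300
        [int]$IntervalSeconds = 15
    )
    $name = "_acme-challenge.$Domain"
    # Discover the authoritative servers (e.g. ns03/ns04.domaincontrol.com for GoDaddy)
    $servers = (Resolve-DnsName -Name $Domain -Type NS -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'NS' }).NameHost
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $missing = foreach ($ns in $servers) {
            try {
                # -DnsOnly skips hosts file / LLMNR; -Server forces the query at this NS
                $txt = Resolve-DnsName -Name $name -Type TXT -Server $ns -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'TXT' } |
                    ForEach-Object { $_.Strings -join '' }
            } catch { $txt = @() }   # NXDOMAIN / timeout: treat as "no record"
            if ($Expected -notin $txt) {
                # Report exactly what this NS returned; an empty result is the
                # same condition LE reports as: Incorrect TXT record "" found
                $seen = if ($txt) { $txt -join ',' } else { '<no TXT record>' }
                "{0}: {1}" -f $ns, $seen
            }
        }
        if (-not $missing) { return $true }
        Write-Verbose ("Not yet served by: " + ($missing -join '; '))
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Values taken from the log excerpts earlier in this thread
Wait-AcmeTxtRecord -Domain 'zresource.net' `
    -Expected 'cmIDXjaUl7IeybnO3YeCeXeMeGfEukuWV4WXm8IK8SY' -Verbose
```

A `$false` result after the timeout means at least one authoritative server still does not return the value, which points at the provider's propagation delay rather than at the record contents.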
