If you're using Let's Encrypt with a third-party public DNS provider that doesn't offer a mature API, you'll have to make sure the nameservers have propagated the newly created TXT record before your manual-auth script exits and returns control to LE. LE issues the challenge expecting the record to already exist. Depending on how the provider pushes updates, the challenge can fail; in fact it most likely will if propagation takes minutes, or even just 20 to 30 seconds.
This is part of a larger script that ensures your DNS record has propagated before returning control to LE. The way I construct TXT record names in that script (not shown here) lets something.something.something...example.com be chained for as many labels as a domain name allows, but here I'm manually setting the _acme-challenge. prefix, which always comes first regardless of the length.
Also note that I'm using 8.8.8.8 to gather the list of the provider's public NS servers for the domain example.com. This is an API problem solved in basic bash in just a few lines, but it guarantees that the challenge record is available. I'm using simple console logging here, but the output can be redirected to /var/log/letsencrypt, or wherever you like.
DOMAIN=example.com
TXT_RECORD_NAME=_acme-challenge.${SUBDOMAIN}   # SUBDOMAIN is set earlier in the larger script
CERTBOT_VALIDATION=${NONCE}                    # NONCE is the validation token handed over by certbot

# Only proceed if the public resolver used to discover the zone's nameservers is reachable.
if /usr/bin/nc -zv -w 1 8.8.8.8 53 &> /dev/null
then
    # Ask 8.8.8.8 for the zone's NS set; drop the ';' comment lines and keep the hostname column.
    for nameserver in $(/usr/bin/dig @8.8.8.8 ns "${DOMAIN}" | grep NS | grep -v '^;' | awk '{print $5}'); do
        echo "$(date) Starting lookup of challenge ${CERTBOT_VALIDATION} @${nameserver}"
        # Poll this authoritative server until it answers with a TXT record carrying our token.
        while :
        do
            echo "trying dig @${nameserver} txt ${TXT_RECORD_NAME}.${DOMAIN}"
            sleep 3
            # The grep in the condition prints the matching TXT line, so no second query is needed.
            if /usr/bin/dig @"${nameserver}" txt "${TXT_RECORD_NAME}.${DOMAIN}" | grep TXT | grep -- "${CERTBOT_VALIDATION}"
            then
                echo "$(date) Resolved for @${nameserver}"
                break
            fi
        done
    done
else
    echo "$(date "+%Y-%m-%d %T") ERROR from /data/scripts/<provider>/create_txt_record.sh: 8.8.8.8:53 out is not open for this server, put in a ticket." >> /var/log/letsencrypt/letsencrypt.log
    echo "$(date "+%Y-%m-%d %T") ERROR from /data/scripts/<provider>/create_txt_record.sh: If 8.8.8.8 is blocked you may also have to unblock the <provider> ns $(dig @8.8.8.8 ns "${DOMAIN}" | grep NS | grep -v '^;' | awk '{print $5}')" >> /var/log/letsencrypt/letsencrypt.log
fi
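The loop above waits forever if the provider never publishes the record, which leaves certbot hanging instead of failing with a useful error. Below is an added example (my own code, not the script from this post) of the same wait-for-propagation idea written as a standalone certbot --manual-auth-hook: it discovers the zone's NS set through 8.8.8.8, polls every authoritative server with dig +short, and gives up after a deadline so certbot sees a non-zero exit. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot really exports to the hook; RESOLVER, ZONE, TIMEOUT_SECS, POLL_SECS and the function names are my own assumptions. The dig calls are wrapped in two small functions so they can be swapped for canned answers when testing offline.

```shell
#!/bin/sh
# Added example, not the original post's script. Waits until an ACME DNS-01
# TXT record is visible on every authoritative nameserver, with a timeout.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to --manual-auth-hook;
# the remaining variables and function names are assumptions of this example.

RESOLVER="${RESOLVER:-8.8.8.8}"          # public resolver used only to find the NS set
TIMEOUT_SECS="${TIMEOUT_SECS:-300}"      # give up after this long
POLL_SECS="${POLL_SECS:-3}"              # pause between polls of one server

# Lookup wrappers (assumed helper names) so the DNS calls can be replaced in a test.
query_ns() {   # $1 = zone; prints one nameserver hostname per line
    dig +short @"$RESOLVER" NS "$1"
}
query_txt() {  # $1 = nameserver, $2 = fqdn; prints the quoted TXT strings
    dig +short @"$1" TXT "$2"
}

# Succeeds when the exact quoted token is in this server's TXT answer.
txt_present() {  # $1 = nameserver, $2 = fqdn, $3 = token
    query_txt "$1" "$2" | grep -F -- "\"$3\"" >/dev/null
}

# Poll each authoritative server until all serve the token or the deadline passes.
# Returns 0 on success, 1 on timeout, 2 when the zone has no NS records.
wait_for_txt() {  # $1 = zone, $2 = fqdn, $3 = token
    zone=$1; fqdn=$2; token=$3
    servers=$(query_ns "$zone")
    if [ -z "$servers" ]; then
        echo "$(date '+%Y-%m-%d %T') ERROR: no NS records found for $zone" >&2
        return 2
    fi
    deadline=$(( $(date +%s) + $TIMEOUT_SECS ))
    for ns in $servers; do
        until txt_present "$ns" "$fqdn" "$token"; do
            if [ "$(date +%s)" -ge "$deadline" ]; then
                echo "$(date '+%Y-%m-%d %T') TIMEOUT: $fqdn not visible on $ns" >&2
                return 1
            fi
            sleep "$POLL_SECS"
        done
        echo "$(date '+%Y-%m-%d %T') $ns serves $fqdn with the expected token"
    done
    return 0
}

# When certbot runs this file as the auth hook, the provider-specific part that
# creates the record (not shown) has already run; block here until it is live.
# ZONE defaults to CERTBOT_DOMAIN; set it to the delegated zone for subdomains.
if [ -n "${CERTBOT_VALIDATION:-}" ] && [ -n "${CERTBOT_DOMAIN:-}" ]; then
    wait_for_txt "${ZONE:-$CERTBOT_DOMAIN}" "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    exit $?
fi
```

Invoke it as certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/this.sh (after the provider-specific record creation step); a timeout makes certbot report the failure rather than sit on the challenge indefinitely.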