Can't generate the certificate

I am trying to generate a cert for my Zabbix server. I have Apache. When I try to generate the certificate with certbot I get an error. I have the host record on the DNS server.

My domain is:

I ran this command:

sudo certbot --apache

both error

Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.

Type: dns
Detail: DNS problem: NXDOMAIN looking up A for - check that a DNS record exists for this
domain; DNS problem: NXDOMAIN looking up AAAA for - check that a DNS record exists for this

Not on the zabbix subdomain

$ dig +short

It tells me the IP address of the server

Try using a public DNS server, like:
dig +short @
dig +short @
dig +short @


Same error

You can use tools like unboundtest to check:

Note the absence of ;; ANSWER SECTION:, compared to

I don't understand your answer.


I ran the cmd you wrote and I tried again.
Can't I generate a certificate because we have a website with a CA on our public IP address?

Yes you can get a certificate for a publicly resolvable domain name. Currently the domain name does not have any records associated with it, at least from the point of view of the internet.


You have an A record for the root domain and I see a website with an nginx server. That looks fine.

But, as noted, you do not have an A record for your zabbix subdomain. You need an A and/or AAAA (for IPv6) record for people to reach that domain from the public internet. You are also using an HTTP Challenge with the --apache plug-in, so you need an A and/or AAAA record for that.

You could instead use the DNS Challenge, but this is often more difficult to set up. And people on the public internet still will not be able to reach that zabbix subdomain without the A/AAAA records.

dig +noall +answer     189     IN      A

dig +noall +answer

I wanted to see the outputs of those commands.
[they don't fix anything]


Thank you for your answer.
Maybe I didn't understand anything.

One question: I thought the encryption DNS on OVH was for the internet access.
I don't want my Zabbix server to be open on the internet with the address

I just don't want to have the security message from the browser anymore, which doesn't recognize a self-signed certificate, by generating a certificate with Let's Encrypt.
Am I wrong?!


Then you cannot use the HTTP Challenge method to get a cert. The --apache method you chose uses this method.

Instead, you need to use a DNS Challenge. Certbot has support for OVH DNS

Please also read about the DNS Challenge that I linked to previously
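
The check the replies above do by eye (NXDOMAIN status, no ;; ANSWER SECTION:), as an added example that is not part of the original thread: a shell function that reads full dig output and reports which ACME challenge types can work for the name. The two sample outputs are constructed, and zabbix.example.com and 203.0.113.10 are placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread). Real use, with a resolver of your choice:
#   dig @<public-resolver> zabbix.example.com A | classify_dig

# Constructed sample: a public resolver's reply when no record exists.
sample_nxdomain() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;zabbix.example.com.            IN      A

;; AUTHORITY SECTION:
example.com.    300     IN      SOA     ns.example.com. hostmaster.example.com. 1 2 3 4 5
EOF
}

# Constructed sample: the same query once a public A record exists.
sample_public() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;zabbix.example.com.            IN      A

;; ANSWER SECTION:
zabbix.example.com.     189     IN      A       203.0.113.10
EOF
}

# Reads dig output on stdin; prints "<status> <address-records> <challenges>".
classify_dig() {
    awk '
        # Pull the response status (NOERROR, NXDOMAIN, ...) from the header line.
        /->>HEADER<<-/ { for (i = 1; i <= NF; i++) if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) } }
        # Track whether we are inside the ANSWER section; a blank line ends it.
        /^;; [A-Z]+ SECTION:/ { in_answer = ($2 == "ANSWER"); next }
        /^$/ { in_answer = 0 }
        in_answer && ($4 == "A" || $4 == "AAAA") { n++ }
        END {
            if (s == "") s = "UNKNOWN"
            # HTTP-01 needs a public A/AAAA record; DNS-01 only needs a TXT record in the zone.
            ok = (s == "NOERROR" && n > 0)
            printf "%s %d %s\n", s, n, (ok ? "http-01,dns-01" : "dns-01")
        }'
}

sample_nxdomain | classify_dig
sample_public | classify_dig
```

Run it against a resolver outside your own network: an internal DNS server can answer for a name that the public internet, and therefore the Let's Encrypt validation servers, cannot resolve.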

