Certbot Error DNS problem: NXDOMAIN

Hi community

We are having some problems with the certbot process. Above I put all the details. As we read about some similar problems, it looks like the problem is in our DNS zone file, so I put the output of this.

DNS zone file
@ 10800 IN A
blog 10800 IN CNAME blogs.vip.gandi.net.
imap 10800 IN CNAME access.mail.gandi.net.
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.
webmail 10800 IN CNAME webmail.gandi.net.
www 10800 IN CNAME webredir.vip.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN MX 10 spool.mail.gandi.net.

Full Domain name: facceso.org
OS Ubuntu 16.04 + nginx
Hosting provider Gandi.net
command line: certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: www.faccesso.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.faccesso.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.faccesso.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.faccesso.org


  • The following errors were reported by the server:

    Domain: www.faccesso.org
    Type: connection
    Detail: DNS problem: NXDOMAIN looking up A for www.faccesso.org

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

We will appreciate any help.


Looks like it’s just a typo. You say your domain is facceso.org which exists, but told certbot to issue a certificate for faccesso.org (note the extra s) which does not exist.


Beyond the typo, you’re probably going to have a different problem: you probably can’t get a certificate using TLS-SNI-01 validation when the website is pointing to a Gandi operated domain parking server, like it is now. You would probably have to change the A/AAAA/CNAME record(s) to point directly to your actual server.

Redirect services may or may not work with HTTP-01 validation, depending on how it’s set up.

You could always use DNS-01 validation, but I don’t know if Gandi has an API for automating that, or how many clients support it.

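The two replies above (a requested name that is not in the zone, and a `www` record that points at a Gandi redirect host) can both be caught before the ACME client runs. The following is an added example, not code from the thread or from certbot: it parses a subset of the posted zone and classifies each requested name. The function names are hypothetical, and the apex address is a placeholder because the post omits it.

```python
import difflib

ORIGIN = "facceso.org"
# Subset of the zone from the post. 192.0.2.10 is a constructed placeholder
# (documentation range): the original post leaves the apex A value blank.
ZONE = """\
@ 10800 IN A 192.0.2.10
blog 10800 IN CNAME blogs.vip.gandi.net.
www 10800 IN CNAME webredir.vip.gandi.net.
@ 10800 IN MX 10 spool.mail.gandi.net.
"""

def parse_zone(text, origin):
    """Return {fqdn: [(rtype, target), ...]} for 'owner ttl IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank, malformed or value-less lines
        owner, rtype, target = parts[0], parts[3], parts[-1].rstrip(".")
        fqdn = origin if owner == "@" else f"{owner}.{origin}"
        records.setdefault(fqdn, []).append((rtype, target))
    return records

def preflight(name, records, origin):
    """Classify a requested certificate name against the zone: (status, reason)."""
    name = name.lower().rstrip(".")
    if name not in records:
        # A near match usually means a typo in the name given to the client.
        near = difflib.get_close_matches(name, list(records), n=1, cutoff=0.8)
        hint = f"; did you mean {near[0]}?" if near else ""
        return ("missing", f"{name} is not in the zone, expect NXDOMAIN{hint}")
    for rtype, target in records[name]:
        inside = target == origin or target.endswith("." + origin)
        if rtype == "CNAME" and not inside:
            return ("external", f"{name} is a CNAME to {target}; validation "
                    "connects to that host, not to your own server")
    if any(rtype in ("A", "AAAA") for rtype, _ in records[name]):
        return ("ok", f"{name} has an address record")
    return ("missing", f"{name} has no A/AAAA/CNAME record")

if __name__ == "__main__":
    recs = parse_zone(ZONE, ORIGIN)
    for requested in ("www.faccesso.org", "www.facceso.org", "facceso.org"):
        print(preflight(requested, recs, ORIGIN))
```

This only inspects the zone text; it does not query DNS, so a record that has not yet propagated will still show as present.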

Indeed it was a typo, but there were also problems with the DNS zone file, so I edited it and am now waiting.

Thanks, I will let you know

Indeed there were both errors. Thanks, it is working just fine.
