Certbot with BIND9 & dns-rfc2136

My domain is: internal dns, wcl.net

I ran this command: certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ~/certbot.ini -d wcl.net

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for wcl.net
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. wcl.net (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wcl.net - check that a DNS record exists for this domain

 - The following errors were reported by the server:

   Domain: wcl.net
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.wcl.net - check that a DNS record exists for this

My web server is (include version): certonly

The operating system my web server runs on is (include version): Debian

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is 0.31.0

In the logs and in “dig” I can see that the _acme-challenge TXT record is added successfully; however, certbot is still failing. Is it a bug or am I doing something wrong?

Full bind & dig logs and bind9 conf files: http://paste.openstack.org/show/796668/


Have you delegated the _acme-challenge.wcl.net zone from the ns{1,2,3}.livedns.co.uk nameservers to your ns{1,2}.wcl.net nameservers somehow? I can’t see it.



Thank you very much for the quick response. Since I am not very experienced with DNS and stuff… can you please clarify how I can delegate my internal DNS NS to livedns? Thank you


Well, what I mean is, according to your domain registrar, your domain’s nameservers are:

wcl.net.                172800  IN      NS      ns1.livedns.co.uk.
wcl.net.                172800  IN      NS      ns2.livedns.co.uk.
wcl.net.                172800  IN      NS      ns3.livedns.co.uk.

When Let’s Encrypt looks up the _acme-challenge.wcl.net domain, it’s going to ask those nameservers for the record.

Of course, those nameservers weren’t told about the record you just created, so predictably, they say the record doesn’t exist.

Question is, what do you want to do? You obviously had some plan going into this, could you elaborate upon what it was?

It’s sort of hard to read what your intention was because there’s a lot of private hosts and IPs involved.

I guess the immediate issue is: the record is not found because the DNS lookup is done from the public internet (via livedns), not from your internal network (via ns1,ns2.wcl.net).
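To make the delegation point above concrete, here is a small model of how a public resolver such as Let's Encrypt's finds the _acme-challenge TXT record: it starts at the nameservers the registrar publishes (the livedns servers from the dig output) and only follows an NS delegation downward if one exists. This is an added example written for this thread, not code from certbot, BIND or any poster; the zone contents, IP addresses, the token value and the `reachable` flag (standing in for a nameserver that only answers from inside the VPN) are all constructed.

```python
"""Iterative lookup of _acme-challenge.wcl.net TXT, following NS delegations.

Constructed example for this thread. Names (wcl.net, ns{1,2,3}.livedns.co.uk,
ns1/ns2.wcl.net) come from the posts; all record data is made up.
"""
from dataclasses import dataclass

CHALLENGE = "_acme-challenge.wcl.net"
TOKEN = "constructed-token-value"  # stands in for the ACME key authorization digest
REGISTRAR_NS = ["ns1.livedns.co.uk", "ns2.livedns.co.uk", "ns3.livedns.co.uk"]


@dataclass
class NameServer:
    zones: dict              # zone apex -> {owner name: {rtype: [rdata, ...]}}
    reachable: bool = True   # False: only answers over the VPN, so public lookups time out


def query(ns, qname, qtype):
    """One authoritative query. Returns (rcode, answers, referral_ns_names)."""
    if not ns.reachable:
        return ("TIMEOUT", [], [])
    apex = next((a for a in ns.zones if qname == a or qname.endswith("." + a)), None)
    if apex is None:
        return ("REFUSED", [], [])
    zone = ns.zones[apex]
    labels = qname.split(".")
    # An NS rrset below the apex at or above qname is a zone cut: answer with a referral.
    for i in range(len(labels)):
        cut = ".".join(labels[i:])
        if cut != apex and "NS" in zone.get(cut, {}):
            return ("NOERROR", [], zone[cut]["NS"])
    rrsets = zone.get(qname)
    if rrsets is None:
        return ("NXDOMAIN", [], [])  # name does not exist in this zone
    return ("NOERROR", rrsets.get(qtype, []), [])


def resolve(servers, start_ns, qname, qtype, max_hops=8):
    """Ask the registrar-published servers first, follow referrals downward.

    Returns (rcode, answers, trace); trace lists (server, rcode) per query.
    """
    names, trace = list(start_ns), []
    for _ in range(max_hops):
        outcome = None
        for name in names:
            rcode, answers, referral = query(servers[name], qname, qtype)
            trace.append((name, rcode))
            if rcode == "TIMEOUT":
                continue              # try the next server in the NS set
            outcome = (rcode, answers, referral)
            break
        if outcome is None:
            return ("SERVFAIL", [], trace)   # no server in the set answered
        rcode, answers, referral = outcome
        if referral:
            names = referral                 # delegation: go one level down
            continue
        return (rcode, answers, trace)
    return ("SERVFAIL", [], trace)


def public_zone(delegate):
    """wcl.net as served by livedns; with delegate=True it hands the challenge
    name down to the internal servers and carries glue so they can be found."""
    z = {"wcl.net": {"NS": REGISTRAR_NS}, "www.wcl.net": {"A": ["192.0.2.10"]}}
    if delegate:
        z[CHALLENGE] = {"NS": ["ns1.wcl.net", "ns2.wcl.net"]}
        z["ns1.wcl.net"] = {"A": ["192.0.2.53"]}   # glue, constructed
        z["ns2.wcl.net"] = {"A": ["192.0.2.54"]}
    return {"wcl.net": z}


def internal_zone():
    """wcl.net on the internal BIND after certbot's RFC 2136 update added the TXT."""
    return {"wcl.net": {"wcl.net": {"NS": ["ns1.wcl.net", "ns2.wcl.net"]},
                        CHALLENGE: {"TXT": [TOKEN]}}}


def lookup_challenge(delegate, internal_reachable):
    """Simulate Let's Encrypt's lookup under one delegation / reachability setup."""
    servers = {n: NameServer(public_zone(delegate)) for n in REGISTRAR_NS}
    for n in ("ns1.wcl.net", "ns2.wcl.net"):
        servers[n] = NameServer(internal_zone(), reachable=internal_reachable)
    return resolve(servers, REGISTRAR_NS, CHALLENGE, "TXT")


if __name__ == "__main__":
    for label, args in [("no delegation (this thread)", (False, True)),
                        ("delegated, internal NS public", (True, True)),
                        ("delegated, internal NS VPN-only", (True, False))]:
        rcode, answers, trace = lookup_challenge(*args)
        print(f"{label}: {rcode} {answers} via {trace}")
```

The first case reproduces the NXDOMAIN in the original post: livedns is authoritative for wcl.net, has never heard of the TXT the internal BIND just added, and says so. The second case is what "delegate _acme-challenge.wcl.net" means: NS records (plus glue) at livedns that send the resolver on to ns1/ns2.wcl.net, which then return the TXT. The third case is the catch for an internal-only setup: the delegation exists, but if ns1/ns2.wcl.net only answer from inside the VPN the public lookup times out on every server in the set and fails anyway.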


My intention was very simple - I implemented a bind9 DNS server on my bare metal machine and wanted to generate proper SSL certs using certbot with the RFC 2136 plugin & DNS challenge… to use for my internal domains lol, which I will be able to access via VPN… but as I understand it, that’s not something you can actually do that simply
