Challenge fail DNS-01 with sub domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
the domain point to another IP
i do setup route53 with my domain a text record follow the key that the command generate

I ran this command: certbot-auto certonly --manual --preferred-challenges dns -d *

It produced this output: challenge fail for domain

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.4.0

1 Like

Hi @truongdqse03303

there is an older check of your domain, three days old -

The #txt part looks ok. Rechecked your domain, there is a new TXT entry, no wrong created entry.

Your name servers are ok. Same with Unboundtest -

What’s the exact error?

Perhaps the update of your name servers is too slow. If there is a parameter to wait, increase that parameter.


hi sir @JuergenAuer

here is the exact error in the log file:
2020-05-22 18:09:13,078:DEBUG:acme.client:Storing nonce: 0102r021rbeESg4xD-f7QNUysfX7wMcqBNzfolSgWZx8_14
2020-05-22 18:09:13,079:INFO:certbot._internal.auth_handler:Performing the following challenges:
2020-05-22 18:09:13,079:CRITICAL:certbot._internal.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
2020-05-22 18:09:13,079:DEBUG:certbot._internal.log:Exiting abnormally:

when i ran the command i got a new value of txt entry so i apply it to my route53, at the first time i thought it was not updated yet but i tried the second time while waiting for 10mins more and check in the website, but still fail
did i miss something here?
ty sir for reply

1 Like

If you use that command

it’s impossible to have that error. --manual should always work.

But you can’t combine certbot-auto with a dns plugin, then this error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. 

is expected.

So use --manual and wait longer with the next step.


Your domain isn’t using Route 53.            900     IN      NS            900     IN      NS            900     IN      NS

You need to set up the validation DNS records at the DNS service that queries from the Internet go to.

Changing the subject, it’s recommended to use Let’s Encrypt with automated renewal, which you can’t do when you’re using manual validation.

Do you really need a wildcard? If you don’t, it might be easier to use HTTP validation.

If you really do need to a wildcard, it would be best if you can set up automated DNS validation. (Route 53 supports it, but the Route 53 plugin for Certbot is not available on all OSes.)

What OS (including version) are you using?

hi sir @mnordhoff
the domain point to diffirent IP with the domain i’m trying to encrypt now is and use route53 for this, but im plan to do the domain later.
And yes, i really need to a wildcard, im using Centos 6 now.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.