CNAME DNS pointing to PRIVATE domain name

CNAME algo-app.joinwaterlily.comn points to a private domain. How can I install the SSL cert in this instance? It looks like the tools are trying to validate the domain, which is not going to happen in this setup...

My domain is:

I ran this command:

sudo certbot --nginx

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for - check that a DNS record exists for this domain

My web server is (include version): nginx version:


The operating system my web server runs on is (include version):

Amazon Linux 2023
Linux 6.1.61-85.141.amzn2023.x86_64

My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don't know):


I'm using a control panel to manage my site (no, or provide the name and version of the control panel):


The version of my client is:

certbot 2.7.4

Yes, an HTTP Challenge requires something to respond to that coming from the Let's Encrypt servers over the public internet.

But, there are lots of ways to deal with private servers. One of which is to use the DNS Challenge. These are often harder to automate and depend on your DNS provider supporting an API, and on the ACME client (like Certbot) supporting it.

It looks like you use GoDaddy (yes?) and I think certbot supports that now but not sure exactly. Someone else may know. You could use (see their GitHub) which does support it.


Well, yes. Does this strike you as odd? :slight_smile: A publicly trusted CA needs to verify a publicly accessible hostname. Whether that's through connecting to a public IP address using the http-01 or tls-alpn-01 challenge or resolving a specific TXT resource record on the public DNS using the dns-01 challenge, that's up to the user :slight_smile: (When talking about the ACME protocol; non-automated CAs might have other verification processes.)
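The two replies above explain why http-01 and tls-alpn-01 cannot succeed for a name that resolves only to a private address, and why dns-01 still can. The script below is an added example, not code from the original thread or from Certbot: it takes what a hostname resolves to and reports which challenge types can work, and it derives the `_acme-challenge` TXT name and value for dns-01 as defined in RFC 8555 (key authorization in section 8.1, TXT value in section 8.4). The hostnames, addresses, token and thumbprint are constructed sample values; the address table stands in for a real resolver so the script runs offline.

```python
import base64
import hashlib
import ipaddress

# Constructed sample resolutions (assumption: stand-in for socket.getaddrinfo()
# results). The first name mirrors the thread's situation: it resolves only to
# an RFC 1918 address, so the CA can never reach it over the public Internet.
SAMPLE_RESOLUTIONS = {
    "app.example.internal-only.test": ["10.0.12.34"],
    "www.example.test": ["203.0.113.10", "2001:db8::10"],
    "nxdomain.example.test": [],   # no A/AAAA at all, like the NXDOMAIN in the question
}

# Ranges a publicly trusted CA cannot connect to for http-01 / tls-alpn-01.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 unique local
)]


def classify_addresses(addresses):
    """Return 'none', 'private' or 'public' for a list of address strings.

    A single private address is enough to count the name as unreachable: the CA
    picks whichever record it likes, so every address must be reachable.
    """
    if not addresses:
        return "none"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in PRIVATE_NETS):
            return "private"
    return "public"


def recommend_challenge(hostname, resolutions=SAMPLE_RESOLUTIONS):
    """Map what the name resolves to onto the ACME challenge types that can succeed.

    http-01 and tls-alpn-01 require the CA to connect to the host over the
    public Internet. dns-01 only requires a TXT record in the public DNS zone,
    so it works for names that resolve to private addresses or not at all.
    """
    kind = classify_addresses(resolutions.get(hostname, []))
    if kind == "public":
        return ["http-01", "tls-alpn-01", "dns-01"]
    return ["dns-01"]


def key_authorization(token, account_key_thumbprint):
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{account_key_thumbprint}"


def dns01_txt_record(domain, token, account_key_thumbprint):
    """RFC 8555 section 8.4: the record to publish for a dns-01 challenge.

    Name:  _acme-challenge.<domain>
    Value: base64url(SHA-256(keyAuthorization)) with padding stripped
    """
    ka = key_authorization(token, account_key_thumbprint).encode("ascii")
    digest = hashlib.sha256(ka).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"_acme-challenge.{domain}", value


if __name__ == "__main__":
    for host in SAMPLE_RESOLUTIONS:
        print(f"{host}: usable challenges -> {recommend_challenge(host)}")
    # Constructed token and thumbprint (assumption: not real ACME values).
    name, value = dns01_txt_record(
        "app.example.internal-only.test",
        "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
        "nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzEt62jcerQ",
    )
    print(f"publish TXT {name} = {value}")
```

Because the TXT value is a digest of the token and the account key thumbprint, only the holder of the ACME account key that received the token can produce it; that is the difference between "a record exists under this name" and "the requester controls this zone".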


Not odd so much as "not matching my hopes". :wink:

I appreciate the explanations and will look into using DNS verification.

Back to my hopes... since the purpose of a cert is to validate the domain to the certificate, I don't see a technical reason why the address the CNAME resolves to needs to be publicly accessible. As long as the CNAME exists I would think that's enough (assuming they've validated that we own the domain already). Before I knew about the other options I was thinking of adding a public IP, validating the SSL cert and installing it, then changing the CNAME to point to a private IP again. The SSL cert would still be valid in that case (right?). Assuming so, then the initial validation doesn't seem necessary.

But that's just hypothetical. The validation works the way it does so I'll have to look into the other options. Glad they are available.

Thanks all!


The validity of a certificate is independent of DNS.
DNS only helps us to know where the site that would be using that cert can be found.

The existence of a CNAME record is not enough proof of ownership/control.
That CNAME record would exist there no matter who made the request for that cert.
By that I mean, should LE also grant my request of a cert for your domain name?
[because I can also claim that a CNAME exists]

