CNAME or TXT record required for DNS validation?

My domain is:

I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/ --preferred-challenges dns --debug-challenges --cert-name -d * -d

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for * and
Hook '--manual-auth-hook' for ran with output:
Please add the following CNAME record to your main DNS zone: CNAME

Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for this domain

Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 18.04

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

I was asked to create a CNAME record which I did. After hitting , the request failed saying that it couldn't find a TXT record. What is it that it needs? A CNAME record, or a TXT record?

The DNS-01 challenge works with TXT records. The Certificate Authority generates a random token (the challenge), which must be placed in DNS to proof ownership of the domain. This is an ephemeral process that must be repeated for each challenge (i.e. on each renewal) as they all use unique tokens.

CNAME's are the "redirects" of the DNS protocol. They can be used to tell a resolver "look elsewhere for this data". So if you do not want or cannot place a TXT record in your main DNS (at, you can redirect that (via CNAME) to a different DNS zone which answers with the TXT record.

This is what johoii's acme-dns does. It asks you to redirect the challenge FQDN (_acme-challenge...) to a different zone with a different nameserver (which is the acme-dns server) which then responds with the TXT record.

Looking at your dns (dig we can see the CNAME to the hosted acme-dns service, which is good. The NXDOMAIN error means that Let's Encrypt was unable to find a TXT record after following the CNAME, so possibly there was a problem with adding the challenge to the hosted acme-dns service.


Thanks. Though it was something I was missing. I cleared the domain from acmedns.json and retried and it worked.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.