CNAME Unknown for certbot renew

I successfully registered using DNS-01 challenge. When I created the cert using certbot, it returned values for a CNAME record. There was already a cert created for which used http method. When I try to renew, it does not find a CNAME record for which I know that I did not add as it was originally created by http challenge. Is there a way to retrieve the value for a cname record for or create a new challenge so it tells me what the CNAME record is? Not sure how to fix my issue. We prefer the DNS challenge as this server cannot be publicly accessible for http challenge.

My domain is:

I ran this command:
certbot renew --dry-run --debug-challenges -v

It produced this output:

Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for
this domain

My web server is (include version): Nginx

The operating system my web server runs on is (include version): AWS Linux 2

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Welcome to the Let's Encrypt Community, Kim :slightly_smiling_face:

A dns-01 challenge requires creation of a TXT record. It is possible to use a CNAME record to delegate the challenge elsewhere (usually to a subdomain of an entirely different domain name). This is how acme-dns works, which is what you currently have set up. You can see this with dig.

Based on the certificate history for, there have been five duplicate certificates created today alone that cover only This hits the rate limit of 5 duplicate certificates within a rolling week.

The TXT is created by certbot/letsencrypt. When I ran the original certbot certonly --manual --manual-auth-hook /etc/letsencrypt/ --preferred-challenges dns --debug-challenges -d it output a CNAME record for which I need to add to my DNS. Letsencrypt controls that TXT record as it is their domain. They just provide me with a CNAME. Common trick by apps such as DKIM. My problem is now I want to renew my other cert which points to a domain that was not used with DNS challenge. If there was a method to force re-authorization, I could probably make it work. I do not know how to force Letsencrypt to generate a TXT record for It is also strange that there are 2 TXT records for my dev2 domain.

Yep. :slightly_smiling_face:

Correct. It certainly exists in my screenshot above (for dev2). :slightly_smiling_face:

Nope. That domain ( is controlled by @joohoi, one of the certbot developers.

You could just create another CNAME record with for the host (left side) and the same value (right side) you used for This should allow you to just keep using the same credentials and the same certbot command structure:

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/ --preferred-challenges dns --debug-challenges -d

Probably just didn't get cleaned up properly at some point. Likely the last couple of attempts failed due to hitting the rate limits. Might be related.

If you really want to start over for a certificate in certbot, you can identify the certificate's name using:

certbot certificates

I'm assuming that the certificate in question here is probably named

Then you can delete the certificate with:

certbot delete --cert-name name

After that, when you try to acquire a certificate for again, it will be as it was the very first time.

Thanks for helping. I had already tried deleting the cert and duplicating the CNAME but using dev. A new cert is always created with no errors using the dns challenge but when I run a certbot renew --dry-run, dev fails on challenges but dev2 is successful.
... error
Type: unauthorized
Detail: Incorrect TXT record
"4GclrWyJdvpgKgv764UvVZX7H43rwVIBuqnSp56txOA" (and 1 more) found at

I suspect that the certbot renewal configuration file for dev is incorrect. Try comparing it with the file for dev2.

Does certbot specify a different CNAME for dev when you run it?

You might want to run certbot certificates to see if you have other certificates (that can overlap domain names) that might be interfering. They can most likely just be deleted using certbot delete per the instructions I already mentioned.

Keep in mind that certbot renew will try to renew every certificate, including those that are no longer needed.

That is my main problem. I never got a CNAME value for as it was originally created using http challenge. The renewal conf files are identical for both other than domain. Certbot certificates only shows my 2 certificates. I will try to create a certificate on a new server with in the hopes it gives me a cname record.

OK, I figured it out. I was able to pull out the CNAME from /etc/letsencrypt/acmedns.json. It is stored in the fulldomain field in that file. I added the CNAME and now it works.
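An added example, not from any poster in this thread and not part of certbot or acme-dns: it reads the per-domain registrations the acme-dns hook keeps in acmedns.json (assumed to be keyed by domain, each record carrying the fulldomain field mentioned above), derives the _acme-challenge CNAME each certificate domain needs, and checks them against the CNAMEs you observe in DNS, flagging a domain that was never registered (the dev case here), a missing CNAME, or a CNAME pointing at the wrong acme-dns name. Domain names, UUIDs and the password are constructed placeholders.

```python
import json

# Constructed stand-in for /etc/letsencrypt/acmedns.json. The acme-dns hook
# stores one registration per validated domain; only "fulldomain" matters for
# the CNAME. Note that dev.example.com has no entry, as in this thread.
SAMPLE_ACMEDNS_JSON = json.dumps({
    "dev2.example.com": {
        "username": "00000000-0000-0000-0000-000000000000",
        "password": "placeholder-password",
        "fulldomain": "11111111-1111-1111-1111-111111111111.auth.acme-dns.io",
        "subdomain": "11111111-1111-1111-1111-111111111111",
        "allowfrom": [],
    }
})


def required_cnames(acmedns_json_text):
    """Map each _acme-challenge.<domain> name to the acme-dns fulldomain it
    must be a CNAME for, based on the registrations in acmedns.json."""
    registrations = json.loads(acmedns_json_text)
    return {f"_acme-challenge.{domain}": reg["fulldomain"]
            for domain, reg in registrations.items()}


def check_delegation(domains, acmedns_json_text, observed_cnames):
    """Compare the CNAMEs certbot needs for `domains` with what DNS serves.

    `observed_cnames` maps _acme-challenge names to the CNAME target found in
    DNS (e.g. from dig); trailing dots are ignored. Returns a dict of problems
    keyed by challenge name; an empty dict means every domain is delegated
    correctly."""
    wanted = required_cnames(acmedns_json_text)
    problems = {}
    for domain in domains:
        name = f"_acme-challenge.{domain}"
        expected = wanted.get(name)
        actual = observed_cnames.get(name)
        if expected is None:
            # The hook never registered this domain: certbot cannot know a
            # CNAME value for it until a registration exists.
            problems[name] = "no acme-dns registration in acmedns.json"
        elif actual is None:
            problems[name] = f"missing CNAME; add {name} CNAME {expected}"
        elif actual.rstrip(".") != expected.rstrip("."):
            # Delegated to a different acme-dns name: the TXT written there
            # will never match, giving an "Incorrect TXT record" failure.
            problems[name] = f"CNAME points at {actual}, registration says {expected}"
    return problems
```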
