DNS challenge isn't working as expected

My domain is: tierraclimate.dev

I ran this command: certbot -d tierraclimate.dev --manual --preferred-challenges dns certonly

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:


with the following value:


Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.tierraclimate.dev.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: tierraclimate.dev
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.tierraclimate.dev - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): 18.04.6 LTS (Bionic Beaver)

My hosting provider, if applicable, is: I'm using google as my domain registrar, and digital ocean as my server provider/nameservers

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.31.0

To summarize my issue: I'm puzzled by the results of certbot (_acme-challenge.tierraclimate.dev). I created a txt record with the specified value and using the google admin tool box dig I see what appears to be the expected result. I'm fairly new to this kind of web development so I may be missing something obvious, but I'm definitely a bit stuck.

Thanks in advance for any help!

Have you considered using Welcome to certbot-dns-digitalocean’s documentation! — certbot-dns-digitalocean 0 documentation instead of doing this manually?

The manual approach will require you to repeat these steps every 60-90 days, whereas the DigitalOcean Certbot plugin will do this automatically for you.

It seems likely that you did not wait long enough for the record to propagate to each of the DigitalOcean nameservers. Sometimes one or more nameservers can lag behind. The online tools can sometimes give a misleading result.

But please, please, try the automatic plugin.

If you installed Certbot with snap, you can do:

snap install certbot-dns-digitalocean

and then follow the instructions on the link I posted above.


Will do! thanks for the heads up about that tool/guide, I missed that I think.

1 Like

Also, for anyone who stumbles upon this issue: What fixed my specific problem was

  1. Create the new TXT record with a relatively short TTL (I did 5 minutes)
  2. Wait more than the required time (ie 10 minutes to be safe)
  3. confirm that on google dig only the right code gets returned
  4. try again
1 Like

For future reference, the record's TTL is not related to how long it takes for the DNS provider to propagate the records. That value is only used by normal caching resolvers to determine how long to cache a previous result. But the Let's Encrypt validation servers are only configured to cache for the lesser of either the TTL value or 60 seconds.

As long as the record contains the correct code for the challenge being validated, it can also contain other codes too. In some cases (like certs with both a wildcard and apex domain name), it will actually need to have two different values in the same record.

Also, querying Google's public resolver is not ideal because it can provide stale results. The only thing that matters is that all of your authoritative nameservers are responding correctly. In your case, that would be ns1(2)(3).digitalocean.com. So:

dig _acme-challenge.tierraclimate.dev txt @ns1.digitalocean.com
dig _acme-challenge.tierraclimate.dev txt @ns2.digitalocean.com
dig _acme-challenge.tierraclimate.dev txt @ns3.digitalocean.com

But even this is not foolproof if your authoritative nameservers are using anycast against multiple geographically dispersed back end nameservers.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.