I have the following issue with Certbot on an internal website:
Challenge failed for domain ntop.mgmt.ad.mydomain.fr
http-01 challenge for ntop.mgmt.ad.mydomain.fr
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
ntop.mgmt.ad.mydomain.fr - check that a DNS record exists for this
domain
But this domain exists:
dig a ntop.mgmt.ad.mydomain.fr
;; ANSWER SECTION:
ntop.mgmt.ad.mydomain.fr. 3600 IN A 10.1.40.112
How does Certbot make the DNS request? In fact there are two DNS zones: a public one (mydomain.fr) on public DNS servers and a private one (ad.mydomain.fr) on my private DNS servers. The second is used as the Active Directory domain. Is this the problem, and how do I resolve it?
The DNS request that matters here is made by the Let's Encrypt CA, from its own data centers, not by Certbot.
Certbot is connecting to an API provided by the CA, and asking the CA to check that you really control the domain. The CA responds by trying to do this (from outside of your network); if it succeeds, it will give a certificate over the API, which Certbot can then save into a file.
You can learn more about this validation process at
or more about the difference between the Let's Encrypt client (like Certbot) and server (the certificate authority) at
This means you will indeed have to figure out how to make the public DNS entries refer to a reachable version of your server (or use the DNS challenge method, in which the public DNS entries must be updated with TXT records provided by the CA).
You can't get a certificate (from LE) that certifies an IP.
You can get a cert that certifies an FQDN [which can resolve to any IP - public or private].
If the server can't be reached via the Internet IP, then certbot won't be able to use HTTP authentication to obtain a cert.
That leaves you with DNS authentication...
If you can add TXT records to the DNS zone of the requested FQDN, then you can use DNS authentication to validate the cert request.
[DNS authentication can be more complicated to automate than HTTP authentication - but worth it]
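As an added example, not written by anyone in this thread, this computes the TXT record that the DNS challenge mentioned in the two replies above asks for, following RFC 8555 (dns-01) and RFC 7638 (JWK thumbprint): the owner name is the FQDN prefixed with _acme-challenge, and the value is derived from the CA-issued token and the ACME account key. The token and the RSA JWK below are constructed placeholders, not real ACME data.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple

# Members that RFC 7638 includes in the thumbprint input, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: Dict[str, str]) -> str:
    """RFC 7638 canonical form: only the required members, keys sorted
    lexicographically, no whitespace. Optional members like 'alg' drop out."""
    members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """base64url(SHA-256(canonical JSON)) of the ACME account public key."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def dns01_record(fqdn: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Owner name and TXT value the CA looks up for a dns-01 challenge
    (RFC 8555 section 8.4): key authorization = token '.' thumbprint,
    TXT value = base64url(SHA-256(key authorization))."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authz.encode("ascii")).digest())
    # The CA resolves this name from the public Internet, so it must be
    # answerable from the public zone, not only from the internal one.
    return f"_acme-challenge.{fqdn.rstrip('.')}.", value


def txt_present(published: Tuple[str, ...], expected: str) -> bool:
    """True when the expected value is among the TXT strings seen at the name;
    several values may coexist (one per name being validated)."""
    return any(v.strip('"') == expected for v in published)


# Constructed sample inputs (placeholders, not real ACME data): the token
# and the account's RSA public JWK would come from the ACME exchange.
SAMPLE_TOKEN = "sample-token-from-the-ca"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus", "alg": "RS256"}

if __name__ == "__main__":
    name, value = dns01_record("ntop.mgmt.ad.mydomain.fr", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name} 300 IN TXT "{value}"')
```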
OK, in this case what is the format of the TXT records? Can I add this RR on the parent domain (mydomain.fr), or do I need to create a temporary child domain (in our case mgmt.ad.)?