DNS issue with split domain

Hi there,

I have the next issue with certbot with an internal website :

Challenge failed for domain ntop.mgmt.ad.mydomain.fr
http-01 challenge for ntop.mgmt.ad.mydomain.fr

Type:   dns
Detail: DNS problem: NXDOMAIN looking up A for
ntop.mgmt.ad.mydomain.fr - check that a DNS record exists for this

But this domain exist :

dig a ntop.mgmt.ad.mydomain.fr
ntop.mgmt.ad.mydomain.fr.	3600	IN	A

How certbox make the DNS request ? In fact there two DNS zone a public (mydomain.fr) on public DNS servers and a private (ad.mydomain.fr) on my private DNS servers. The second is used as active directory domain. Is this the problem and how to resolve ?



Hi @jquintard,

The DNS request that matters here is made by the Let's Encrypt CA, from its own data centers, not by Certbot.

Certbot is connecting to an API provided by the CA, and asking the CA to check that you really control the domain. The CA responds by trying to do this (from outside of your network); if it succeeds, it will give a certificate over the API, which Certbot can then save into a file.


Hi @jquintard

your domain name is required if you want help.


a private ip address.

Your domain must have a public ip address if you want to use http validation.

1 Like

You can learn more about this validation process at

or more about the difference between the Let's Encrypt client (like Certbot) and server (the certificate authority) at

This means you will indeed have to figure out how to make the public DNS entries refer to a reachable version of your server (or use the DNS challenge method, in which the public DNS entries must be updated with TXT records provided by the CA).


I see:

Name:    ntop.mgmt.ad.mydomain.fr

There is a TCP port 80 response heard from that IP:

curl -Iki
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2021 20:56:41 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1

Ok and if I want a certificate with a private IP, is this possible with certbot ? Do you have another challenge for that ?

1 Like

You can't get a certificate (from LE) that certifies an IP.
You can get a cert that certifies an FQDN [which can resolve to any IP - public or private].
If the server can't be reached via the Internet IP, then certbot won't be able to use HTTP authentication to obtain a cert.
That leaves you with DNS authentication...
If you can add TXT records to the DNS zone of the requested FQDN, then you can use DNS authentication to validate the cert request.
[DNS authentication can be more complicated to automate than HTTP authentication - but worth it]


Please read the documents @schoen has shared.


Ok is this case what is the format of the TXT records ? Can I add this RR on the parent domain (mydomain.fr) or do I need to create a temporary child domain (in our case mgmt.ad.).

1 Like

Please take the time to read what has already been provided.


I'am sorry I'm in a hurry. I read your document. Thanks a lot for the explaination.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.