DNS issue with split domain

jquintard · February 24, 2021, 8:21pm

Hi there,

I have the next issue with certbot with an internal website :

Challenge failed for domain ntop.mgmt.ad.mydomain.fr
http-01 challenge for ntop.mgmt.ad.mydomain.fr

Type:   dns
Detail: DNS problem: NXDOMAIN looking up A for
ntop.mgmt.ad.mydomain.fr - check that a DNS record exists for this
domain

But this domain exist :

dig a ntop.mgmt.ad.mydomain.fr
;; ANSWER SECTION:
ntop.mgmt.ad.mydomain.fr.	3600	IN	A	10.1.40.112

How certbox make the DNS request ? In fact there two DNS zone a public (mydomain.fr) on public DNS servers and a private (ad.mydomain.fr) on my private DNS servers. The second is used as active directory domain. Is this the problem and how to resolve ?

Jerome

schoen · February 24, 2021, 8:25pm

Hi @jquintard,

The DNS request that matters here is made by the Let's Encrypt CA, from its own data centers, not by Certbot.

Certbot is connecting to an API provided by the CA, and asking the CA to check that you really control the domain. The CA responds by trying to do this (from outside of your network); if it succeeds, it will give a certificate over the API, which Certbot can then save into a file.

JuergenAuer · February 24, 2021, 8:26pm

Hi @jquintard

your domain name is required if you want help.

That's

10.1.40.112

a private ip address.

Your domain must have a public ip address if you want to use http validation.

schoen · February 24, 2021, 8:26pm

You can learn more about this validation process at

or more about the difference between the Let's Encrypt client (like Certbot) and server (the certificate authority) at

This means you will indeed have to figure out how to make the public DNS entries refer to a reachable version of your server (or use the DNS challenge method, in which the public DNS entries must be updated with TXT records provided by the CA).

rg305 · February 24, 2021, 8:45pm

I see:

Name:    ntop.mgmt.ad.mydomain.fr
Address: 194.206.126.204

There is a TCP port 80 response heard from that IP:

curl -Iki 194.206.126.204
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2021 20:56:41 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1

jquintard · February 24, 2021, 9:31pm

Ok and if I want a certificate with a private IP, is this possible with certbot ? Do you have another challenge for that ?

rg305 · February 24, 2021, 9:53pm

You can't get a certificate (from LE) that certifies an IP.
You can get a cert that certifies an FQDN [which can resolve to any IP - public or private].
If the server can't be reached via the Internet IP, then certbot won't be able to use HTTP authentication to obtain a cert.
That leaves you with DNS authentication...
If you can add TXT records to the DNS zone of the requested FQDN, then you can use DNS authentication to validate the cert request.
[DNS authentication can be more complicated to automate than HTTP authentication - but worth it]

JuergenAuer · February 24, 2021, 10:11pm

Please read the documents @schoen has shared.

jquintard · February 24, 2021, 10:11pm

Ok is this case what is the format of the TXT records ? Can I add this RR on the parent domain (mydomain.fr) or do I need to create a temporary child domain (in our case mgmt.ad.).

rg305 · February 24, 2021, 10:18pm

Please take the time to read what has already been provided.

jquintard · February 24, 2021, 10:22pm

I'am sorry I'm in a hurry. I read your document. Thanks a lot for the explaination.

system · March 26, 2021, 10:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.