DNS PROBLEM: NXDOMAIN looking up A for <mydomain.com>

Hello, I'm trying to run this command : ./letsencrypt-auto certonly --rsa-key-size 4096 -d <mydomain.com> --email admin@mydomain.com --agree-tos
It's to make a certificate for my mail server (Dovecot&Postfix).
I've a problem when running this command :

     - The following errors were reported by the server : 
     Domain: <mydomain.com>
     Type: urn:acme:error:connection
     Detail: DNS problem: NXDOMAIN looking up A for <mydomain.com>

But when I did dig +short MX <mydomain.com> to try my DNS config I've the good answer : 10 mail.mydomain.com.
So I really need help if someone already Having this problem...

Hi @Adrien, that is an MX record, not an A record. How about dig +short A mydomain.com?

(It’s quite possible for mail.mydomain.com to have an A record where mydomain.com itself doesn’t.)


Hello, thank you the the quick reply !
I try dig +short A domain.com and I've the IP Address of my DNS server with no error..
But I also have a new error :

Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for domain.com

Any Help ?

It may help to share the real domain name so that we can check against it.

I’m in NAT Network on virtualbox, the domain is not available on internet…

Seems someone already have a quite similar problem : Failed authorization procedure. DNS A Record but didn’t solve it…

Certificate issuance for internal DNS names is something CAs aren’t allowed to do. Additionally, in order to obtain a SSL certificate from Let’s Encrypt, your domain needs to either:

  • Be available from the public internet on port 80 (http-01) or 443 (tls-sni-01)
  • Have a TXT record with a specific token in place (dns-01; not yet available with the official client)

This is necessary in order to show proof of domain ownership.


Okay, so I can’t use LE if my domain is not available from the Internet ?

I couldn’t say it better. You beat me to the punch. :slight_smile:

You can’t use any publicly trusted CA if your domain is internal-only. More specifically, if it is a domain name you “made up” and not a public/ICANN domain. This practice was forbidden a couple of years ago by the CA/B forum.

If you own, say, example.com, and want to get a certificate for internal.example.com, that might still be possible via split-horizon DNS. You would internally resolve the domain to a different IP than from the public internet. The public DNS record would point to a server only used to solve the domain ownership challenge (this is where you would run the client, and then move the resulting certificate to your internal server).

Setups like that can be quite tricky; personally I would just establish an internal CA and deploy it to all clients (for example via Active Directory, or just manually if you don’t have many clients).

Ok, thank you I didin’t know it was forbidden.
I will do my internal CA and deploy it to my clients manually !