DNS PROBLEM: NXDOMAIN looking up A for <mydomain.com>

Hello, I'm trying to run this command: ./letsencrypt-auto certonly --rsa-key-size 4096 -d <mydomain.com> --email admin@mydomain.com --agree-tos
It's to make a certificate for my mail server (Dovecot & Postfix).
I have a problem when running this command:

  IMPORTANT NOTES:
     - The following errors were reported by the server:
     Domain: <mydomain.com>
     Type: urn:acme:error:connection
     Detail: DNS problem: NXDOMAIN looking up A for <mydomain.com>

But when I do dig +short MX <mydomain.com> to test my DNS config I get the right answer: 10 mail.mydomain.com.
So I really need help, if someone has already had this problem...

Hi @Adrien, that is an MX record, not an A record. How about dig +short A mydomain.com?

(It’s quite possible for mail.mydomain.com to have an A record where mydomain.com itself doesn’t.)

2 Likes

Hello, thank you for the quick reply!
I tried dig +short A domain.com and I get the IP address of my DNS server with no error.
But I also have a new error:

Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for domain.com

Any help?

It may help to share the real domain name so that we can check against it.

I’m in a NAT network on VirtualBox; the domain is not available on the internet…

It seems someone already had a quite similar problem: Failed authorization procedure. DNS A Record, but it didn’t get solved…

Certificate issuance for internal DNS names is something CAs aren’t allowed to do. Additionally, in order to obtain an SSL certificate from Let’s Encrypt, your domain needs to either:

  • Be available from the public internet on port 80 (http-01) or 443 (tls-sni-01)
  • Have a TXT record with a specific token in place (dns-01; not yet available with the official client)

This is necessary in order to show proof of domain ownership.

3 Likes
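The two DNS preconditions described above (the exact name must have an A/AAAA record, and the address must be reachable from the public internet, so MX-only apexes, made-up suffixes and NAT'd private addresses all fail) can be checked before running the client. The following pre-flight checker is an added example written for this thread; it is not part of the Let's Encrypt client. The list of non-public suffixes and the constructed zone data are assumptions for illustration; `system_resolver` uses only the standard library and therefore cannot look up MX records.

```python
import ipaddress
import socket
from typing import Callable, List

# A resolver answers (name, record_type) with a list of record strings;
# an empty list stands for NXDOMAIN or "no data", which is all the CA sees.
Resolver = Callable[[str, str], List[str]]

# Suffixes that are not delegated by ICANN; publicly trusted CAs will not validate them.
# Assumed, illustrative list, not an authoritative one.
NON_PUBLIC_SUFFIXES = (".local", ".lan", ".internal", ".localhost",
                       ".home", ".corp", ".test", ".invalid", ".example")

# RFC 1918 ranges: an A record pointing here is unreachable from the CA's validation servers.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_name(name: str) -> bool:
    """True if the name has at least two labels and no reserved / made-up suffix."""
    name = name.rstrip(".").lower()
    return "." in name and not name.endswith(NON_PUBLIC_SUFFIXES)


def preflight(domain: str, resolve: Resolver) -> List[str]:
    """Return the reasons an http-01 / tls-sni-01 validation of `domain` would fail.
    An empty list means the DNS preconditions look satisfied."""
    problems: List[str] = []
    name = domain.rstrip(".").lower()
    if not is_public_name(name):
        problems.append(f"{name} is not a public (ICANN) name; no publicly trusted CA will issue for it")
        return problems  # nothing else matters
    addresses = resolve(name, "A") + resolve(name, "AAAA")
    if not addresses:
        problems.append(f"NXDOMAIN / no A or AAAA record for {name}: the CA has no host to connect to")
        mx = resolve(name, "MX")
        if mx:
            # The situation in the thread: mail works, but validation needs the exact name to resolve.
            problems.append(f"{name} has an MX record ({', '.join(mx)}) but MX does not satisfy "
                            f"validation; the exact name needs an A/AAAA record")
    for addr in addresses:
        if any(ipaddress.ip_address(addr) in net for net in RFC1918):
            problems.append(f"{name} resolves to {addr}, a private address; "
                            f"validation servers on the public internet cannot reach it")
    return problems


# Constructed zone data mirroring the thread: only an MX at the apex, an A record only on the
# mail host, plus a NAT'd name and a name that would pass. Addresses are documentation ranges.
CONSTRUCTED_ZONE = {
    ("mydomain.com", "MX"): ["10 mail.mydomain.com."],
    ("mail.mydomain.com", "A"): ["203.0.113.10"],
    ("nat.example.com", "A"): ["192.168.56.10"],
    ("www.example.com", "A"): ["203.0.113.20"],
}


def zone_resolver(name: str, rtype: str) -> List[str]:
    """Offline resolver over the constructed zone above."""
    return list(CONSTRUCTED_ZONE.get((name.rstrip(".").lower(), rtype), []))


def system_resolver(name: str, rtype: str) -> List[str]:
    """Live resolver using only the standard library: A and AAAA via getaddrinfo.
    MX lookups need a DNS library, so they answer empty here."""
    family = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}.get(rtype)
    if family is None:
        return []
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, family)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for d in ("mydomain.com", "mail.mydomain.com", "nat.example.com", "www.example.com", "mail.lan"):
        print(d, "->", preflight(d, zone_resolver) or ["ok"])
```

Run it against the constructed zone to see the thread's case reported (apex has MX but no A), then swap in `system_resolver` to check a real name from the same vantage point a validation server would use, bearing in mind that a resolver inside the NAT network will answer with internal addresses that the CA never sees.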

Okay, so I can’t use LE if my domain is not available from the Internet?

I couldn’t say it better. You beat me to the punch. :slight_smile:

You can’t use any publicly trusted CA if your domain is internal-only. More specifically, if it is a domain name you “made up” and not a public/ICANN domain. This practice was forbidden a couple of years ago by the CA/B forum.

If you own, say, example.com, and want to get a certificate for internal.example.com, that might still be possible via split-horizon DNS. You would internally resolve the domain to a different IP than from the public internet. The public DNS record would point to a server only used to solve the domain ownership challenge (this is where you would run the client, and then move the resulting certificate to your internal server).

Setups like that can be quite tricky; personally I would just establish an internal CA and deploy it to all clients (for example via Active Directory, or just manually if you don’t have many clients).

Ok, thank you, I didn’t know it was forbidden.
I will set up my internal CA and deploy it to my clients manually!