DNS problem: NXDOMAIN looking up A for server.base.com

hey guys, so i have set up nextcloud on my server and i am trying to use https to connect to it.

when i try to execut the certbot.auto it gives me this error:


if i try to execute this command it gives me this error:
sudo certbot --apache -m my@email.com -d server.base.com -d www.server.base.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

dig server.base.com
<<>> DiG 9.10.3-P4-Debian <<>> server.base.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61947
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;server.base.com. IN A

server.base.com. 604800 IN A

base.com. 604800 IN NS server.base.com.

;; Query time: 23 msec
;; WHEN: Sat Oct 27 11:44:41 WEST 2018
;; MSG SIZE rcvd: 74


// Do any local configuration here

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "base.com" IN {
type master;
file "/etc/bind/forward.base.com";

zone "1.168.192.in-addr.arpa" IN {
type master;
file "/etc/bind/reverse.base.com";

forward.base.com :

; BIND data file for local loopback interface
$TTL    604800
@       IN      SOA     server.base.com. root.server.base.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      server.base.com.
@       IN      A
server  IN      A
www     IN      A
IN      MX      10      mail.base.com.


; BIND data file for local loopback interface
$TTL    604800
@       IN      SOA     server.base.com. root.server.base.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      server.base.com.
@       IN      PTR     base.com.
server  IN      A
100     IN      PTR     server.base.com.


domain base.com
search base.com

error log:

Hi @stormsz

testing your domain name:

D:\temp>nslookup server.base.com.
*** server.base.com. wurde von fritz.box nicht gefunden: Non-existent domain.

Non-existent domain.

This is an internal / private ip address, not a public address.

If you want to create a certificate with the domain name server.base.com, then you need

  • a public ip address and an A-record domainname -> your server-ip


  • you have to use dns - 01 validation to get a certificate.

But: Are you really owner of base.com?

PS: Moved to "Help"

1 Like

For that issue, see this post:

In short, you can work around it, or you can upgrade Certbot. On some OSes, moving to certbot-auto is the best way to do that; on others, there are other options.

However, fixing this issue won't help you if validation is failing due to a DNS problem.


hello! sorry i’m a bit of a newbie when it comes to dns.
yes the domain is mine in the meaning of the actual server is mine, but if you are asking if i bought it, no.
also my isp wont assign outside static ip’s, they are dinamic and i cant mess with the dns server on the router, because the router came with the contract of the internet, so is close soft and very limited.
so my plan was to make this old pc i have laying around an NAS server, since i dont have a static ip, and correct me if i’m wrong, but couldnt i use the server as a VPN to acess my inner network, that way the domain is know and that would make me able to acess the nextcloud right?(from outside of the network, like school network (thats my end goal rly)).
but wouldnt that leave me with the same problem? i would need to encrypt the vpn connection anyway, wouldnt i get the same error? what am i missing here?

Are you trying to obscure your domain name by writing base.com instead of the actual domain name? People here on the forum were testing the DNS setup for this specific domain. If you want people to analyze your setup for any possible DNS problems, you’ll have to give your real domain name!

One of the authzs in the log earlier really was using base.com.

1 Like

i’m not sure if i follow you question.
i’m simpy a TI student trying to set up a NAS server on my old pc that i have laying arround.
as i said i’m a bit of a noob when it come to networking BUT i assure you that i’m not trying to do anything bad or close to that.
let me recap and i am SORRY if i miss anything.

i have this old pc with next cloud.
i have configured the local domain.
i DID NOT have an bought domain from an DNS provider,
i simply configured the local domain of my NAS server as
so thats the adress i use on the browser to access the netcloud.
what i am trying to do is encrpyt that connection to my local domain.

so when i go to www.server.base.com, my Bind9 config will redirect to my local domain.
(edit: its working fine, but its not on HTTPS)
let me know if its possible what i am trying to do.
i have i clered the confusion, not trying to do anything bad or something like that :slight_smile: just a student trying to have is own private cloud.

Publicly trusted certificates can only be issued for DNS names that you control. So if server.base.com doesn’t belong to you—from the point of view of the rest of the Internet—then Let’s Encrypt can never issue a certificate to you for this name. This doesn’t have to do with how you configure anything or how you use Let’s Encrypt client software; it has to do with how publicly-trusted certificates are meant to be used.

Let’s Encrypt can’t issue any certificates for private or internal names. If you only want to access the service from devices that you control, you could make a self-signed certificate and tell your devices to accept it (but people using other devices would still receive a warning, which is how the system is supposed to work). Alternatively, you could register a domain name or use a free domain name provider to point a subdomain at your NAS, and then you should be able to get a Let’s Encrypt certificate for the NAS using that name.

@stormz, are you following a set of instructions? If so, it would be helpful if you could share them with us.

I think the next thing you need to do is to purchase a domain name from a domain name registrar. For instance, Gandi is a domain name registrar. It looks like the domain name stormz.info is available – you could buy that one!

Once you’ve bought a domain name, you would edit all your commands and configs to replace base.com with, for instance, stormz.info. You should also replace my@email.com with your own email address.

hello sorry for the long wait.
i went deep on about finding a solution and came across no-ip, looks great for what i am trying to do, maybe i will buy a domain down the line when my odroix-xu4 arrives :smiley:

i am following an guide

i have removed bind9, since i dont need it anymore, now i just have one question.
i’m having an error, it says it cant reach the domain, also it says it probly the firewall.

my only problem is that the method of opening doors on my router is…i dont know…i can open doors on ufw fine but this router…

so i do tcp | source: any | destiny:80 or is the other way around? i’m lost right now…

Your source is port 80, you don’t want to open every port.

Your destination may be port 80 or another port, where http (not https) is running.

This may be a little confusing; we’d need to see more of the router UI to be sure. In normal TCP parlance, for a web server the destination port would always be 80, and the source port would be randomly generated by the client connecting to the web server. However, it’s possible this router UI is using the terms differently, in terms of forwarding incoming connections to a given set of ports.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.