DNS problem: NXDOMAIN looking up TXT error for a wildcard cert request

My domain is: hellomehmaan.com

I ran this command: sudo certbot certonly --manual --preferred-challenges=dns --email ahulpasricha@yahoo.co.in --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.hellomehmaan.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for hellomehmaan.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.hellomehmaan.com with the following value:

3aRdTcxt2mvrcsaJiE3vtiyQJSdvDE1BTQSpgXzaf8E

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain hellomehmaan.com
dns-01 challenge for hellomehmaan.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: hellomehmaan.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.hellomehmaan.com - check that a DNS record exists
for this domain

My web server is (include version):
Server version: Apache/2.4.43 ()
Server built: May 8 2020 17:02:41

The operating system my web server runs on is (include version):
4.14.177-139.254.amzn2.x86_64

My hosting provider, if applicable, is:
porkbun.com

I have added a DNS TXT entry on porkbun.com
_acme-challenge.hellomehmaan.com = 3aRdTcxt2mvrcsaJiE3vtiyQJSdvDE1BTQSpgXzaf8E
(Screenshot attached; I tried other entries as well just to see if they work)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.4.0

1 Like

A few things:

  • The _acme-challenge.www.hellomehmaan.com RR is not used at all: you're not requesting a certificate with the www.hellomehmaan.com subdomain;
  • The _acme-challenge.hellomehmaan.com.hellomehmaan.com RR is sometimes an erroneous byproduct of wrong DNS zone editing and is not used by the ACME server at all and should not be added manually: it serves no purpose at all;
  • You've only requested a certificate for the *.hellomehmaan.com wildcard hostname which does not also include the apex domain hellomehmaan.com which could lead to TLS certificate errors when surfing to the hostname hellomehmaan.com;
  • It's possible you just need to wait a little bit longer for the DNS zone info to propagate to the actual DNS servers. You can test remotely whether the TXT record has propagated to the DNS servers with the aid of tools such as https://unboundtest.com/ (of course you need to select the TXT record type in that tool).
4 Likes
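A defender-side pre-check for the two situations described above, added here as an example (it is not Osiris's code, nor part of Certbot): it derives the host label to type into a zone editor that auto-appends the zone (so the doubled `_acme-challenge.hellomehmaan.com.hellomehmaan.com` name is never created), and classifies a dig-style TXT response against the expected challenge name and token before you press Enter. The sample response is constructed from the unboundtest output quoted later in the thread.

```python
import re

# Constructed sample, modelled on the unboundtest-style answer quoted in the thread.
SAMPLE_RESPONSE = """\
;; opcode: QUERY, status: NOERROR, id: 8857
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.hellomehmaan.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.hellomehmaan.com. 0 IN TXT "3aRdTcxt2mvrcsaJiE3vtiyQJSdvDE1BTQSpgXzaf8E"
"""

# owner-name  TTL  IN  TXT  "quoted rdata" (rdata may be several quoted strings)
TXT_RR = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+(".*")\s*$')

def _fqdn(name):
    return name.rstrip(".").lower()

def host_field_for(challenge_name, zone):
    """Label(s) to type into a control panel that auto-appends the zone.
    Typing the full name there yields _acme-challenge.<zone>.<zone>."""
    challenge_name, zone = _fqdn(challenge_name), _fqdn(zone)
    if not challenge_name.endswith("." + zone):
        raise ValueError(f"{challenge_name} is not inside zone {zone}")
    return challenge_name[: -(len(zone) + 1)]

def check_acme_txt(response, challenge_name, token):
    """Classify a dig-style TXT response the way the ACME server will see it:
    'ok', 'wrong-value', 'no-answer', or the lowercase RCODE (e.g. 'nxdomain')."""
    status = re.search(r"status:\s*(\w+)", response)
    if status and status.group(1) != "NOERROR":
        return status.group(1).lower()
    values, in_answer = [], False
    for line in response.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = TXT_RR.match(line)
        if in_answer and m and _fqdn(m.group(1)) == _fqdn(challenge_name):
            # Join split TXT strings back into one value before comparing.
            values.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(2))))
    if not values:
        return "no-answer"
    return "ok" if token in values else "wrong-value"
```

Run the classifier on the output of `dig TXT _acme-challenge.<domain> @<each authoritative nameserver>` rather than on your local resolver, since a cached NXDOMAIN there does not tell you what Let's Encrypt's resolver will see.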

Thanks @Osiris, I ran a test with https://unboundtest.com and see the following results. It looks like it's returning the value.
Is there a way to run the DNS test again with the same value, or if I request the certificate again, will I need to update the TXT value again?

Query results for TXT _acme-challenge.hellomehmaan.com

Response:
;; opcode: QUERY, status: NOERROR, id: 8857
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.hellomehmaan.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.hellomehmaan.com. 0 IN TXT "3aRdTcxt2mvrcsaJiE3vtiyQJSdvDE1BTQSpgXzaf8E"

1 Like

If you installed Certbot from EPEL, you may also be able to install the python2-certbot-dns-route53 package and follow the instructions on https://certbot-dns-route53.readthedocs.io/en/latest/.

The benefit to doing this:

  • Certbot can automatically issue and renew certificates; you don't have to do anything in the AWS Console
  • Certbot will automatically sleep an appropriate amount of time to wait for record propagation (adjustable if necessary)
3 Likes

If a challenge has failed, the token value is invalid and you'll get a new one.

3 Likes

Which control panel are you using?

1 Like

I am managing it on an AWS EC2 instance

1 Like

Thanks @_az, I'll try this out

1 Like

Update:
Since I added the TXT entry ~24 hours ago, I tried to validate and generate the wildcard cert with the same steps as I mentioned in the original issue description, and I was able to successfully validate. Thanks all for your help.

2 Likes