DNS problem: NXDOMAIN looking up TXT for _acme-challenge.sapientia.dev - check that a DNS record exists for this domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

sapientia.dev

I ran this command:

sudo certbot certonly \
  --dns-google \
  --dns-google-credentials ~/.secrets/certbot/google.json \
  -d sapientia.dev \
  -d api.sapientia.dev \
  -d id.sapientia.dev

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator dns-google, Installer None

Obtaining a new certificate

Performing the following challenges:

dns-01 challenge for api.sapientia.dev

dns-01 challenge for id.sapientia.dev

dns-01 challenge for sapientia.dev

URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=api.sapientia.dev.&alt=json

Attempting refresh to obtain initial access_token

Refreshing access_token

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=sapientia.dev.&alt=json

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/rrsets?alt=json

URL being requested: POST https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes?alt=json

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes/47?alt=json

URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=id.sapientia.dev.&alt=json

Attempting refresh to obtain initial access_token

Refreshing access_token

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=sapientia.dev.&alt=json

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/rrsets?alt=json

URL being requested: POST https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes?alt=json

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes/48?alt=json

URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=sapientia.dev.&alt=json

Attempting refresh to obtain initial access_token

Refreshing access_token

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/rrsets?alt=json

URL being requested: POST https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes?alt=json

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes/49?alt=json

Waiting 300 seconds for DNS changes to propagate

Waiting for verification...

Cleaning up challenges

URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=api.sapientia.dev.&alt=json

Attempting refresh to obtain initial access_token

Refreshing access_token

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=sapientia.dev.&alt=json

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/rrsets?alt=json

URL being requested: POST https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes?alt=json

URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=id.sapientia.dev.&alt=json

Attempting refresh to obtain initial access_token

Refreshing access_token

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=sapientia.dev.&alt=json

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/rrsets?alt=json

URL being requested: POST https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes?alt=json

URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones?dnsName=sapientia.dev.&alt=json

Attempting refresh to obtain initial access_token

Refreshing access_token

URL being requested: GET https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/rrsets?alt=json

URL being requested: POST https://dns.googleapis.com/dns/v1/projects/sapientia-internal/managedZones/7885459531394183804/changes?alt=json

Failed authorization procedure. id.sapientia.dev (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.id.sapientia.dev - check that a DNS record exists for this domain, api.sapientia.dev (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.api.sapientia.dev - check that a DNS record exists for this domain, sapientia.dev (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.sapientia.dev - check that a DNS record exists for this domain

**IMPORTANT NOTES:**

 - The following errors were reported by the server:

Domain: id.sapientia.dev

Type: None

Detail: DNS problem: NXDOMAIN looking up TXT for

_acme-challenge.id.sapientia.dev - check that a DNS record exists

for this domain

Domain: api.sapientia.dev

Type: None

Detail: DNS problem: NXDOMAIN looking up TXT for

_acme-challenge.api.sapientia.dev - check that a DNS record exists

for this domain

Domain: sapientia.dev

Type: None

Detail: DNS problem: NXDOMAIN looking up TXT for

_acme-challenge.sapientia.dev - check that a DNS record exists for

this domain

My web server is (include version):

nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04

My hosting provider, if applicable, is:

Google Cloud Platform

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

I was not prompted with any _acme-challenge keys and was just served errors.


What was Certbot’s complete output?

Are you sure there isn’t a misconfiguration – e.g. multiple sapientia.dev zones in Google Cloud DNS?

Could you try using the --dns-google-propagation-seconds with a larger number, e.g. 120 or 300?

When using a DNS plugin like that, Certbot takes care of adding and removing the DNS records using the API, so it doesn’t need to display them.


I tried using --dns-google-propagation-seconds 300. It still doesn’t work unfortunately. I have 3 different A records set up: sapientia.dev, api.sapientia.dev and id.sapientia.dev.

I will amend the opening post to have the complete Certbot output.


Are there supposed to be two sapientia.dev zones on Google?

This one is being used in the DNS:

$ dig +dnssec +norecurse @ns-cloud-a4.googledomains.com sapientia.dev soa

; <<>> DiG 9.15.8 <<>> +dnssec +norecurse @ns-cloud-a4.googledomains.com sapientia.dev soa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5252
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;sapientia.dev.                 IN      SOA

;; ANSWER SECTION:
sapientia.dev.          21600   IN      SOA     ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 3 21600 3600 259200 300
sapientia.dev.          21600   IN      RRSIG   SOA 8 2 21600 20200305162144 20200212162144 22314 sapientia.dev. XGvrLY5F1YIM3S380TqmEKF2fDhI+sI/jbeFwstSmqmn7764HxU44Q3N eICmZhRyyKsmt7k06KNPKHJC6mpQuR6r1iLs3xIN3DDk5h0m6cQ4y71q C7CFuE5WcTY7NIDSLKixrtxLqAz3lwoqr4UfRsl5xJvw8AnN9eEfg1hG 6co=

;; AUTHORITY SECTION:
sapientia.dev.          21600   IN      NS      ns-cloud-a1.googledomains.com.
sapientia.dev.          21600   IN      NS      ns-cloud-a2.googledomains.com.
sapientia.dev.          21600   IN      NS      ns-cloud-a3.googledomains.com.
sapientia.dev.          21600   IN      NS      ns-cloud-a4.googledomains.com.
sapientia.dev.          21600   IN      RRSIG   NS 8 2 21600 20200305162144 20200212162144 22314 sapientia.dev. E0MTdcvIceC9kRFWKHyF3wP9X4CKx8nfNDY7njPSPDeoKshWZ9GRPteA /gM8CaloyK9IGOpo8LH0Hte0QOk7fMJ5jshD/dmj//qX9JrbiyL/xCmT kWFSRKYYicCxateTz1T6Sr+KcORGhowiYTD70SDsNE6tCtuBZdnQQkO3 r90=

;; Query time: 16 msec
;; SERVER: 2001:4860:4802:38::6a#53(2001:4860:4802:38::6a)
;; WHEN: Thu Feb 13 23:21:07 UTC 2020
;; MSG SIZE  rcvd: 573

But this one also exists:

$ dig +dnssec +norecurse @ns-cloud-b4.googledomains.com sapientia.dev soa

; <<>> DiG 9.15.8 <<>> +dnssec +norecurse @ns-cloud-b4.googledomains.com sapientia.dev soa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57208
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;sapientia.dev.                 IN      SOA

;; ANSWER SECTION:
sapientia.dev.          21600   IN      SOA     ns-cloud-b1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300

;; AUTHORITY SECTION:
sapientia.dev.          21600   IN      NS      ns-cloud-b1.googledomains.com.
sapientia.dev.          21600   IN      NS      ns-cloud-b2.googledomains.com.
sapientia.dev.          21600   IN      NS      ns-cloud-b3.googledomains.com.
sapientia.dev.          21600   IN      NS      ns-cloud-b4.googledomains.com.

;; Query time: 13 msec
;; SERVER: 2001:4860:4802:38::6b#53(2001:4860:4802:38::6b)
;; WHEN: Thu Feb 13 23:20:52 UTC 2020
;; MSG SIZE  rcvd: 227

Is it possible that Certbot happens to be modifying the second one?

Can you check Google’s control panel or API while Certbot is running to see if the records appear in either zone?

(Or you can use dig, actually.)

You can also make Certbot pause indefinitely after setting up the records by adding the --debug-challenges option.

(Note: You have DNSSEC enabled. If you were thinking about it, don’t just go to your registrar and change the nameserver settings to the second zone. Everything would break. If you want to do that, you have to do all the right steps.)
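One way to check the two-zones hypothesis offline, as an added example that is not from this thread or from Certbot: given the managed-zone list, the public NS delegation and Certbot's debug log, it reports whether the challenge TXT records were written into a zone the validator never queries. The project id, zone names and zone ids are constructed; only the nameserver sets mirror the dig output above.

```python
"""Audit which Google Cloud DNS managed zone a dns-01 TXT record landed in.

Constructed inputs stand in for three real commands:
  gcloud dns managed-zones list --format=json            -> MANAGED_ZONES_JSON
  dig +short NS sapientia.dev                            -> DELEGATED_NS
  certbot --dns-google debug lines "POST .../managedZones/<id>/changes" -> CERTBOT_LOG
A zone is live only if its nameServers equal the public delegation; a TXT record
written into another zone with the same dnsName is invisible to the ACME validator.
"""
import json
import re

# Constructed sample: two zones for sapientia.dev., as in the thread (names/ids made up).
MANAGED_ZONES_JSON = json.dumps([
    {"name": "sapientia-old", "id": "1000000000000000001", "dnsName": "sapientia.dev.",
     "nameServers": [f"ns-cloud-b{i}.googledomains.com." for i in range(1, 5)]},
    {"name": "sapientia-live", "id": "1000000000000000002", "dnsName": "sapientia.dev.",
     "nameServers": [f"ns-cloud-a{i}.googledomains.com." for i in range(1, 5)]},
])
# Constructed `dig +short NS` output; dig does not sort, so order must not matter.
DELEGATED_NS = ("ns-cloud-a3.googledomains.com.\nns-cloud-a1.googledomains.com.\n"
                "ns-cloud-a4.googledomains.com.\nns-cloud-a2.googledomains.com.\n")
# Constructed Certbot debug line (project id and zone id are placeholders).
CERTBOT_LOG = ("URL being requested: POST https://dns.googleapis.com/dns/v1/projects/"
               "example-project/managedZones/1000000000000000001/changes?alt=json\n")

def fqdn(name):
    """Lower-case, trailing-dot form so names compare however a tool printed them."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def classify_zones(zones_json, delegated_ns_text, dns_name):
    """Split the zones for dns_name into live (NS set == delegation) and stale ids."""
    delegated = {fqdn(n) for n in delegated_ns_text.splitlines() if n.strip()}
    live, stale = [], []
    for zone in json.loads(zones_json):
        if fqdn(zone["dnsName"]) != fqdn(dns_name):
            continue
        zone_ns = {fqdn(n) for n in zone.get("nameServers", [])}
        (live if zone_ns == delegated else stale).append(zone["id"])
    return live, stale

def zones_written_by_certbot(log_text):
    """Zone ids Certbot sent record changes to, extracted from its debug log."""
    return set(re.findall(r"managedZones/(\d+)/changes", log_text))

def audit(zones_json, delegated_ns_text, dns_name, log_text):
    """'ok' when every write hit a live zone; otherwise say which stale zones were written."""
    live, stale = classify_zones(zones_json, delegated_ns_text, dns_name)
    if not live:
        return "no zone matches the public delegation for " + dns_name
    wrote_stale = sorted(zones_written_by_certbot(log_text) & set(stale))
    if wrote_stale:
        return f"records written to stale zone(s) {', '.join(wrote_stale)}; live: {', '.join(live)}"
    return "ok"
```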
