DNS problem: NXDOMAIN looking up TXT for _acme-challenge.vadim.com.ru - check that a DNS record exists for this domain

@petercooperjr Thanks for the tip - will try that

2 Likes

I have to agree. At this point, you should focus on testing the DNS system [not the certification process].

6 Likes

I get different errors every time I try though - zerossl just times out and letsencrypt gets another one. Is it all about DNS really?

Yes. You need reliable DNS servers in order to get a certificate. (And, in order for users to consistently be able to get to your site.)

5 Likes

It works fine on my other server without a hitch though - same domain, same DNS. I've just recently renewed it.

I see the most recent renewal was on Aug 25. And, there was about 2 months where no valid cert existed after your cert from Mar 23 expired. See crt.sh history here. That does not look like it was working fine.

More important, I see you are not using a wildcard cert. Have you considered using the webroot or nginx methods instead of DNS? These use the HTTP Challenge method instead which uses your working nginx server. Many times these methods are easier to use. And, maybe will not fail as often as the DNS Challenge.

5 Likes

Well, the HTTP challenge still needs a working DNS in order to find the server address. I'd expect it to be less reliable since it needs both the DNS and web servers to be accessible, not just the DNS server.

5 Likes

Maybe so. Maybe not. The update of TXT records can be more problematic than just the A record lookup. Of course, if the comms to the server are unreliable that is hard to assess with what we see.

EDIT: We've seen some odd problems with yandex in the past. Especially regarding TXT sync.

5 Likes

@MikeMcQ As far as renewal, it was my fault - I updated the nextcloud jail via the pkg system instead of the original ports when I installed certbot and ended up with 2 python versions on the system, which got me into dependency hell. So it took me a while to figure it all out and it was finally renewed.
Wildcard might be a better choice or even nginx, but my nextcloud is not up and running yet to my liking.

No, the DNS Challenge you are using is required to get a wildcard cert. But, you are not using a wildcard so do not have to use DNS Challenge.

The webroot or nginx methods use HTTP Challenge which might work better given your Yandex DNS. But, you cannot get a wildcard cert with these methods.

5 Likes

I've just run it again with a 20 min DNS sleep time and the TXT was created immediately - I see it in the panel, but it still fails....

@Volkodav There is nothing we can do about your poor DNS behavior. We have seen odd things before with Yandex. You should try the HTTP Challenge methods or switch DNS providers.

Or, maybe try 1H or even longer DNS sleep. The TXT record must propagate through all the DNS Servers Yandex uses. Just because you see it on a panel doesn't mean that has happened.

7 Likes
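The point made in the two replies above (a TXT record visible in the provider's panel is not the same as one that every authoritative name server answers with) can be checked directly instead of guessing at a sleep time. The script below is an added example, not code from this thread, from acme.sh or from certbot: it polls each authoritative server for the `_acme-challenge` TXT record and only reports success once all of them return the expected token. The lookup function is injected so the loop logic runs offline; the `dig`-based lookup is an assumption that `dig` is installed, and the host names and token used in the demo are constructed.

```python
"""Poll every authoritative name server for an ACME DNS-01 TXT record.

Added example (not from the thread, acme.sh or certbot). The DNS-01
validator may query any of the zone's authoritative servers, so the
record must be present on all of them before the challenge is triggered.
"""
import subprocess
import time
from typing import Callable, Dict, List, Tuple

# (record name, server) -> list of TXT strings returned by that server
TxtLookup = Callable[[str, str], List[str]]


def dig_txt_lookup(name: str, server: str, timeout: float = 5.0) -> List[str]:
    """Real lookup via `dig +short TXT <name> @<server>` (assumes dig is installed).

    Returns the TXT strings with their surrounding quotes stripped. Any failure
    (NXDOMAIN, timeout, dig missing) yields an empty list, which the caller
    treats as "not propagated yet". ACME tokens are single-string TXT records,
    so no multi-string reassembly is attempted here.
    """
    cmd = ["dig", "+short", "+time=%d" % int(timeout), "+tries=1",
           "TXT", name, "@" + server]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout + 2, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return []
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def propagation_status(name: str, expected: str, servers: List[str],
                       lookup: TxtLookup) -> Dict[str, bool]:
    """Map each server to whether it currently returns the expected token."""
    return {srv: expected in lookup(name, srv) for srv in servers}


def wait_for_propagation(name: str, expected: str, servers: List[str],
                         lookup: TxtLookup, interval: float = 30.0,
                         max_wait: float = 7200.0,
                         sleep: Callable[[float], None] = time.sleep,
                         clock: Callable[[], float] = time.monotonic
                         ) -> Tuple[bool, int]:
    """Poll until every server answers with the token or max_wait elapses.

    Returns (success, number_of_polls). `sleep` and `clock` are injectable so
    the loop can be exercised without real waiting.
    """
    deadline = clock() + max_wait
    polls = 0
    while True:
        polls += 1
        status = propagation_status(name, expected, servers, lookup)
        if all(status.values()):
            return True, polls
        if clock() >= deadline:
            return False, polls
        sleep(interval)


if __name__ == "__main__":
    # Constructed demo: ns2 lags two polls behind ns1, like a slow secondary.
    demo_servers = ["ns1.example.invalid", "ns2.example.invalid"]
    seen = {"ns2": 0}

    def fake_lookup(name: str, server: str) -> List[str]:
        if server.startswith("ns1"):
            return ["constructed-token"]
        seen["ns2"] += 1
        return ["constructed-token"] if seen["ns2"] >= 3 else []

    ok, polls = wait_for_propagation("_acme-challenge.example.invalid",
                                     "constructed-token", demo_servers,
                                     fake_lookup, interval=0,
                                     sleep=lambda _: None)
    print("propagated:", ok, "after", polls, "polls")
```

For real use, get the authoritative servers with `dig +short NS yourdomain` and pass `dig_txt_lookup` as the lookup; run the check between creating the TXT record and letting the client continue, and the fixed sleep becomes a ceiling rather than a guess.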

@MikeMcQ HTTP Challenge methods vs wildcard - what is the major difference between the two? Am I going to be missing something in terms of security?

"Wildcard" describes the name in the cert. You are not using a wildcard name today so you could use the HTTP method to get your same cert.

Wildcards are used when people have many subdomain names that change regularly. If you just use one or a small number of names that don't change much it is often easier to use HTTP Challenge.

There is no difference in security between a cert with a wildcard name and one that does not have a wildcard name.

5 Likes

@MikeMcQ Thanks for your help! Well then it makes sense to do http instead like so:
acme.sh --issue -d example.com -w /home/wwwroot/example.com
or
acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com

2 Likes

At the last attempt I set a 2 hrs sleep time and it worked. I am really grateful for your help.

1 Like

If I'd had an idea of how long (I mean really long) the sleep time should have been set, this would have been resolved nice and quick. Two good pieces of advice! Thank you.

2 Likes

Glad it's working. I still think you will have more reliable results switching to the HTTP Challenge method. And, you won't have to wait 2H :)

5 Likes

True, will do next time

2 Likes
