DNS problem: NXDOMAIN looking up TXT for

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://happytoo.app

I ran this command:

1) Type these 3 lines of code:

  • DOMAIN=happytoo.app
  • WILDCARD="*.$DOMAIN"
  • echo "$DOMAIN" && echo "$WILDCARD"

2) Type it:

  • sudo certbot -d "$DOMAIN" -d "$WILDCARD" --manual --preferred-challenges dns certonly

It produced this output:
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for happytoo.app

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.happytoo.app with the following value:

_AiYRHNnL92AyOWeycWDZdkU5TFFY9_O4qChW-fGGUs

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. happytoo.app (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.happytoo.app - check that a DNS record exists for this domain

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: happytoo.app
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.happytoo.app - check that a DNS record exists for
   this domain

My web server is (include version): AWS (Amazon Web Server), LAMP

The operating system my web server runs on is (include version): Not sure about this…

My hosting provider, if applicable, is: AWS, Lightsails

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): happytoo.app

(1) Even though I tried multiple times to create 5-6 TXT records and added them to the DNS zone, Let's Encrypt wasn't successfully renewed with the other old TXT records, so I decided to remove the old records.
(2) Therefore, I deleted all TXT records made from last time (10 records).

(3) I added a new TXT record correctly on DNS zone and tried again to renew the certificate.

(4) For this time I tried, it said “DNS problem: NXDOMAIN looking up TXT for”

Could you please help me solve this and renew Let's Encrypt successfully?
Q. Should I create a DNS TXT entry?
Q. Should I add them (removed TXT records) back to DNS zone? If so, how can I get them?
Q. Should I register letsencrypt again?

You should and you did correctly:

_acme-challenge.happytoo.app. 60 IN	TXT	"PRbYMIopP0zue2W05T3avjQF39eRzqXfpFsEV5SpCOE"
_acme-challenge.happytoo.app. 60 IN	TXT	"_AiYRHNnL92AyOWeycWDZdkU5TFFY9_O4qChW-fGGUs"
happytoo.app.		172800	IN	NS	ns-1147.awsdns-15.org.
happytoo.app.		172800	IN	NS	ns-137.awsdns-17.com.
happytoo.app.		172800	IN	NS	ns-1765.awsdns-28.co.uk.
happytoo.app.		172800	IN	NS	ns-528.awsdns-02.net.
;; Received 309 bytes from 205.251.196.123#53(ns-1147.awsdns-15.org) in 19 ms

As you can see there, there are 4 authoritative DNS servers for your domain name. Perhaps it's just a question of waiting a little bit longer for the TXT record to be propagated to all the DNS servers. You can check every DNS server manually by running, for example, dig @ns-137.awsdns-17.com _acme-challenge.happytoo.app TXT and changing the nameserver for each of the 4 different DNS servers.

If ALL servers return the required TXT records, you can continue with certbot ("Press Enter to Continue")

You should only add the TXT record values requested by certbot.

I don't see why or how that would help you.

By the way, something might be wrong with your "script" for the wildcard. When requesting a wildcard certificate including the base domain, you're adding two hostnames to the certificate and certbot should ask you to add two TXT records, one for each of the hostnames. Certbot here only asks you to add one, which is strange to me. Perhaps the TXT record for the other hostname was already validated? Can you remember something like that?

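A script for the "check every DNS server manually" step above, as an added example that is not from the thread: it assumes `dig` is installed, discovers the zone's NS records, asks each server for the _acme-challenge TXT record, and reports which servers lack the value certbot printed and whether they answer NXDOMAIN (name does not exist) or NOERROR (name exists, no TXT).

```shell
#!/bin/sh
# Added example, not from the thread: verify the dns-01 TXT record on every
# authoritative nameserver before pressing Enter in certbot's manual mode.
# Assumes `dig` (dnsutils / bind-utils) is installed.

# Normalise `dig +short ... TXT` output: join the quoted chunks of one RDATA
# ("abc" "def" -> abcdef) and drop the surrounding quotes, one value per line.
parse_txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# has_value EXPECTED: succeeds if EXPECTED appears as a whole line on stdin.
has_value() {
    grep -qxF -- "$1"
}

# rcode NS NAME: prints the response code one server returns for NAME/TXT.
# NXDOMAIN means the name itself does not exist there (for example because the
# record was created under a typo such as _acme-challenge@..example.com);
# NOERROR with no values means the name exists but carries no TXT record.
rcode() {
    dig +noall +comments +time=3 +tries=1 "@$1" "$2" TXT |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# check_all_ns DOMAIN EXPECTED: succeeds only if every authoritative server of
# DOMAIN returns EXPECTED for _acme-challenge.DOMAIN. Prints one line per server.
check_all_ns() {
    domain=$1; expected=$2; name="_acme-challenge.$1"; ok=0; fail=0
    for ns in $(dig +short +time=3 "$domain" NS); do
        if dig +short +time=3 +tries=1 "@$ns" "$name" TXT | parse_txt_values |
                has_value "$expected"; then
            echo "OK       $ns"; ok=$((ok + 1))
        else
            echo "MISSING  $ns ($(rcode "$ns" "$name"))"; fail=$((fail + 1))
        fi
    done
    [ "$ok" -gt 0 ] && [ "$fail" -eq 0 ]
}

# usage: sh check_acme_txt.sh happytoo.app _AiYRHNnL92AyOWeycWDZdkU5TFFY9_O4qChW-fGGUs
if [ "$#" -eq 2 ]; then
    check_all_ns "$1" "$2"
fi
```

Only continue in certbot once every server prints OK; a single MISSING server is enough for the validation to fail, because Let's Encrypt may query any of them.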

Hi @jineous27

Your command says: You must create two TXT entries with the same name and different values.

Your check says - https://check-your-website.server-daten.de/?q=happytoo.app#txt

Only one row exists. Two green rows with the same domain name are required.


My dig a few hours ago revealed two TXT records. Certbot in the log above only asks for one TXT record. I reckon one of the hostnames was validated and the other one failed for some reason.


(Problem Solved)

Yes, on the DNS zone (AWS), there are still 5-6 TXT records, which were created before. These TXT records look incorrect. I'll probably remove them and try to add another TXT record again.

--------Successfully renewed a certificate (Correct Process) -------------
(1) There were 6 more TXT records, which were created before.
(2) All of them were created with an incorrect name - _acme-challenge@..happytoo.app.
(It's not validated because of the incorrect name. I found this accidentally)
#These incorrect name & value TXT entries are the main reason for this problem.
(3) I changed the name from it to the correct form - _acme-challenge.happytoo.app.
(I can't remove these entries with the incorrect name)
(4) I removed the incorrect & outdated TXT record entries

That's why this command gives me only 1 value. (Another value was successfully added on the server)

(5) I re-type "sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly" & get 2nd value by certbot.
(6) I added 2nd value and successfully got a certificate.

#Thank you so much @JuergenAuer @Osiris. You guys are my hero :smiley:

