DNS problem: NXDOMAIN looking up TXT for

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: quick-repair.be

I ran this command:

sudo ./certbot-auto certonly --manual --preferred-challenges=dns --email hello@appsdevs.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.quick-repair.be

It produced this output:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. quick-repair.be (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.quick-repair.be

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: quick-repair.be
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.quick-repair.be

I get the above error for the first challenge itself. I never reached the 2nd challenge.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 16.04 LTS

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin Web Control Panel © 2012-2017 JBMC Software

I tried placing the TXT record in the control panel with the following 3 types, but all failed:

_acme-challenge.quick-repair.be
_acme-challenge.quick-repair.be.
_acme-challenge

What is incorrect on my side? Please help! Thanks for your time and expert guidance.

You may want to try using the DigitalOcean DNS plugin mentioned in this post. Let me know if that works out for you. Getting wildcard certificates with Certbot

I am afraid I cannot use that. I have an ERPNext setup, so I will have to stick to
sudo ./certbot-auto certonly --manual --preferred-challenges=dns --email hello@appsdevs.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.quick-repair.be
Please help. Thanks!

Did you manually test if the TXT records were actually resolvable from the internet? I.e., by running, for example, dig +trace _acme-challenge.quick-repair.be. TXT

Yes, it gets resolved.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace _acme-challenge.quick-repair.be.
;; global options: +cmd
. 384102 IN NS k.root-servers.net.
. 384102 IN NS c.root-servers.net.
. 384102 IN NS h.root-servers.net.
. 384102 IN NS l.root-servers.net.
. 384102 IN NS g.root-servers.net.
. 384102 IN NS b.root-servers.net.
. 384102 IN NS i.root-servers.net.
. 384102 IN NS m.root-servers.net.
. 384102 IN NS j.root-servers.net.
. 384102 IN NS f.root-servers.net.
. 384102 IN NS e.root-servers.net.
. 384102 IN NS d.root-servers.net.
. 384102 IN NS a.root-servers.net.
. 518399 IN RRSIG NS 8 0 518400 20180826170000 20180813160000 41656 . UG2eRBIjvPlwaDAlvgWEPmLpnnSDUimVXj0dzEiq9am4lpqBEq/p1s6T 2h6Cu+lcPWFF1nLIVgnuMO00lPPeJWDtdmk2dkCR24Fv5JXS6RZkR72w 6CpHcTdnEnbkD9WqNCKUSSU4n7s/3aZRbv0UK6qnxdLw+6fJ24e+xi69 63Ff3HmQ2C8CvN5ej+0UW0KuAFGuvpiXByxX7ZKdlctsmDXVFha3Whea JLsU917N8yt4WnK5yJjMcoMB/M+m8SKQSnVTUW7kKkQJHz+jd4xxloId SAGbTv6493Dv/jHcrX6wmYDBM9Es7lMgZg3HZmU6y3eY3bRYDgAX0NLy mfk2CQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 38 ms

be. 172800 IN NS b.ns.dns.be.
be. 172800 IN NS a.ns.dns.be.
be. 172800 IN NS x.ns.dns.be.
be. 172800 IN NS d.ns.dns.be.
be. 172800 IN NS y.ns.dns.be.
be. 172800 IN NS c.ns.dns.be.
be. 86400 IN DS 16684 8 1 8BD0806315E077B56D3D0E235727F31D8CB9BF3C
be. 86400 IN DS 16684 8 2 7EF0A483A7A96FCECF3D9067828BAF7F3DF22C3276671C2E88AA4636 FD259F34
be. 86400 IN DS 12664 8 1 59462E9CB5520A36DD248D9DDC4EAA44672A5ED1
be. 86400 IN DS 12664 8 2 75141E9B1188A95A7A855BF47E278A742A5E3F2DDEED8E995D749D48 F2F0E72D
be. 86400 IN RRSIG DS 8 1 86400 20180826170000 20180813160000 41656 . 9BL+xAYObruF6m0NuFzlVYIx0Cg78VbYqO2QOn9GUdrVXn8UfcFZ6p2h U7foNFgc9OitwDMe4rf09dp/WhIn9BLakWqLR5l1Q6wsHvGz1Uhk+uOm SKHRDsZyc6fg6cFpYbbhb4Qnga/72AZT0giSCjrsZTFwltuDHqZK6Nji L1T2NC+gsrSwDzoNRYl0Ul9sxwcszOUGOMDtYIBRdgxzIq2jRJJC5w97 WsE2BDBswoZu03uD5jH8I6idrcLY0KeHwEDXdBsOyA3hnREOuUAegbP7 IGjwn3lWZDTkUYB+HNLPOm2a2m0J8Yvn0wJmxnL/vyXR+gCiCB59ffWH Rma1QA==
;; Received 882 bytes from 192.112.36.4#53(g.root-servers.net) in 297 ms

quick-repair.be. 86400 IN NS ns1.zxcs.nl.
quick-repair.be. 86400 IN NS ns2.zxcs.nl.
quick-repair.be. 86400 IN NS ns3.zxcs.nl.
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BA175A6M75ITNTD2DO5RIQLCVM45GSMR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20180821234702 20180811231429 12255 be. wEYRzjoXfkBYSD/PWGKEqikG8/Zhi4IjfF00+eGVp4vCm0yVckBiFquN 3/cybzkW2ond075hR6+oySnww7z2+eDt3Tme9vYbzANnnVsB00DXRcXr prwFgJH4tCX5+WYdFnzyq4imiKMtZ4vy2U2K7xPEIo5eYArzl1FUvEDL 9OQ=
nbgoujpcfrj7suj2ns70vuh3v8djvojs.be. 600 IN NSEC3 1 1 5 1A4E9B6C NBHAHRPQJV0JHERFGCPPD0PTETQHUDT9 NS DS RRSIG
nbgoujpcfrj7suj2ns70vuh3v8djvojs.be. 600 IN RRSIG NSEC3 8 2 600 20180820002348 20180809234643 12255 be. fGV9dvVlkr7jGVROJ4Os9p1jDxLHNJApW8VYEHFPLWowTx+m2Dl7xqtC II9DADIJpg6+mg0OVg/Od4bLVPh3ZOlNcGuF77E28Ih4y+8qCHfeNj4s uqpuqT402FlwujsmGKDsaAcXlYb7VeCgdlaiJysxiKk0p1T/ENG33Od/ 29U=
;; Received 646 bytes from 194.0.37.1#53(b.ns.dns.be) in 149 ms

quick-repair.be. 600 IN SOA ns1.zxcs.nl. hostmaster.quick-repair.be. 2018081304 600 3600 1209600 86400
;; Received 118 bytes from 185.104.28.19#53(ns1.zxcs.nl) in 206 ms

Sometimes it takes a few minutes before all of the authoritative name servers are updated. You don’t need to wait for actual propagation or anything, but all of your authoritative name servers need to be serving the new record before you have Let’s Encrypt validate the challenge.

Ehh, I'm not seeing any TXT records..? Edited my previous post to make it clearer you're trying to get the actual TXT records.

Edit: I'm seeing the TXT record. Does certbot still say it gets an NXDOMAIN?

Yes, it fails:

Failed authorization procedure. quick-repair.be (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.quick-repair.be

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: quick-repair.be
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.quick-repair.be

Well, now it fails for me again too… So I guess Let’s Encrypt is right.

Did you remove the previous TXT record and add a new one? It probably takes some time to propagate the settings from the control panel to the actual DNS servers… You should try waiting longer and continue with the authorization process in certbot once you can verify the existence of the TXT record yourself with dig.

Oh, there is a special TXT entry:

_acme-challenge.quick-repair.be.quick-repair.be text =
"88JIafqFF5JzxlV7wmT-hg7eLTnlLMd9RCuwxawkesg"

This is double-defined.

If you use a menu, then create only an entry with _acme-challenge as name. The domain is added by your context.

Now the certificate is created:

https://transparencyreport.google.com/https/certificates/Z%2BagDGkrE6IiXsm81ZUEmXclUDnHcX8Ozn1fJ9OiZtk%3D

But: The certificate has only one name *.quick-repair.be

If you want to use the certificate with websites:

Create a new certificate with two names: *.quick-repair.be and quick-repair.be

Then two DNS entries with the same name

_acme-challenge.quick-repair.be

are required. One with the hash of *.quick-repair.be, the other with the hash of quick-repair.be.

Thanks!! @JuergenAuer
I am able to get through. Please close it

Some of the things that worked:

  1. If you use a menu, then create only an entry with _acme-challenge as name. The domain is added by your context.

  2. dig -t TXT _acme-challenge.quick-repair.be <-- confirm before accepting challenge

At present I require only the base name domain cert, so I corrected that.

Also thanks everyone for helping @Osiris
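As an added example (not code from this thread, from Certbot or from DirectAdmin): a small Python pre-flight that models the control-panel naming rule JuergenAuer describes (the panel appends the zone origin to a name without a trailing dot, which is how `_acme-challenge.quick-repair.be.quick-repair.be` came to exist) and the "confirm with dig before accepting the challenge" step from the summary, including the two-values-at-one-name case needed for `*.quick-repair.be` plus `quick-repair.be`. The key authorizations and the published TXT RRset are constructed placeholders; the real token and account thumbprint come from the ACME order.

```python
import base64
import hashlib

# Constructed values for the demo; the real token and account thumbprint come from the ACME order.
DOMAIN = "quick-repair.be"
KEY_AUTHORIZATIONS = ["tokenForWildcard.thumbprint", "tokenForApex.thumbprint"]

def owner_name(entered: str, origin: str) -> str:
    """Zone-file $ORIGIN rule, as a panel applies it: a name without a trailing
    dot is relative and gets the origin appended; '@' or '' is the origin itself."""
    origin = origin.strip().rstrip(".").lower()
    entered = entered.strip().lower()
    if entered in ("", "@"):
        return origin
    if entered.endswith("."):
        return entered.rstrip(".")
    return f"{entered}.{origin}"

def diagnose_entry(entered: str, origin: str) -> str:
    """Say what owner name the panel will publish for one entered name."""
    origin = origin.strip().rstrip(".").lower()
    expected = f"_acme-challenge.{origin}"
    actual = owner_name(entered, origin)
    if actual == expected:
        return "ok"
    if actual == f"{expected}.{origin}":
        return "doubled: origin appended to an already qualified name"
    return f"wrong name: {actual}"

def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT RDATA is base64url(SHA-256(keyAuthorization)), unpadded."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def missing_txt_values(origin: str, key_authorizations: list, published: dict) -> list:
    """Both *.example and example validate at the same _acme-challenge name, so the
    RRset there (what `dig -t TXT` returns) must hold one value per identifier.
    `published` maps owner name -> TXT strings as the authoritative server serves them."""
    name = f"_acme-challenge.{origin.strip().rstrip('.').lower()}"
    served = set(published.get(name, ()))
    return [v for v in map(dns01_txt_value, key_authorizations) if v not in served]

if __name__ == "__main__":
    for entered in ["_acme-challenge.quick-repair.be", "_acme-challenge.quick-repair.be.", "_acme-challenge"]:
        print(f"{entered!r:40} -> {diagnose_entry(entered, DOMAIN)}")
    # Constructed RRset: only the wildcard's value was published, so one value is still missing.
    zone = {"_acme-challenge.quick-repair.be": [dns01_txt_value(KEY_AUTHORIZATIONS[0])]}
    print("missing:", missing_txt_values(DOMAIN, KEY_AUTHORIZATIONS, zone))
```

Run it before pressing Enter in certbot: an empty `missing` list for the RRset you actually see with `dig -t TXT` is the condition the thread waits for.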
