DNS problem: NXDOMAIN looking up TXT

Debug & Info

  • My domain is: e-vance.net
  • I ran this command: not applicable
  • It produced this output: not applicable
  • My web server is (include version): nginx 1.17.3
  • The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS
  • My hosting provider, if applicable, is: Hetzner
  • I can login to a root shell on my machine (yes or no, or I don’t know): yes
  • I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
  • The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not applicable

Ran some tests:

Question / Issue

I am using Trellis which automates the certificate generation and I can set up the certificate for e-vance.net just fine but www.e-vance.net keeps failing me and I cannot wrap my head around it…

Let’s Debug reports the following:

acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.e-vance.net - check that a DNS record exists for this domain

I have verified that the DNS record is active / existent:

dig +short A www.e-vance.net
159.69.115.236

Since I have re-launched my site just recently I am thinking that either I am hitting a limit here (see the CT logs) or this is due to the recent certificate bug and somehow interferes with re-issuing…?

Could anybody shed some light here? What am I doing wrong?

Thanks so much for your time, been struggling with this for hours now…

error message is right:

% dig +short _acme-challenge.www.e-vance.net txt
[no output]
# for ns in `dig +short e-vance.net ns`; do dig +short @$ns _acme-challenge.www.e-vance.net txt; done
[no output]

Did you add that TXT record?

Do you need to use DNS validation?


Oh wow, I finally got around to solving this… Possible issues:

  • A (stupid) manual nginx redirect template that triggered all requests to www to be re-written which in turn caused the certificate requests to fail
  • The DNS records needed more time to propagate (although I could ping them fine and used tools like DNSChecker to verify)

Thanks @9peppe for chipping in!


Nope. It’s your own provider that’s slow in updating your own authoritative servers.
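The loop 9peppe ran above (ask every authoritative nameserver of the zone for the TXT record) is the check the CA effectively performs: the validation server goes to the authoritative servers, so a caching resolver or a propagation-checker website showing the record proves nothing. The script below, an added example that is not code from the thread, Trellis or Let's Encrypt, automates that loop and distinguishes the three outcomes this thread touched: the record was never published (NXDOMAIN everywhere), only some of the provider's authoritative servers have picked it up yet, or every server serves it. Live lookups use dnspython (`pip install dnspython`); the nameserver names, addresses and token in `SAMPLE_ANSWERS` are constructed for the offline demo.

```python
"""Check a DNS-01 challenge TXT record the way the CA does: directly at every
authoritative nameserver of the zone, not through a caching resolver.

Added example for this thread, not code from Trellis, Let's Encrypt or any
poster. Real lookups use dnspython; the data in SAMPLE_ANSWERS is constructed.
"""
from typing import Callable, Dict, List, Optional

# query(server_ip, qname, rtype) -> rdata strings; [] on NXDOMAIN/NODATA.
QueryFn = Callable[[str, str, str], List[str]]


def dns_query(server: str, qname: str, rtype: str) -> List[str]:
    """Send one query straight to `server` with dnspython and return the rdata."""
    import dns.message
    import dns.query
    import dns.rcode

    req = dns.message.make_query(qname, rtype)
    resp = dns.query.udp(req, server, timeout=5)
    if resp.rcode() != dns.rcode.NOERROR:
        return []  # NXDOMAIN, SERVFAIL, ...
    want = req.question[0].rdtype
    return [r.to_text().strip('"') for rr in resp.answer if rr.rdtype == want for r in rr]


def zone_nameservers(name: str, query: QueryFn, resolver: str) -> List[str]:
    """Walk up the labels of `name` until a label answers with NS records."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the TLD
        ns = query(resolver, ".".join(labels[i:]), "NS")
        if ns:
            return [n.rstrip(".") for n in ns]
    return []


def check_acme_txt(fqdn: str, expected: Optional[str] = None,
                   query: QueryFn = dns_query, resolver: str = "9.9.9.9") -> Dict[str, object]:
    """Query _acme-challenge.<fqdn> TXT at each authoritative server.

    Verdicts: 'missing' (no server has it: the record was never published),
    'partial' (some servers lag behind: wait and retry), 'mismatch' (a server
    still serves an old token), 'ok', or 'no_nameservers' (delegation lookup failed).
    """
    challenge = "_acme-challenge." + fqdn.rstrip(".")
    answers: Dict[str, List[str]] = {}
    for ns in zone_nameservers(fqdn, query, resolver):
        for ip in query(resolver, ns, "A"):  # one entry per nameserver address
            answers[f"{ns} ({ip})"] = query(ip, challenge, "TXT")

    if not answers:
        verdict = "no_nameservers"
    elif not any(answers.values()):
        verdict = "missing"
    elif not all(answers.values()):
        verdict = "partial"
    elif expected is not None and not all(expected in v for v in answers.values()):
        verdict = "mismatch"
    else:
        verdict = "ok"
    return {"challenge": challenge, "answers": answers, "verdict": verdict}


# Constructed answers imitating the thread's outcome: the zone has two
# authoritative servers and only one has received the new TXT record so far.
SAMPLE_ANSWERS = {
    ("9.9.9.9", "www.e-vance.net", "NS"): [],
    ("9.9.9.9", "e-vance.net", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("9.9.9.9", "ns1.example.net", "A"): ["192.0.2.1"],
    ("9.9.9.9", "ns2.example.net", "A"): ["192.0.2.2"],
    ("192.0.2.1", "_acme-challenge.www.e-vance.net", "TXT"): ["token-abc"],
    # no entry for 192.0.2.2: that server still answers NXDOMAIN
}


def fake_query(table: Dict[tuple, List[str]]) -> QueryFn:
    """Offline stand-in for dns_query that answers from a constructed table."""
    return lambda server, qname, rtype: list(table.get((server, qname, rtype), []))


if __name__ == "__main__":
    import json
    # Offline demo on the constructed table; drop `query=` for a live check.
    print(json.dumps(check_acme_txt("www.e-vance.net", "token-abc",
                                    query=fake_query(SAMPLE_ANSWERS)), indent=2))
```

A `partial` verdict is the situation the last two posts describe: the record exists, but the provider has not yet pushed it to all of its authoritative servers, so a validation attempt that happens to hit the lagging one fails with NXDOMAIN. The right response is to wait until every server answers, not to re-add the record or retry in a tight loop against the rate limits.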
