DNS problem: NXDOMAIN looking up TXT

Debug & Info

  • My domain is: e-vance.net
  • I ran this command: not applicable
  • It produced this output: not applicable
  • My web server is (include version): nginx 1.17.3
  • The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS
  • My hosting provider, if applicable, is: Hetzner
  • I can login to a root shell on my machine (yes or no, or I don’t know): yes
  • I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
  • The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not applicable

Ran some tests:

Question / Issue

I am using Trellis which automates the certificate generation and I can set up the certificate for e-vance.net just fine but www.e-vance.net keeps failing me and I cannot wrap my head around it…

Let’s Debug reports the following:

acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.e-vance.net - check that a DNS record exists for this domain

I have verified that the DNS record is active / existent:

dig +short A www.e-vance.net
159.69.115.236

Since I have re-launched my site just recently I am thinking that either I am hitting a limit here (see the CT logs or this is due to the recent certificate bug and somehow interferes with re-issuing…?

Could anybody shed some light here? What am I doing wrong?

Thanks so much for your time, been struggling with this for hours now…

error message is right:

% dig +short _acme-challenge.www.e-vance.net txt
[no output]
# for ns in `dig +short e-vance.net ns`; do dig +short @$ns _acme-challenge.www.e-vance.net txt; done
[no output]

did you add that txt record?

Do you need to use DNS validation?

1 Like

Oh wow, I finally got around to solving this… Possible issues:

  • A (stupid) manual nginx redirect template that triggered all requests to www to be re-written which in turn caused the certificate requests to fail
  • The DNS records needed more time to propagate (although I could ping them fine and used tools like DNSChecker to verifiy)

Thanks @9peppe for chipping in!

1 Like

nope. it’s your own provider that’s slow in updating your own authoritative servers.