DNS problem: NXDOMAIN looking up TXT

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nyresidentsalliance.org

I ran this command:
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

It produced this output:
Failed authorization procedure. nyresidentsalliance.org (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT
for _acme-challenge.nyresidentsalliance.org - check that a DNS record exists for this domain

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nyresidentsalliance.org
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.nyresidentsalliance.org - check that a DNS record
    exists for this domain

My web server is (include version):
bitnami@ip-172-26-3-150:~$ httpd -v
Server version: Apache/2.4.41 (Unix)
Server built: Feb 7 2020 11:05:17

The operating system my web server runs on is (include version):
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0


Hello @queenian, welcome to the community.

I'm certainly not an expert but at first glance it looks like you may have an issue with your server time configuration.

Not Before Tue, 29 Dec 2020 01:18:06 GMT
Not After Mon, 29 Mar 2021 01:18:06 GMT

https://www.ssllabs.com/ssltest/analyze.html?d=nyresidentsalliance.org

https://crt.sh/?q=nyresidentsalliance.org

Hope this helps at least with a starting point.


The SSL certificate was working fine, and I think there was some problem when I tried to renew it (it was due for renewal on 3/29). After the renewal failed, I tried to create a new one, and then I got the above error. I think the server time is correct:
Last login: Mon Mar 29 14:45:00 2021 from 72.21.217.129
bitnami@ip-172-26-3-150:~$ date
Mon Mar 29 17:19:44 UTC 2021
bitnami@ip-172-26-3-150:~$

I keep getting this error each time I try to execute this command:
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

Error I got:
_acme-challenge.nyresidentsalliance.org - check that a DNS record
exists for this domain

Please help.


Welcome to the Let's Encrypt Community, Vito :slightly_smiling_face:

You probably already know this, but you need to create new TXT records each time you create or renew a certificate. Since you're using manual authentication (without manual-auth-hook or manual-cleanup-hook scripts to add and remove the TXT records automatically), you'll need to add and remove the specified TXT records yourself, being sure to give adequate time for the TXT records to propagate. You can check for the propagation of the TXT records with dig. Once your certificate has been successfully issued, you can remove all existing _acme-challenge TXT records.

Here's what currently exists:

id 8031
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
_acme-challenge.nyresidentsalliance.org. IN TXT
;ANSWER
_acme-challenge.nyresidentsalliance.org. 299 IN TXT "LSz1DWF-9igLH_u-pBVL8VMy79oRN9DXyQLfOvnO5AU"
;AUTHORITY
;ADDITIONAL

Example command:

sudo certbot certonly --cert-name nyresidentsalliance.org --manual --preferred-challenges dns -d "nyresidentsalliance.org,*.nyresidentsalliance.org" --keep

The command above will require creating 2 TXT records, both with a host of _acme-challenge.nyresidentsalliance.org, but with different values.

Side note:

You cannot use sudo certbot renew when using manual authentication because the renew function runs "non-interactively", meaning that it doesn't pause to let you manually add the TXT records. Hence why you would need manual-auth-hook and manual-cleanup-hook scripts.

You might consider using acme-dns to help you automate your renewals.

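As an added example (not from this thread and not Certbot's own code), here is a small POSIX shell script that performs the dig propagation check described above: it asks each authoritative nameserver directly, so resolver caches cannot hide a missing record, and it waits for every value Certbot asked for (a base name plus a wildcard means two values at the same `_acme-challenge` name) before you press Enter at the manual prompt. The `SAMPLE_OUTPUT` values and the `wait_for_txt`, `TRIES` and `DELAY` names are constructed for this script and are not Certbot options.

```shell
#!/bin/sh
# Added example: verify _acme-challenge TXT values on all authoritative
# nameservers before continuing a `certbot --manual` DNS challenge.

# Return 0 when token $1 appears as one of the TXT strings in $2, where $2 is
# the output of `dig +short TXT <name>` (one double-quoted string per line).
txt_has_value() {
    expected="$1"
    output="$2"
    printf '%s\n' "$output" | sed -e 's/^"//' -e 's/"$//' | grep -q -x -F -- "$expected"
}

# Print each token (arguments after the first) that is absent from the dig
# output in $1; prints nothing when every token is present.
missing_tokens() {
    output="$1"; shift
    for tok in "$@"; do
        txt_has_value "$tok" "$output" || printf '%s\n' "$tok"
    done
}

# Poll every authoritative nameserver of $1 until _acme-challenge.$1 carries
# all tokens given as the remaining arguments. TRIES/DELAY are this script's
# own knobs (constructed names), not Certbot settings.
wait_for_txt() {
    domain="$1"; shift
    name="_acme-challenge.$domain"
    tries="${TRIES:-30}"; delay="${DELAY:-10}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        pending=""
        nslist=$(dig +short NS "$domain") || nslist=""
        [ -n "$nslist" ] || pending="(no NS answer)"   # never succeed on silence
        for ns in $nslist; do
            pending="$pending$(missing_tokens "$(dig +short TXT "$name" "@$ns")" "$@")"
        done
        [ -z "$pending" ] && return 0
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Constructed `dig +short TXT` output: the stale value quoted in the thread
# plus a hypothetical second value, as a two-domain order would require.
SAMPLE_OUTPUT='"LSz1DWF-9igLH_u-pBVL8VMy79oRN9DXyQLfOvnO5AU"
"EXAMPLE-second-token-for-wildcard"'

# Usage: DELAY=15 sh check_txt.sh nyresidentsalliance.org TOKEN1 TOKEN2
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@" && echo "all TXT values visible" || { echo "timed out"; exit 1; }
fi
```

Run it with the domain and the exact validation strings Certbot printed; once it reports success, return to the Certbot prompt and continue.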

Thanks for your help. I gave it enough time to refresh before I hit the return key. It is working now.


Beautiful! :partying_face:

Glad to hear it! :smiley:
