DNS problem: NXDOMAIN looking up TXT

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: odaku.net

I ran this command:
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d odaku.net -d www.odaku.net --manual --preferred-challenges dns-01 certonly

It produced this output:

Waiting for verification...
Challenge failed for domain odaku.net
Challenge failed for domain www.odaku.net
dns-01 challenge for odaku.net
dns-01 challenge for www.odaku.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: odaku.net
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.odaku.net - check that a DNS record exists for this
    domain

    Domain: www.odaku.net
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.www.odaku.net - check that a DNS record exists for
    this domain

My web server is (include version):
nginx
The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS (Focal Fossa)
My hosting provider, if applicable, is:
Go Daddy

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
N

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I don't see the TXT records either. Did you add them to your DNS?

https://toolbox.googleapps.com/apps/dig/#TXT/

I have TXT records for both _acme-challenge.odaku.net and _acme-challenge.www.odaku.net. What is the tool you used above? I ran the following commands; the results are below:
$ dig _acme-challenge.www.odaku.net TXT

; <<>> DiG 9.16.1-Ubuntu <<>> _acme-challenge.www.odaku.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6255
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.www.odaku.net. IN TXT

;; Query time: 252 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Aug 13 22:59:31 UTC 2021
;; MSG SIZE  rcvd: 58

And for odaku.net:
$ dig _acme-challenge.odaku.net TXT

; <<>> DiG 9.16.1-Ubuntu <<>> _acme-challenge.odaku.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22237
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.odaku.net. IN TXT

;; Query time: 256 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Aug 13 23:00:50 UTC 2021
;; MSG SIZE  rcvd: 54

I used Google dig. There were no TXT records found in my search OR yours. Are you sure you're adding them to the correct DNS zone?

What you have is:

nslookup -q=txt _acme-challenge.odaku.net.odaku.net
_acme-challenge.odaku.net.odaku.net     text =
        "Eb5a0nW5F4z_pJzFNdT9DAmlvBOMo17EQI06R6VaoSg"

nslookup -q=txt _acme-challenge.www.odaku.net.odaku.net
_acme-challenge.www.odaku.net.odaku.net text =
        "3LtYG5IfCVwjnxs_RL3fXy-_Vrr2I6fvHCzE8_3PIgo"

When creating the TXT record, don't include the domain name in the domain zone.
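The post above diagnoses the problem from the lookups: the panel appended the zone name to a name that already contained it, so the records landed at _acme-challenge.odaku.net.odaku.net. The script below is an added example and is not code from this thread or from Certbot. It takes the zone, the domain being validated and the validation value certbot printed (all three are placeholders on the command line), prints the relative record name the panel actually expects, and then polls the zone's authoritative nameservers with dig (bypassing the local resolver's cache) until every one of them returns the expected TXT record. While waiting it also looks for a record at the doubled name, which is the symptom seen in this thread. Run it in a second terminal before pressing Enter at certbot's prompt.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Certbot: a pre-flight check
# for dns-01 TXT records. Hypothetical usage (all three arguments are
# placeholders, the value is whatever certbot printed at its prompt):
#   ./acme-txt-check.sh odaku.net www.odaku.net 3LtYG5IfCVwjnxs_RL3fXy-_Vrr2I6fvHCzE8_3PIgo

# Strip the zone from an FQDN to get the relative name that a control panel
# which appends the zone itself expects. Returns "@" at the zone apex and
# fails if the name is not inside the zone at all.
relative_label() {
  local fqdn="${1%.}" zone="${2%.}"
  local suffix=".$zone"
  case "$fqdn" in
    "$zone")   printf '@\n' ;;
    *."$zone") printf '%s\n' "${fqdn%"$suffix"}" ;;
    *)         printf 'error: %s is not in zone %s\n' "$fqdn" "$zone" >&2; return 1 ;;
  esac
}

# Where a record lands when the full FQDN is typed into a panel that appends
# the zone name on its own (the mistake diagnosed in this thread).
doubled_name() {
  printf '%s.%s\n' "${1%.}" "${2%.}"
}

# True when every authoritative nameserver for the zone returns the expected
# TXT value for the name. Querying the authoritative servers directly skips
# the local resolver's cache, so a stale NXDOMAIN there does not mislead you.
txt_present_at_authoritative() {
  local name="$1" want="$2" zone="$3" ns ok=1
  for ns in $(dig +short NS "$zone"); do
    if ! dig +short @"$ns" TXT "$name" | grep -qxF -- "\"$want\""; then
      ok=0
    fi
  done
  [ "$ok" -eq 1 ]
}

main() {
  local zone="$1" domain="$2" want="$3"
  local fqdn="_acme-challenge.$domain"
  echo "In zone $zone, create a TXT record with"
  echo "  name:  $(relative_label "$fqdn" "$zone")    (FQDN: $fqdn)"
  echo "  value: $want"
  # Poll for up to five minutes, checking for the doubled-name mistake each round.
  for _ in $(seq 1 30); do
    if txt_present_at_authoritative "$fqdn" "$want" "$zone"; then
      echo "OK: $fqdn TXT is visible on all authoritative servers; continue certbot."
      return 0
    fi
    if dig +short TXT "$(doubled_name "$fqdn" "$zone")" | grep -q .; then
      echo "WARNING: a TXT record exists at $(doubled_name "$fqdn" "$zone");" >&2
      echo "         the panel appended the zone. Re-enter the name as '$(relative_label "$fqdn" "$zone")'." >&2
    fi
    sleep 10
  done
  echo "timed out waiting for $fqdn TXT" >&2
  return 1
}

# Only run the check when invoked with all three arguments; the functions
# above can also be sourced and used on their own.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

The relative name is what you type into a panel that appends the zone for you; a panel that takes full names instead (as the AWS zone mentioned later in the thread apparently does) needs the FQDN, ideally with a trailing period so it cannot be appended to. Checking the authoritative servers rather than 127.0.0.53 matters because systemd-resolved will happily keep serving a cached NXDOMAIN for the TTL of the zone's negative-caching value after the record has been created.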

I concur. You beat me to it, @rg305. :beer:

You guys are awesome!
I deleted the existing TXT records and created new ones and this time I used _acme-challenge and _acme-challenge.www and it worked!
Is "Go Daddy" appending the DNS names to the TXT record? Because this does not happen on my other domain on AWS.
Thank you!

Different DNS systems handle this differently.
Some apparently need some AI added, as a human would catch that immediately. LOL
So it depends, and it should be tested to see how your individual DNS systems react.
Perhaps, when adding an FQDN entry, using a period at the end could help too.
YMMV.

Glad to see that you got the cert :slight_smile:
Cheers from Miami :beers:

#FreeCuba

Thanks for the explanation! One more upvote for restating the benefits of AI... ha ha...