certbot certonly --manual --preferred-challenges dns --cert-name admin.itracklive.co.za
It produced this output:
Failed authorization procedure. admin.itracklive.co.za (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.admin.itracklive.co.za - check that a DNS record exists for this domain
My web server is (include version):
Apache/2.4.29 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS
My hosting provider, if applicable, is:
xneelo (Hetzner)
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
konsoleH
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.27.0
I can confirm that the TXT record exists and is correct by running "dig _acme-challenge.admin.itracklive.co.za txt" on the same server.
I can confirm that the TXT record can be seen in the wild by checking on https://mxtoolbox.com
The TTL doesn't matter: the Let's Encrypt validation server queries the nameservers directly, from the root to the authoritative nameservers.
It might be as simple as waiting a little bit longer before triggering the validation attempt. Sometimes it takes a while for the RR to propagate to all nameservers of the DNS provider. Note that DNS providers often use anycast, so a single IP address might have multiple physical servers around the world. Thus it's often not possible to determine with a dig if every nameserver actually has the correct TXT RR.
Also note that the manual plugin is not recommended, as the resulting certificate cannot be automatically renewed. Do you even require the dns-01 challenge? Can't you use the http-01 challenge using port 80?
I was able to get the dns-01 challenge to work by just waiting about 10 minutes before pressing enter at the "Before continuing, verify the record is deployed." step.
However, it would appear that the only way to issue a dns-01 challenge certificate with certbot is with the manual plugin, which means that it will not automatically renew. This is not ideal.
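The propagation wait discussed in this thread can be checked rather than guessed. The script below is an added example, not part of the original posts: it asks each authoritative nameserver of the zone directly for the challenge TXT value and succeeds only once all of them serve it. The function names and the ZONE/NAME/VALUE arguments are assumptions for illustration, and because one anycast address can hide servers that still lag, a pass is a lower bound rather than a guarantee.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that every authoritative
# nameserver serves the dns-01 TXT value before continuing in certbot.
# Function names and arguments are hypothetical; requires dig.

# Print the zone's authoritative nameservers, one per line.
zone_nameservers() {
    dig +short NS "$1" | sed 's/\.$//'
}

# Succeed if nameserver $1 itself answers TXT for name $2 with value $3.
# +norecurse asks for the server's own data rather than a cached answer.
ns_has_txt() {
    dig +short +norecurse TXT "$2" "@$1" | tr -d '"' | grep -Fxq -- "$3"
}

# Succeed only when all nameservers of zone $1 serve TXT $2 = $3.
txt_on_all_ns() {
    seen=0
    missing=0
    for ns in $(zone_nameservers "$1"); do
        seen=$((seen + 1))
        if ns_has_txt "$ns" "$2" "$3"; then
            echo "ok      $ns"
        else
            echo "missing $ns"
            missing=$((missing + 1))
        fi
    done
    # No nameservers found counts as failure, not success.
    [ "$seen" -gt 0 ] && [ "$missing" -eq 0 ]
}

# Poll up to $4 times (default 20), sleeping $5 seconds (default 30).
wait_for_txt() {
    tries=${4:-20}
    delay=${5:-30}
    i=1
    while [ "$i" -le "$tries" ]; do
        if txt_on_all_ns "$1" "$2" "$3"; then return 0; fi
        sleep "$delay"
        i=$((i + 1))
    done
    return 1
}

# Usage: sh check.sh ZONE _acme-challenge.NAME VALUE [TRIES] [DELAY]
if [ "$#" -ge 3 ]; then wait_for_txt "$@"; fi
```

Run it in a second terminal while certbot waits at the "Before continuing, verify the record is deployed." prompt, and press enter only after it exits 0.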