DNS problem: NXDOMAIN

My domain is:

aap.internal.ames.net

I ran this command:

certbot -v certonly --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: aap.internal.ames.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for aap.internal.ames.net
Performing the following challenges:
http-01 challenge for aap.internal.ames.net
Waiting for verification...
Challenge failed for domain aap.internal.ames.net
http-01 challenge for aap.internal.ames.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: aap.internal.ames.net
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for aap.internal.ames.net - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for aap.internal.ames.net - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):

Red Hat Enterprise Linux release 8.5 (Ootpa)

My hosting provider, if applicable, is:

NA

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.26.0

I have verified that forward and reverse entries are in my DNS server.

nslookup aap.internal.ames.net
Server: 172.16.1.1
Address: 172.16.1.1#53

Name: aap.internal.ames.net
Address: 172.16.1.4

nslookup 172.16.1.4
4.1.16.172.in-addr.arpa name = aap.internal.ames.net.

Hi @zigfreed, and welcome to the LE community forum :slight_smile:

LE can't validate your domain against your personal DNS server.
It must validate it against what the Internet sees/trusts.

Think about it this way...
If anyone could force LE to validate any domain against any DNS server, they could get certs issued for any/every domain on the Internet.
"LE, come validate me as bank.com; see that I'm in control of that domain at these private DNS servers"
[not the DNS servers that the bank.com domain lists as authoritative].

So, you would need to put real Internet-reachable IPs for your FQDN in the listed authoritative DNS servers for ames.net before you can validate the certificate request via HTTP:

ames.net        nameserver = ns15.domaincontrol.com
ames.net        nameserver = ns16.domaincontrol.com

Thank you for the feedback. I am looking for a way to secure my internal only websites. :sunglasses:


@zigfreed, do you really control ames.net as a whole, or are you just using that name because you chose to?

That is, is this an internal name under your own domain, but not visible to the rest of the Internet, or is it more of an internal name that you just made up?

In the first case, Let's Encrypt has a possible workaround for you. In the second case, you can't get a publicly trusted certificate for this name at all; it would be against industry rules for any publicly-trusted CA to give that certificate to you, for the reason that @rg305 mentioned before (the certificate is meant to be proof, for anyone, that you are really entitled to use that name, so it can never be a name that you just unilaterally decided to use).

