How to avoid or fix this problem for intranet. I want to fix this for localhost.
I’m using CentOS 7 and Apache.

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: dvwa.lab.net
2: www.dvwa.lab.net
3: dvwa.test.net
4: www.dvwa.test.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dvwa.lab.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. dvwa.lab.net (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for dvwa.lab.net


  • The following errors were reported by the server:

    Domain: dvwa.lab.net
    Type: None
    Detail: DNS problem: SERVFAIL looking up A for dvwa.lab.net


Hi @mitul9727001893

You can’t get a certificate with a non-public domain name.

nslookup dvwa.lab.net
Non-existent domain

Are you the owner of lab.net? If yes, create A records dvwa.lab.net -> your IP.

If no, you can’t get a certificate with this name.


Sure you can, if you use DNS validation instead of HTTP.


If he isn’t the owner of lab.net, then he can’t create a DNS entry.

And I don’t think he is the owner of test.net.


Granted. If he is, though, he can get a cert for dvwa.lab.net without an A record for that name.


lab.net has DNSSEC enabled at the TLD, but disabled on the domain’s authoritative DNS servers.

lab.net.                86359   IN      DS      2371 13 2 1E06862E75CAA7D2ADFF5619CEB78EAA7728987B0A40B3CDA7C7F61F D2A49EAF

Resolvers that validate DNSSEC, such as those used by Let’s Encrypt, won’t be able to resolve the domain.

That’s a Cloudflare DS record, and the domain is using Cloudflare DNS servers, but it looks like DNSSEC got turned off at Cloudflare.

You need to turn it back on and, possibly, change the DS record, if they tell you to.

Or you can delete the DS record at the registrar to finish disabling DNSSEC.
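
The failure described in this post, as an added example that is not part of the original thread: a Python sketch of the DS-to-DNSKEY link a validating resolver checks (RFC 4034), showing why a leftover DS record with no DNSKEY behind it ends in SERVFAIL. It models only the DS match, not RRSIG verification; the function names and the sample key are constructed for illustration, and the DS tuple is the one quoted above.

```python
import hashlib
import struct

def name_to_wire(name):
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Build DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, rdata):
    """Derive the SHA-256 (digest type 2) DS tuple the parent zone should hold."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_state(owner, parent_ds, child_dnskeys):
    """Classify a delegation by its DS set (parent) and DNSKEY set (child)."""
    if not parent_ds:
        return "insecure"  # no DS: zone treated as unsigned, answers accepted
    derived = {ds_from_dnskey(owner, k) for k in child_dnskeys}
    if derived & set(parent_ds):
        return "secure"    # DS matches a published key (signatures not checked here)
    return "bogus"         # DS promises signing, no matching key: SERVFAIL

# DS record quoted in the thread: key tag, algorithm, digest type, digest.
THREAD_DS = (2371, 13, 2,
             "1E06862E75CAA7D2ADFF5619CEB78EAA7728987B0A40B3CDA7C7F61FD2A49EAF")
# Constructed sample key, NOT lab.net's real key: flags 257, protocol 3, algorithm 13.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    # DS left at the registrar, DNSSEC switched off at the DNS host.
    print(chain_state("lab.net.", [THREAD_DS], []))
    # DS deleted at the registrar.
    print(chain_state("lab.net.", [], []))
    # DNSSEC re-enabled and the DS updated to match the new key.
    print(chain_state("lab.net.", [ds_from_dnskey("lab.net.", SAMPLE_KEY)], [SAMPLE_KEY]))
```

The three calls correspond to the current state and the two fixes named in the post: deleting the DS record, or turning DNSSEC back on and updating the DS.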


I’m a noob at these things, so I don’t even know how to modify this DNSSEC thing.
Can you help me?
Because I’m doing this on localhost by giving it the domain name dvwa.lab.net, and I want to use HTTPS for it on my intranet, not on the public or open internet.


Are lab.net and test.net your domain names?

Publicly trusted certificates can only be issued for real domain names to people who control them.

Let’s Encrypt doesn’t have any other options.

While you can get certificates for hostnames that aren’t publicly accessible – such as by using DNS validation, or split horizon DNS – you have to use your own domain name.



If you want to use that domain (proven that you aren’t the domain owner) in a local network, please use a self-signed certificate.

All publicly trusted certificates must at least prove domain ownership in order for the certificates to be issued. (Or there’s some trouble and a CA will suffer.)

Thank you

