DNS validation failed

My domain is: sirona.cnrgh.fr

I ran this command: certbot -d sirona.cnrgh.fr --manual --preferred-challenge dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for sirona.cnrgh.fr

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged

(Y)es/(N)o: Y

Please deploy a DNS TXT record under the name
_acme-challenge.sirona.cnrgh.fr with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification...
Challenge failed for domain sirona.cnrgh.fr
dns-01 challenge for sirona.cnrgh.fr
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Domain: sirona.cnrgh.fr
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.sirona.cnrgh.fr - check that a DNS record exists
    for this domain

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

All my DNS servers have the correct value for the TXT record:
dig @ns1.genoscope.cns.fr _acme-challenge.sirona.cnrgh.fr ANY +noall +answer

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @ns1.genoscope.cns.fr _acme-challenge.sirona.cnrgh.fr ANY +noall +answer
; (1 server found)
;; global options: +cmd
_acme-challenge.sirona.cnrgh.fr. 1 IN TXT "AWtwywYCJCWHuejnfdtiC7Z6KOAGX6aZ_s_uDlICtrs"

and I wait 5 minutes before validating.

I'm really puzzled.


It is possible that 5 minutes was not enough.
You need to:

That means ALL authoritative DNS servers must have this information before proceeding:

cnrgh.fr        nameserver = ns1.cng.fr
cnrgh.fr        nameserver = ns1.genoscope.cns.fr
cnrgh.fr        nameserver = ns2.cng.fr

[you need to DIG at all three of those]

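The check the reply above asks for, as an added example that is not from the thread: ask each authoritative server for the zone directly, with recursion disabled, so a local resolver's internal view cannot mask a record that the outside world never sees. The live collector assumes dnspython is installed; the sample answers are constructed, with the nameserver names and the challenge value taken from the thread.

```python
"""Check every authoritative nameserver for the expected _acme-challenge TXT."""
from typing import Dict, List, Optional

EXPECTED = "AWtwywYCJCWHuejnfdtiC7Z6KOAGX6aZ_s_uDlICtrs"  # value shown in the thread

# Constructed sample answers (hypothetical) keyed by nameserver: the TXT
# strings returned, or None for NXDOMAIN / no data.
SAMPLE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "ns1.genoscope.cns.fr": [EXPECTED],
    "ns1.cng.fr": None,                    # external view never got the update
    "ns2.cng.fr": ["OLDCHALLENGEVALUE"],   # stale value from an earlier run
}

def classify(answers: Dict[str, Optional[List[str]]], expected: str) -> Dict[str, str]:
    """Label each server 'ok', 'missing' (NXDOMAIN / no data) or 'stale'."""
    result = {}
    for ns, txts in answers.items():
        if not txts:
            result[ns] = "missing"
        elif expected in txts:
            result[ns] = "ok"
        else:
            result[ns] = "stale"
    return result

def ready_for_validation(answers: Dict[str, Optional[List[str]]], expected: str) -> bool:
    """True only when every authoritative server already serves the value."""
    return all(v == "ok" for v in classify(answers, expected).values())

def query_authoritatives(name: str, zone: str, timeout: float = 3.0):
    """Live collector (needs network and dnspython): look up the zone's NS
    set, then ask each server by IP with the RD flag cleared, so the answer
    comes from that server's own view rather than from a local resolver."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver
    answers: Dict[str, Optional[List[str]]] = {}
    for ns in dns.resolver.resolve(zone, "NS"):
        host = ns.target.to_text().rstrip(".")
        ip = dns.resolver.resolve(host, "A")[0].to_text()
        query = dns.message.make_query(name, "TXT")
        query.flags &= ~dns.flags.RD  # non-recursive, like the CA's validator
        try:
            reply = dns.query.udp(query, ip, timeout=timeout)
        except Exception:  # timeout or refused: treat as missing
            answers[host] = None
            continue
        txts = [b"".join(rd.strings).decode() for rrset in reply.answer
                if rrset.rdtype == dns.rdatatype.TXT for rd in rrset]
        answers[host] = None if reply.rcode() == dns.rcode.NXDOMAIN else txts
    return answers
```

Run `ready_for_validation(query_authoritatives("_acme-challenge.sirona.cnrgh.fr", "cnrgh.fr"), EXPECTED)` from a host outside your network and only press Enter in certbot once it returns True.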

I dug all my servers and the TXT record was there on all servers.

I have tried with the dns-rfc2136 plugin:

sudo certbot certonly \
  --dns-rfc2136-credentials /etc/letsencrypt/certbot.ini \
  -d 'sirona.cnrgh.fr'

The update of the key works well in my DNS.
Here is the output of my dig command on all my servers:

dig @ip _acme-challenge.sirona.cnrgh.fr TXT +short

but I still get a DNS validation failed.

In the letsencrypt.log I can read:

2020-08-26 12:09:17,407:INFO:certbot._internal.auth_handler:dns-01 challenge for sirona.cnrgh.fr
2020-08-26 12:09:17,413:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.sirona.cnrgh.fr
2020-08-26 12:09:17,416:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for sirona.cnrgh.fr
2020-08-26 12:09:17,419:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for cnrgh.fr
2020-08-26 12:09:17,426:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Successfully added TXT record _acme-challenge.sirona.cnrgh.fr
2020-08-26 12:09:17,427:INFO:certbot.plugins.dns_common:Waiting 60 seconds for DNS changes to propagate
2020-08-26 12:10:17,487:INFO:certbot._internal.auth_handler:Waiting for verification...

so the update in the DNS is done,

but later in the log I got:

"status": "invalid",
"expires": "2020-09-02T10:09:17Z",
"challenges": [
    "type": "dns-01",
    "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.sirona.cnrgh.fr - check that a DNS record exists for this domain",
        "status": 400

Strange. I get:

root@Quake:~# dig ns cnrgh.fr +short 
root@Quake:~# dig ns cnrgh.fr +short | while read r; do dig txt @$r +short _acme-challenge.sirona.cnrgh.fr ; done

Thanks for your answer.

Indeed, I get a different answer from the outside.
I have to check that.

Well, I found the problem.

I have an internal and an external view.
The update works for the internal one and not for the external one.
I have to find a way to force the update for the external one.
