DNS validation failed

My domain is: sirona.cnrgh.fr

I ran this command: certbot -d sirona.cnrgh.fr --manual --preferred-challenge dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for sirona.cnrgh.fr


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.sirona.cnrgh.fr with the following value:

AWtwywYCJCWHuejnfdtiC7Z6KOAGX6aZ_s_uDlICtrs

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification...
Challenge failed for domain sirona.cnrgh.fr
dns-01 challenge for sirona.cnrgh.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: sirona.cnrgh.fr
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.sirona.cnrgh.fr - check that a DNS record exists
    for this domain

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

All my DNS servers have the right value for the TXT record:
dig @ns1.genoscope.cns.fr _acme-challenge.sirona.cnrgh.fr ANY +noall +answer

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @ns1.genoscope.cns.fr _acme-challenge.sirona.cnrgh.fr ANY +noall +answer
; (1 server found)
;; global options: +cmd
_acme-challenge.sirona.cnrgh.fr. 1 IN TXT "AWtwywYCJCWHuejnfdtiC7Z6KOAGX6aZ_s_uDlICtrs"

and I waited 5 minutes before validating.

I'm really puzzled.


It is possible that 5 minutes was not enough.
You need to:

That means ALL authoritative DNS servers must have this information before proceeding:

cnrgh.fr        nameserver = ns1.cng.fr
cnrgh.fr        nameserver = ns1.genoscope.cns.fr
cnrgh.fr        nameserver = ns2.cng.fr

[you need to DIG at all three of those]


I dug all my servers and the TXT record was there on all servers.

I have tried with the dns-rfc2136 plugin:

sudo certbot certonly \
  --dns-rfc2136 \
  --dns-rfc2136-credentials /etc/letsencrypt/certbot.ini \
  -d 'sirona.cnrgh.fr'

The update of the key works well in my DNS.
Here is the output of my dig command on all my servers:

dig @ip _acme-challenge.sirona.cnrgh.fr TXT +short

193.50.0.34
"pwKi_ugQo9uScUv1_M65UHrKRzRcT53m2FSqZrzEAZc"
193.50.0.35
"pwKi_ugQo9uScUv1_M65UHrKRzRcT53m2FSqZrzEAZc"
195.83.221.37
"pwKi_ugQo9uScUv1_M65UHrKRzRcT53m2FSqZrzEAZc"

but I still get a "DNS validation failed".

In the letsencrypt.log I can read:

2020-08-26 12:09:17,407:INFO:certbot._internal.auth_handler:dns-01 challenge for sirona.cnrgh.fr
2020-08-26 12:09:17,413:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.sirona.cnrgh.fr
2020-08-26 12:09:17,416:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for sirona.cnrgh.fr
2020-08-26 12:09:17,419:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for cnrgh.fr
2020-08-26 12:09:17,426:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Successfully added TXT record _acme-challenge.sirona.cnrgh.fr
2020-08-26 12:09:17,427:INFO:certbot.plugins.dns_common:Waiting 60 seconds for DNS changes to propagate
2020-08-26 12:10:17,487:INFO:certbot._internal.auth_handler:Waiting for verification...

so the update in the DNS is done,

but later in the log I got:
},
"status": "invalid",
"expires": "2020-09-02T10:09:17Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.sirona.cnrgh.fr - check that a DNS record exists for this domain",
"status": 400
},

Strange. I get:

root@Quake:~# dig ns cnrgh.fr +short 
ns1.cng.fr.
ns2.cng.fr.
ns1.genoscope.cns.fr.
root@Quake:~# dig ns cnrgh.fr +short | while read r; do dig txt @$r +short _acme-challenge.sirona.cnrgh.fr ; done
root@Quake:~# 
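A pre-flight version of the check in the reply above (ask every authoritative nameserver of the zone for the dns-01 TXT record before pressing Enter), added here as an example and not code from this thread or from Certbot. It shells out to `dig +short` as the replies do and assumes `dig` is installed; the `query` parameter accepts a substitute resolver, and the constructed `SAMPLE_ANSWERS` model the split-horizon outcome found later in the thread (one server has the record, the other two answer nothing).

```python
import subprocess
from typing import Callable, Dict, List, Optional

QueryFn = Callable[[str, str, Optional[str]], List[str]]


def dig_short(qname: str, qtype: str, server: Optional[str] = None) -> List[str]:
    """Run `dig +short` (optionally against one server) and return the answer
    lines; an empty list means NXDOMAIN or no data. Assumes `dig` is installed."""
    cmd = ["dig", "+short"] + (["@" + server] if server else []) + [qname, qtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def check_acme_txt(domain: str, zone: str, expected: str,
                   query: QueryFn = dig_short) -> Dict[str, str]:
    """Query every authoritative nameserver of `zone` for the dns-01 TXT record
    of `domain` and report, per server, whether `expected` is served."""
    name = "_acme-challenge." + domain
    report: Dict[str, str] = {}
    for ns in query(zone, "NS", None):
        ns = ns.rstrip(".")
        values = [v.strip('"') for v in query(name, "TXT", ns)]
        if not values:
            report[ns] = "missing (NXDOMAIN or no TXT)"  # what the CA reported here
        elif expected in values:
            report[ns] = "ok"
        else:
            report[ns] = "stale: " + ", ".join(values)  # old token still served
    return report


def all_ready(report: Dict[str, str]) -> bool:
    """True only when every authoritative server serves the expected token."""
    return bool(report) and all(v == "ok" for v in report.values())


# Constructed sample answers (not real lookups) modelling the split-horizon case:
# only the internal-view server carries the record, the other two have nothing.
SAMPLE_ANSWERS = {
    ("cnrgh.fr", "NS", None): ["ns1.cng.fr.", "ns2.cng.fr.", "ns1.genoscope.cns.fr."],
    ("_acme-challenge.sirona.cnrgh.fr", "TXT", "ns1.genoscope.cns.fr"): ['"TOKEN-CONSTRUCTED"'],
}


def fake_query(qname: str, qtype: str, server: Optional[str] = None) -> List[str]:
    return SAMPLE_ANSWERS.get((qname, qtype, server), [])


if __name__ == "__main__":
    rep = check_acme_txt("sirona.cnrgh.fr", "cnrgh.fr", "TOKEN-CONSTRUCTED", fake_query)
    for ns, status in rep.items():
        print(f"{ns}: {status}")
    print("ready for validation:", all_ready(rep))
```

Replace `fake_query` with the default `dig_short` to run it against live DNS from a host outside your network, which is the view Let's Encrypt sees.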

Thanks for your answer.

Indeed, I get a different answer from the outside.
I have to check that.

Well, I found the problem.

I have an internal and an external view.
The update works for the internal view and not for the external one.
I have to find a way to force the update for the external view.
