DNS validation failed

My domain is: sirona.cnrgh.fr

I ran this command: certbot -d sirona.cnrgh.fr --manual --preferred-challenge dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for sirona.cnrgh.fr


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.sirona.cnrgh.fr with the following value:

AWtwywYCJCWHuejnfdtiC7Z6KOAGX6aZ_s_uDlICtrs

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Challenge failed for domain sirona.cnrgh.fr
dns-01 challenge for sirona.cnrgh.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: sirona.cnrgh.fr
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.sirona.cnrgh.fr - check that a DNS record exists
    for this domain

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

All my DNS servers have the correct value for the TXT record:
dig @ns1.genoscope.cns.fr _acme-challenge.sirona.cnrgh.fr ANY +noall +answer

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @ns1.genoscope.cns.fr _acme-challenge.sirona.cnrgh.fr ANY +noall +answer
; (1 server found)
;; global options: +cmd
_acme-challenge.sirona.cnrgh.fr. 1 IN TXT "AWtwywYCJCWHuejnfdtiC7Z6KOAGX6aZ_s_uDlICtrs"

and I waited 5 minutes before validating.

I'm really puzzled.


It is possible that 5 minutes was not enough.
You need to:

That means ALL authoritative DNS servers must have this information before proceeding:

cnrgh.fr        nameserver = ns1.cng.fr
cnrgh.fr        nameserver = ns1.genoscope.cns.fr
cnrgh.fr        nameserver = ns2.cng.fr

[you need to DIG at all three of those]


I dug all my servers and the TXT record was there on all servers.

I have tried with the dns-rfc2136 plugin:

sudo certbot certonly \
  --dns-rfc2136 \
  --dns-rfc2136-credentials /etc/letsencrypt/certbot.ini \
  -d 'sirona.cnrgh.fr'

The update of the key works well in my DNS.
Here is the output of my dig command on all my servers:

dig @ip _acme-challenge.sirona.cnrgh.fr TXT +short

193.50.0.34
"pwKi_ugQo9uScUv1_M65UHrKRzRcT53m2FSqZrzEAZc"
193.50.0.35
"pwKi_ugQo9uScUv1_M65UHrKRzRcT53m2FSqZrzEAZc"
195.83.221.37
"pwKi_ugQo9uScUv1_M65UHrKRzRcT53m2FSqZrzEAZc"

but I still get a DNS validation failed.

In letsencrypt.log I can read:

2020-08-26 12:09:17,407:INFO:certbot._internal.auth_handler:dns-01 challenge for sirona.cnrgh.fr
2020-08-26 12:09:17,413:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.sirona.cnrgh.fr
2020-08-26 12:09:17,416:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for sirona.cnrgh.fr
2020-08-26 12:09:17,419:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for cnrgh.fr
2020-08-26 12:09:17,426:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Successfully added TXT record _acme-challenge.sirona.cnrgh.fr
2020-08-26 12:09:17,427:INFO:certbot.plugins.dns_common:Waiting 60 seconds for DNS changes to propagate
2020-08-26 12:10:17,487:INFO:certbot._internal.auth_handler:Waiting for verification…

so the update in the DNS is done,

but later in the log I got:

  },
  "status": "invalid",
  "expires": "2020-09-02T10:09:17Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.sirona.cnrgh.fr - check that a DNS record exists for this domain",
        "status": 400
      },

Strange. I get:

root@Quake:~# dig ns cnrgh.fr +short 
ns1.cng.fr.
ns2.cng.fr.
ns1.genoscope.cns.fr.
root@Quake:~# dig ns cnrgh.fr +short | while read r; do dig txt @$r +short _acme-challenge.sirona.cnrgh.fr ; done
root@Quake:~# 

Thanks for your answer.

Indeed I get a different answer from the outside.
I have to check that.

Well, I found the problem.

I have an internal and an external view.
The update works for the internal view and not for the external one.
I have to find a way to force the update for the external view.
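The check the helper ran with `dig ns ... | while read r` above, and the split-horizon finding that explains the NXDOMAIN, as an added example that is not part of the thread or of Certbot: it queries each authoritative nameserver of the zone directly and gives a per-server verdict, so an "ok" from an internal view and a "missing" from outside show up side by side. It assumes dnspython >= 2.0 for the live queries; `classify` itself needs no network.

```python
"""Per-nameserver check of an _acme-challenge TXT record, the way an ACME
validator sees it (added example, not Certbot code; live queries need dnspython>=2)."""
from typing import Dict, List, Optional

# OK = expected value served, MISSING = NXDOMAIN/NODATA (the error above),
# MISMATCH = a stale token is served, UNREACHABLE = no answer at all.
OK, MISSING, MISMATCH, UNREACHABLE = "ok", "missing", "mismatch", "unreachable"


def classify(expected: str,
             answers: Dict[str, Optional[List[str]]]) -> Dict[str, str]:
    """answers maps nameserver -> TXT strings; [] = NXDOMAIN/NODATA,
    None = query failed or timed out."""
    verdicts = {}
    for ns, txts in answers.items():
        if txts is None:
            verdicts[ns] = UNREACHABLE
        elif not txts:
            verdicts[ns] = MISSING
        elif expected in txts:
            verdicts[ns] = OK
        else:
            verdicts[ns] = MISMATCH
    return verdicts


def all_ok(verdicts: Dict[str, str]) -> bool:
    # Only proceed with the challenge when every authoritative server agrees.
    return bool(verdicts) and all(v == OK for v in verdicts.values())


def query_authoritative(zone: str, name: str,
                        timeout: float = 5.0) -> Dict[str, Optional[List[str]]]:
    """Ask every NS of `zone` directly, bypassing any caching resolver, for the
    TXT records of `name` (the same loop as `dig ns ... | while read r` above)."""
    import dns.exception
    import dns.resolver  # lazy import: only needed for live queries
    answers: Dict[str, Optional[List[str]]] = {}
    for ns_rr in dns.resolver.resolve(zone, "NS"):
        ns = str(ns_rr.target).rstrip(".")
        res = dns.resolver.Resolver(configure=False)
        res.nameservers = [a.address for a in dns.resolver.resolve(ns, "A")]
        res.lifetime = timeout
        try:
            rrset = res.resolve(name, "TXT")
            answers[ns] = [b"".join(r.strings).decode() for r in rrset]
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            answers[ns] = []
        except dns.exception.DNSException:
            answers[ns] = None
    return answers
```

Run `classify(token, query_authoritative("cnrgh.fr", "_acme-challenge.sirona.cnrgh.fr"))` from a host outside the internal view, since that is the vantage point the validator has; a "missing" there while dig on the LAN shows the token is exactly the external view not receiving the update.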