
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/bind/certbot-credentials.ini -d '' -d '*'

It produced this output:
Requesting a certificate for and *
Waiting 60 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for this domain

Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-rfc2136. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-rfc2136-propagation-seconds (currently 60 seconds).

My web server is (include version): apache

ubuntu server 20
I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

What's the problem?

I don't know if it's even possible, but bear with me and what I'm trying to do. I have an Apache server running on I have a virtualhost and added a made-up domain called :"" everything works fine. Now I want to add the certificate, but every time I try to do so I keep getting an error from certbot, so I decided to install BIND9. I configured it as I was reading from other people. So basically, I have this:
"root@axpteksvr:/etc/bind# cat
; BIND data file for
$TTL 86400
@ IN SOA (
2022032601 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL

; Name servers

; A records
axpteksvr IN A
www IN A

; MX record
@ IN MX 10

; Mail server
mail IN A

; TXT record
@ IN TXT "Welcome to"
root@axpteksvr:/etc/bind#" as my BIND dns server

Next I have this: "root@axpteksvr:/etc/bind# cat certbot-credentials.ini
# Target DNS server
dns_rfc2136_server =
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = certbot.
# TSIG key secret
dns_rfc2136_secret = 1Sbkw3/ICx6mZYrN2j4V/L1tasA//VGmhlVY61QfWljfUUJGgqHZY2aXpGljPVT+1o8aws0cWaZMyggIL/jj+A==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512"

I also have this: "root@axpteksvr:/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, BEFORE you customize
// this configuration file.
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.certbot";"

And I have this: "root@axpteksvr:/etc/bind# cat named.conf.certbot
key "certbot." {
    algorithm hmac-sha512;
    secret "1Sbkw3/ICx6mZYrN2j4V/L1tasA//VGmhlVY61QfWljfUUJGgqHZY2aXpGljPVT+1o8aws0cWaZMyggIL/jj+A==";
};

zone "" {
    type master;
    file "/var/lib/bind/";
    allow-query { any; };
    update-policy {
        grant certbot. name txt;
    };
};"

And this: "root@axpteksvr:/etc/bind# cat named.conf.local
// Do any local configuration here

zone "" {
    type master;
    file "/etc/bind/";
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";"

which I think is not even being used because I have this other one

"omar@axpteksvr:/var/lib/bind$ cat
$TTL 300 ; 5 minutes
IN SOA (
2022032601 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
$TTL 60 ; 1 minute
TXT "rYPft_CCsLLpJsI2kaoA3pPuOq-BcOY4q14E9Yldi6k"

in another file with another db name lol, but it works, I guess...

So yeah... that's pretty much what I think is important. The deal here is that I want to use certbot locally with bind9. Please guide me, I can't resolve it anymore.

It looks like the domain does not exist in the public DNS. It seems to be free for anyone to register at the moment, you or anyone else.

As Let's Encrypt is a publicly trusted CA, it requires all domain names to be in the public DNS. You can't use Let's Encrypt (or any publicly trusted CA for that matter) for local domains only.

Also, it's unwise to use domain names which could be public domains for local purposes. Usually one would use the .local TLD for local purposes.


Thanks for the response, I made up that domain. And I was wondering if I could get some sort of certificate any possible way using bind9 and certbot. They say you can but it's hard.


Only if you'd run your own local CA.

As mentioned earlier, publicly trusted CAs require a publicly available domain name. In the regular DNS.


OK, here's the thing: I have an HPE ProLiant server, with an IP of I have my projects in the virtual hosts. But since I don't want to make certbot look for a public domain, I want it to look in my bind9 DNS, so that it can issue me a certificate. I read something about a certbot plugin or something. Do you know anything about that?

Certbot can only interface with your BIND9 to put the TXT RR for the challenge there. The ACME server will afterwards check that TXT RR: that's not Certbot's doing, but the ACME server's. (E.g. Let's Encrypt from their own servers.)

If you want a PUBLICLY trusted certificate you need to have your domain name in PUBLIC DNS.

If you want a LOCALLY trusted certificate, you need to deploy your own ACME server (and thus run your own local CA) LOCALLY. There are multiple guides on how to do that. "step-ca" comes to mind.
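
A pre-flight check for the situation discussed in this thread, as an added example that is not part of any post above: it compares what the local BIND server answers for the challenge TXT record with what a public resolver (and therefore a public CA) sees. The name `example.test`, the token, the resolver `1.1.1.1` and the two `dig` outputs are constructed assumptions; `query()` needs `dig` and network access.

```python
import re
import subprocess

PUBLIC_RESOLVER = "1.1.1.1"  # assumption: any public recursive resolver will do

# Constructed `dig +noall +comments +answer` outputs (not taken from the thread).
SAMPLE_LOCAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
_acme-challenge.example.test. 60 IN TXT "constructed-token-value"
"""
SAMPLE_PUBLIC = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

def parse_dig(output):
    """Return (status, [TXT values]) from dig's comment and answer sections."""
    m = re.search(r"status: (\w+)", output)
    status = m.group(1) if m else "NORESPONSE"
    txt = []
    for line in output.splitlines():
        fields = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(fields) == 5 and not line.startswith(";") and fields[3] == "TXT":
            txt.append(fields[4].strip().strip('"'))
    return status, txt

def query(name, server):
    """Ask one server for the TXT RRset of `name` (live lookup via dig)."""
    cmd = ["dig", "+noall", "+comments", "+answer", "@" + server, name, "TXT"]
    done = subprocess.run(cmd, capture_output=True, text=True, timeout=20)
    return parse_dig(done.stdout)

def diagnose(local, public):
    """Classify why a dns-01 validation would pass or fail at a public CA."""
    (l_status, l_txt), (p_status, p_txt) = local, public
    if p_status == "NOERROR" and set(l_txt) & set(p_txt):
        return "ok: challenge record is visible in public DNS"
    if l_status == "NOERROR" and l_txt and p_status == "NXDOMAIN":
        return "local-only: BIND has the record but the name is not in public DNS"
    if l_status != "NOERROR" or not l_txt:
        return "update-failed: local BIND does not serve the challenge record"
    return "not-visible: public DNS does not return the local record"

if __name__ == "__main__":
    # Offline run on the constructed samples; for a live check use
    # diagnose(query(name, "127.0.0.1"), query(name, PUBLIC_RESOLVER)).
    print(diagnose(parse_dig(SAMPLE_LOCAL), parse_dig(SAMPLE_PUBLIC)))
```

A `local-only` result means the RFC 2136 update worked but no public CA can validate the name; that is the case where a private ACME CA is the remaining option.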