Error Getting Validation Data - Using Domain Forwarding

I am new to Nginx w/ LetsEncrypt and used it to initially set up the cert 90 days ago, but the time has come to renew. Right now all of the traffic just gets blanketly forwarded using my DNS. I don’t have any A/AAAA records set up for it other than www. (@?) going to my host IP. I was reading other posts like mine and saw some information about IPv6 configs for Nginx, but I didn’t see a good solution. I already broke my Nginx instance once trying to troubleshoot and had to restore a backup.

My domain is: (forwarding) -->

I ran this command: ./certbot-auto renew

It produced this output:

All renewal attempts failed. The following certs could not be renewed:
***/ (Failure)

Type: connection
Detail: Error getting validation data

(Says that I need to enter a DNS A /AAAA record on the domain to contain the proper IP address)

My web server is (include version): Nginx 1.12.2

The operating system my web server runs on is (include version): CentOS 6.9

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


I don’t feel the domain forwarding would work like this…

The usual forwarding is 301 (on server) which LE would follow…

Thank you

How, exactly?

Yes, you do. You have A records for pointing to four different IPs: 216.239.{32|34|36|38}.21.

No, it doesn't. It gives much more information than that, which would be critical to determining exactly what happened. Admittedly, whenever validation fails, certbot suggests a DNS failure, which is (IMO) pretty misleading--but it always gives more detail.

There are a bunch of ways to do redirects; some play better with LE than others. An HTTP 301 works fine. A CNAME record works fine. Most other methods, not so much.

Hey Dan,

I am using the domain forwarding option using the Google Domains DNS synthetic records. The four A/AAAA records you are referring to are a part of that domain forwarding that Google does for analytics and what-not. I guess I didn’t actually know those were there without looking at the DNS records again, my bad.

Do you think I should get rid of this “forwarding” option using the Google DNS and set up another method to redirect so LE plays nice?

The actual error in full says:

1 renew failure(s), 0 parse failure(s)


  • The following errors were reported by the server:

Domain: 1
Type: connection
Detail: Error getting validation data

To fix these errors, please make sure that your domain name was entered correctly and the dns A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using webroot plugin, you should also verify that you are serving files from the webroot path you provided.

Hey Steven,

As mentioned in my other response to Dan, I assume my problem is that I am trying to use the Google DNS manager to forward everything to my other domain. Do you have any alternatives or references to documentation for other methods?

I have two domains and I want all of the traffic from the .com to forward to the other one.



As Dan and I said, the domain redirection on register will not forward the path to your destination.
For example, will not forward to, instead it will forward only to, hence you would need a 301 redirect that is set up on your server to do the trick.

Thank you

Hi @idrewt,

You need to activate Path Forwarding on your Google DNS forward configuration.



Hey Sahsanu,

Wanted to post an update even though I haven’t had success yet. I made too many requests trying different things but I expect once I’ve waited for my cooldown to finish I will have it fixed.

The Google DNS forwarding option was disabled; after enabling it I was able to have success with a dry run. The dry run ran the HTTP-01 challenge and succeeded. I proceeded to run the renew challenge and it failed, but it used the tls-sni-01 challenge.

When I can test again I will try adding --preferred-challenges http-01 to my renew command to see if that works. It may just be a timing thing after making the change with the DNS forwarding option.

I’ll write an update if it works!


After trying to run the renewal again it was successful.

The problem was initially because I had the forwarding option disabled (which is the default for Google DNS). After enabling it I had issues passing the tls-sni-01 challenge; to get around this I used the following command:

./certbot-auto renew --preferred-challenges http-01

After running this command the renewals succeeded. Thanks everyone!

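An added example, not code from any poster in this thread or from the certbot project: a Python check that follows the redirect chain from a domain's HTTP-01 challenge URL and reports whether the `/.well-known/acme-challenge/` path survives forwarding, which is the failure discussed above. The function names, the `probe-token` value and the assumption that the destination serves the token at the same path are illustrative.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError


def fetch_hop(url):
    """Make one request and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_challenge(domain, token="probe-token", fetch=fetch_hop, max_hops=10):
    """Walk redirects from the HTTP-01 URL and report where the path is lost.

    Assumption: the final host serves the token at the same path, so a
    redirect that changes the path means validation cannot succeed.
    """
    want = ACME_PREFIX + token
    url = f"http://{domain}{want}"
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((status, url))
        if status not in REDIRECTS or not location:
            # Reached a real response; a 404 is expected for a made-up token.
            return {"hops": hops, "final_url": url, "path_kept": True,
                    "reason": "served"}
        url = urljoin(url, location)
        if urlsplit(url).path != want:
            return {"hops": hops, "final_url": url, "path_kept": False,
                    "reason": "path dropped"}
    return {"hops": hops, "final_url": url, "path_kept": False,
            "reason": "too many redirects"}


if __name__ == "__main__" and len(sys.argv) > 1:
    print(trace_challenge(sys.argv[1]))
```

Run it with the forwarded domain as the only argument; a `path dropped` result means the forwarder is sending the challenge request to the destination's root rather than to the token path.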
