Error while renewing certificates using DNS API method


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
./ --issue -d --challenge-alias --dns dns_gd ( is an alias domain; used the DNS API and alias method to issue certificates)

It produced this output: error:DNS problem: NXDOMAIN looking up TXT for

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): RHEL

My hosting provider, if applicable, is: LOCAL DNS

I can login to a root shell on my machine (yes or no, or I don’t know): No

The certificates were issued to

These domains were hosted in GoDaddy when the certificates were issued using the Let's Encrypt DNS API method with an alias.

Recently these domains were moved to Internal DNS and the entries[1] were added to the DNS.

Domain Host/Name Type Points to _acme-challenge CNAME CNAME CNAME

I get the error error:DNS problem: NXDOMAIN looking up TXT for
while renewing



Do you mind telling us if matches with

Thank you


I am sorry for the confusion, I made an edit to the question for better understanding.

I am having an issue renewing certificates for all three of them. Initially I issued certificates separately to these domains



The int and qa do not have a valid CNAME record.
Could you please double check if that’s correctly setup?

Thank you



Is there a way I can check that online about the entries made in the DNS using a tool. We don’t manage the DNS and it takes a long time to get a reply from that department.


There’s a tool online called

Or you could also query your NS server directly and ask it for the latest status.
First, you’ll need to check the CNAME status.
Then, if all the CNAMEs show up as usual, check the TXT record.
dig TXT

Thank you


There are no TXT records for:

I do see one for:


@stevenzhu @rg305

Just want to make sure that the entries that I posted in the question are correct?


If you are trying to request certificates for,, and, the entries should be correct (all with _acme-challenge.)…

However, you haven’t added CNAME to and… (which you said should CNAME to, according to that table)

Thank you



Those were the entries initially added when The certificates were issued

I remember GoDaddy automatically picks up after That was the reason I did not make a CNAME entry to

Thank you for bringing that up. I have a follow-up question if you don't mind.

Is it the same with all hosting services or just GoDaddy? Because now this domain is moved to a local DNS.


If you are asking about automatically adding the root domain to DNS records, it depends on the DNS service (software).

Thank you


A local DNS system will (should) be easier to manage; but you still have to have one CNAME per: > > >



For , the entry that was added is

_acme-challenge CNAME

I could successfully renew the certificates for that domain. The problem I am having is with and

One more question: when I ping there is no response. Is it normal, or could that be creating an issue?


Hi @Pradeep

this is normal. These are only TXT entries, so there is no server required -> no server is able to answer a ping.


nslookup returns:

nslookup returns:
UnKnown can't find Non-existent domain

nslookup returns:
UnKnown can't find Non-existent domain

Also, when renewing multiple names that require TXT records:
You will need to ensure that all TXT records are added and exist (simultaneously).
That is, if for any reason subsequent TXT record additions overwrite any previous TXT record entries (so that only one TXT record exists at a time), you will need to add all the required TXT records at once (at the same time - with a line break between them).


This is not resolving because they are internal domains. When I do
nslookup ---- I get

Non-authoritative answer: canonical name =

I added and it seems like it still doesn't resolve the issue. I am attaching the log file. Can you please take a look if you don't mind.

Thank you @rg305 @JuergenAuer @stevenzhu

acme.txt (12.8 KB)



In this case, could you please try to add those records (only the TXT records) to the public DNS the domain is using? Otherwise Let’s Encrypt is not able to issue certificates for those domains.

Thank you


Steven, we added CNAME

I attached the log file that was generated after I tried to renew. Can you please take a look.

Also, after adding instead of, and do NSLOOKUP, I get

** server can’t find NXDOMAIN

acme.txt (12.8 KB)


Validation happens entirely on the external side.
You will have to obtain the cert from a system that has access to the Internet and can also update an Internet DNS zone.
The CNAME entries were to permanently forward the non-public zones to a publicly accessible zone.
They have to be in place for this to work.
The CNAME entries only need to be added to the public DNS zone.
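The check procedure given earlier in the thread (first confirm the `_acme-challenge` CNAME, then the TXT record at the alias target), the point about all TXT records having to exist at the same time, and the reply above about validation happening only against the public zone can be exercised offline. The following Python script is an added example, not code from the thread, acme.sh or Let’s Encrypt; it models a public zone as a dictionary of constructed records under placeholder names (`example.com`, `int.example.com`, `qa.example.com`, alias zone `acme.example.net`) and follows CNAMEs the way a resolver does, so a missing CNAME produces the same `NXDOMAIN looking up TXT for _acme-challenge.<name>` outcome the poster sees, while a TXT-overwrite at a shared alias target shows why several tokens must coexist.

```python
"""
Offline model of how an ACME DNS-01 validator resolves the alias (CNAME)
set-up discussed in this thread. All zone data and domain names below are
constructed for the example; they are not the poster's records.
"""

# Constructed public zone: owner name -> list of (rrtype, value).
# The base domain and "int" have their _acme-challenge CNAME pointing into the
# alias zone; "qa" deliberately has none, which reproduces the NXDOMAIN error.
PUBLIC_ZONE = {
    "_acme-challenge.example.com.": [("CNAME", "example.com.acme.example.net.")],
    "_acme-challenge.int.example.com.": [("CNAME", "int.example.com.acme.example.net.")],
    # "_acme-challenge.qa.example.com." is missing on purpose
    "example.com.acme.example.net.": [("TXT", "token-for-example-com")],
    "int.example.com.acme.example.net.": [("TXT", "token-for-int")],
    "qa.example.com.acme.example.net.": [("TXT", "token-for-qa")],
}

MAX_CNAME_DEPTH = 8


class NxDomain(Exception):
    """The queried name has no records of any type (rcode NXDOMAIN)."""


def lookup(zone, name, rtype, depth=0):
    """Return the values of `rtype` at `name`, following CNAMEs like a resolver.

    - no records at all at `name`      -> NxDomain (what the ACME error reports)
    - a CNAME at `name`                -> restart the query at the target
    - records present but not `rtype`  -> empty list (NODATA)
    """
    if depth > MAX_CNAME_DEPTH:
        raise RuntimeError(f"CNAME chain too long at {name}")
    rrset = zone.get(name)
    if rrset is None:
        raise NxDomain(name)
    cnames = [v for t, v in rrset if t == "CNAME"]
    if cnames and rtype != "CNAME":
        return lookup(zone, cnames[0], rtype, depth + 1)
    return [v for t, v in rrset if t == rtype]


def dns01_check(zone, domain, expected_token):
    """Mimic the validator: query TXT at _acme-challenge.<domain> (through the
    alias CNAME) and accept only if `expected_token` is among the TXT values.
    Returns (ok, detail) so the caller can see why a name fails.
    """
    qname = f"_acme-challenge.{domain}."
    try:
        txts = lookup(zone, qname, "TXT")
    except NxDomain as e:
        return False, f"DNS problem: NXDOMAIN looking up TXT for {e.args[0]}"
    if expected_token in txts:
        return True, f"found token via {qname}"
    return False, f"TXT present via {qname} but expected token not among {txts}"


def check_all(zone, expected):
    """Run dns01_check for every domain -> {domain: (ok, detail)}."""
    return {d: dns01_check(zone, d, tok) for d, tok in expected.items()}


def publish_txt(zone, name, token, replace=False):
    """Add a TXT value at `name`. With replace=True (how some DNS front ends
    behave) earlier TXT values are dropped: the overwrite trap the thread
    warns about when several names share one alias target."""
    others = [r for r in zone.get(name, []) if r[0] != "TXT"]
    kept = [] if replace else [r for r in zone.get(name, []) if r[0] == "TXT"]
    zone[name] = others + kept + [("TXT", token)]


if __name__ == "__main__":
    expected = {
        "example.com": "token-for-example-com",
        "int.example.com": "token-for-int",
        "qa.example.com": "token-for-qa",
    }
    for domain, (ok, detail) in check_all(PUBLIC_ZONE, expected).items():
        print(f"{domain:18} {'OK  ' if ok else 'FAIL'} {detail}")
```

Running it prints OK for the base domain and `int` and a FAIL with the NXDOMAIN wording for `qa`, which is exactly the split the poster reports: the alias zone already holds a TXT for `qa`, but nothing in the public zone points `_acme-challenge.qa.example.com` at it, so the validator never reaches that record. The dictionary stands in for whatever `dig`/`nslookup` return against the public name servers; internal-only records never enter it, matching the point that validation happens entirely on the external side.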


It still doesn’t exist in your public DNS records.

$ dig txt

; <<>> DiG <<>> txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32249
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096

;; AUTHORITY SECTION: 300 IN    SOA 2018101702 14400 3600 2419200 300

;; Query time: 25 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Dec 04 17:14:43 UTC 2018
;; MSG SIZE  rcvd: 154