Failed authorization - DNS problem: NXDOMAIN looking up TXT

The only thing I saw regarding the custom name servers is:

I tried to hook my domain to Google cloud DNS (and Compute engine behind that)

I'm not sure what this means or how that's an actual reason for the use of custom name servers.

Let's step back a little bit: Of which control panel of what service is this screenshot? Please be as exact as possible. (E.g., not just "Google".)


dig -t CNAME @


In google cloud DNS , I have to create a zone. In that I need to create an A record for IP , and CNAME for domain url. I need to copy NS entry name servers in Domain.

I can temporarily make the switch. to Default name servers ,
If I toggle, whet command should I run to verify please ?

nslookup -q=ns
dig NS @ +short


Ah I see that google cloud dns and domains are separate but similar (at least NS-wise) things. It looks like you're working with google domains panel instead of google cloud dns panel.

1 Like

yes. I am creating certificate for domain. So I am wrong then?

You have to make these records in the panel that actually controls dns records for the domain, in your case: cloud dns.


I dont know the link
See where I am changing

Maybe this will help:

1 Like

If I search for "google cloud DNS control panel" with Google Images, I'm getting pictures of control panels which are NOT looking like the control panel of your screenshots.

As @Nekit I suspect you're using the DNS zone editor of Google Domains, but your custom name servers are of Google Cloud.

If you don't have any good reason to use custom name servers to begin with, I certainly would switch back to the default name servers. If you still have the CNAME set up correctly, your setup should work. If you've removed the CNAME record, then you should add it again as previously recommended.


Lets come to the basics.
I have a domain and I want to create a certificate, then I am going to use the below right (?)

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/ --preferred-challenges dns --debug-challenges -d * -d
In this case, we copy output to custom record in "Default Name Server" tab as CNAME

If Google Cloud DNS comes into picture, do I need to creat certificate for my CloudDNS ?

{ App - (static ip) firewall - Cloud DNS - } ......DOmain .....browser

Is my target not Domain , if I use cloud DNS?

If we're talking REALLY basic then no, not necessarily.

You're using a very specific method for getting a wildcard certificate using acme-dns. If you don't need a wildcard certificate, but are fine with a certificate for just a few well-defined hostnames, you usually don't need the dns-01 challenge and don't need acme-dns.

When using acme-dns and you're using Google Domains as nameservers (and do NOT have Google Cloud nameservers configured for your domain) then yes, you should put the custom record as CNAME in your "Default Name Server" editor.

However, if you're using custom name servers, you should add that CNAME record at the DNS zone editor of those custom name servers, which in your case appears to be Google Cloud (which is different from Google Domains).

I have no idea what you mean by this.

I have no idea what you mean by this.

I have no idea what you mean by this.


I do not know what this means
I am using custom name server. It is true

I am assuming, I can add another CNAME record set in Google cloud Zone (NOT Domains). But what will be the DNS name ? type is CNAME (OK) and what about cannonical name ?

IF I then run sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/ --preferred-challenges dns --debug-challenges -d * -d

will it work ?

If you have Google Cloud nameservers set up as the authorative name servers for your domain then yes, you should add the CNAME record in the Google Cloud zone.

It would be exactly the same as in your Google Domains zone editor.

If the CNAME is set up correctly finally, then yes, it should work.


Can you advice what to do here ?

That should be the value you got from the script. I.e., the long hostname ending with


Thank you and DNS name empty or www ? ( I presume it is _acme** sorry for a daft question)

No, not empty or www. You have posted multiple screenshots of the instructions of the script already where it says to add the CNAME for

I'm starting to think this entire thread is one big giant troll :roll_eyes:

You've asumed correctly.


I see you've managed to correctly set up the CNAME record and got a certificate :slight_smile: