FAILURE of renewal due to DNS problem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): I don't know

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Cpanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't know

I was sent this email

Automatic Let's Encrypt renewal for was attempted and failed.
This certificate expires on 2022-04-05 17:10:16 +0700 WIB.

Unable to renew certificate: Updating challenge for acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for this domain (order URL:

You can configure/re-install/remove this certificate by logging into cPanel, and visiting the Lets Encrypt SSL page.


Welcome to the community @meisterakbar

Can you explain more what you are trying to do?

I ask because I see your main domain name server is using a Cloudflare cert which you got on Jan16 2022 which does not expire for a year.

Before you set up Cloudflare you got a cert from Let's Encrypt (maybe with cPanel?) on Jan5 2022.

I am guessing the cert you got on Jan5 needs to be changed for your newer Cloudflare configuration. But, it would help if you would explain what you are trying to do. Thanks


If you originally set up your certificate with DNS validation in cPanel, it means you were using cPanel nameservers for your domain at the time.

I would guess that you have since moved your domain to Cloudflare nameservers. This means that you can no longer use the DNS validation method within cPanel, because cPanel does not have access to modify your DNS records in Cloudflare.

What you can do is log in to cPanel and recreate the certificate through the Lets Encrypt SSL interface, choosing the HTTP validation method instead.


Except that doesn't resolve to any IP (presently) - and may require DNS-01 authentication to obtain a certificate. [catch-22]

Maybe there is some clever way to use CNAME that can overcome this limitation.


Hi Mike,

I was trying to renew my SSL Certificate, and yes, my certificate was registered before I configured the Cloudflare.

Oh, and I didn't know that cPanel can't modify my records in Cloudflare. So, I'll have to delete my current certificate and issue a new one using the HTTP method?

Just issue a new one without deleting the current one.

Or ask Cloudflare for a certificate from their "origin CA".


Well... You only need a TXT record on can NXDOMAIN all it wants.


NXDOMAIN means that subdomains don't exist as well. If a subdomain exists, but there's just no record for the subdomain level being requested, it should still return NOERROR. (So if is supposed to have a TXT record, then name.example needs to return NOERROR with no records instead of NXDOMAIN.) This has been a common source of confusion in some DNSSEC implementations, though.
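The NXDOMAIN versus NOERROR distinction described in the post above, as an added example that is not part of the original thread: a small model of how a compliant authoritative server should answer, plus a pre-renewal check on the `_acme-challenge` TXT name. The zone contents, the `example.test` names and the function names are constructed for illustration; wildcards and delegations are not modelled.

```python
# Added example: models the NXDOMAIN vs. NOERROR/NODATA rule (RFC 8020).
# ZONE is constructed sample data; example.test is a placeholder domain.
ZONE = {
    "example.test": {"A": ["192.0.2.10"]},
    "_acme-challenge.name.example.test": {"TXT": ["constructed-value"]},
}

def normalize(name):
    return name.rstrip(".").lower()

def lookup(zone, qname, qtype):
    """Return (rcode, answers) as a compliant authoritative server would."""
    qname = normalize(qname)
    owners = {normalize(n): rrsets for n, rrsets in zone.items()}
    if qname in owners:
        # Name exists; an empty answer list here is NODATA, not NXDOMAIN.
        return ("NOERROR", list(owners[qname].get(qtype, [])))
    # Empty non-terminal: no records at qname, but a name exists below it.
    if any(owner.endswith("." + qname) for owner in owners):
        return ("NOERROR", [])
    # Nothing at qname and nothing underneath it.
    return ("NXDOMAIN", [])

def dns01_preflight(zone, domain, expected_value):
    """Classify the DNS-01 TXT record state for domain before renewal."""
    rcode, answers = lookup(zone, "_acme-challenge." + domain, "TXT")
    if rcode == "NXDOMAIN":
        return "missing: NXDOMAIN, the challenge name does not exist"
    if not answers:
        return "missing: NODATA, the name exists but has no TXT record"
    if expected_value not in answers:
        return "stale: TXT present but value does not match"
    return "ok"

if __name__ == "__main__":
    for name, rtype in [("name.example.test", "TXT"),
                        ("_acme-challenge.name.example.test", "TXT"),
                        ("_acme-challenge.example.test", "TXT")]:
        print(name, rtype, lookup(ZONE, name, rtype))
    print(dns01_preflight(ZONE, "example.test", "constructed-value"))
    print(dns01_preflight(ZONE, "name.example.test", "constructed-value"))
```

Against a live zone, the same classification comes from the response status of a TXT query for the `_acme-challenge` name sent to the domain's current authoritative nameservers.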


Didn't know that.

