Get certificate for a domain without A record

I am trying to get a certificate for a domain that does not have an A record (let it be but it has an NS record to an IP resolvable domain (let it be Getting the certificate for and using a service delegated on, I get an alert on my service clients that is not trusted. When I tried to get a certificate for, I got an error because it is not a resolvable domain. What do I need to do?

My domain is:
I ran this command:
certbot certonly -d --standalone
It produced this output:
Type: unknownHost
Detail: No valid IP address found for
My operating system is (include version):
Debian 3.16.36
I can login to a root shell on my machine (yes or no, or I don’t know): I have root access only on

Hi @sym, I didn’t understand what you meant by “using a service delegated on”. How is the service “delegated on” if isn’t a resolvable domain and doesn’t have an A record?

I have an XMPP server running on but I want the relevant JIDs to be I am sorry for being inaccurate in my question, I am still a newbie…

I don’t know exactly how XMPP handles this kind of naming or how that interacts with certificates. Are you sure that the DNS record that relates the two is an NS record? Like the nameserver is an authoritative nameserver for the domain?

Yes, I am sure about that.

When you said "I get an alert on my service clients that is not trusted", how did the service clients know how or where to connect at all if doesn’t have an A record? Why didn’t they just say that doesn’t exist?

In the configuration file of the XMPP server I have in the hosts block (domains served by ejabberd) as well as in the access control lists part where I have specified an admin at I guess this makes things work…

I'm no XMPP expert but I think I remember reading that it was a SRV record. Googling this hunch brings me here, which seems to agree.

XMPP is indeed delegated via SRV records in DNS. In the scenario put forth by @sym, has a well-known SRV record that points XMPP clients to a service hosted on

However, for clients to validate the TLS certificate, it must be valid for, regardless of whatever may be found in the SRV record. Hence sym needing to get an LE certificate for rather than

@sym, to answer your question, you will either need to add an A record and run a simple server there to issue your certificate before moving it over to your XMPP server on, or you may be able to use one of the DNS API or manual methods; I’m not at all familiar with those, however, but hopefully with the confusion vis-a-vis XMPP and the various hosts involved here cleared up someone else can step in and point you in the right direction.


Yeah, that's about it. To do DNS-01 validation for, you'd create a TXT record named containing the required magic random data. You don't need any A or AAAA records.

You can use Certbot's manual mode, and edit your DNS records by hand, and have to do this again every 2-3 months to renew the certificate.

If you have a programmatic way to change your DNS records (nsupdate, sed, an API server...) or can set up a CNAME record or delegation to a DNS host with a programmatic way to change the records, you can automate everything.

Several of the bash clients have supported scriptable DNS-01 validation for years. Certbot only added the feature in version 0.10, with certbot manual --manual-auth-hook and --manual-cleanup-hook; it ought to be relatively simple to write or adapt a script for it, but there probably aren't many already written.

It may be easier to set up A and/or AAAA records for and use HTTP-01 or TLS-SNI-01 validation with, for example, Certbot's standalone server mode.

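As an added example that is not from the thread, here is what a scriptable DNS-01 hook of the kind described above can look like: a certbot --manual-auth-hook that publishes the _acme-challenge TXT record with nsupdate and refuses names that are not inside the zone it updates (the "out-of-zone data" problem). The zone name, nameserver and TSIG key file are assumed values; certbot itself supplies CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.

```shell
#!/bin/sh
# Added example (not the thread's code): certbot --manual-auth-hook for DNS-01 via nsupdate.
# Run the same script with CLEANUP=1 as --manual-cleanup-hook to remove the record again.
set -eu

ZONE="${ZONE:-example.org}"                # assumed: zone that holds the name being validated
NS="${NS:-ns1.example.org}"                # assumed: primary nameserver accepting dynamic updates
KEYFILE="${KEYFILE:-/etc/bind/acme.key}"   # assumed: TSIG key limited to _acme-challenge names
TTL=300

# Name the CA queries during DNS-01 validation: _acme-challenge.<domain>.
challenge_name() {
    printf '_acme-challenge.%s.' "$1"
}

# True when $1 is $2 itself or a name below it. A TXT record placed in any other
# zone file is "out-of-zone data" and is silently ignored by the nameserver.
in_zone() {
    case "$1" in
        "$2"|*."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Emit an nsupdate script. $1 is add|delete, $2 the domain, $3 the validation token.
nsupdate_script() {
    name=$(challenge_name "$2")
    printf 'server %s\nzone %s.\nupdate %s %s %s IN TXT "%s"\nsend\n' \
        "$NS" "$ZONE" "$1" "$name" "$TTL" "$3"
}

main() {
    in_zone "$CERTBOT_DOMAIN" "$ZONE" || {
        echo "refusing: $CERTBOT_DOMAIN is not inside zone $ZONE" >&2
        exit 1
    }
    op=add
    [ "${CLEANUP:-0}" = 1 ] && op=delete
    nsupdate_script "$op" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$KEYFILE"
    # Let secondaries pick up the record before certbot asks the CA to query it.
    [ "$op" = add ] && sleep 30
}

# Only act as a hook when certbot invoked us (it exports CERTBOT_DOMAIN).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```

Invoke it as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/hook.sh --manual-cleanup-hook "CLEANUP=1 /path/hook.sh" -d <domain>`; the TSIG key should be allowed to update only the _acme-challenge names so a leaked key cannot rewrite the rest of the zone.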

I tried to make such a record in the zone file for but it was ignored as out-of-zone data. Where should I place this record? Or maybe I have not entered the right thing. My record is: 300 IN TXT "667drN...Undc"

Hard to say. What precisely did you try? Opening the zone, creating a record of name _acme-challenge, type TXT and value "667...ndc"?

I opened the zone and there I created the TXT record. I do not have a zone file for, but on is the XMPP server.

Did you “open the zone” in some kind of control panel, or open it as a text file in an editor?

I opened the zone file for it in a text editor :)

OK, you will then need to reload that to your DNS servers (possibly restarting bind… I don’t know what you are using).

I’ve done it but in Pidgin it still says that the certificate for cannot be validated and it claims to be from This makes my server unable to connect to another server that requires verification…

Would you like to show us the certificate and domain names in question?

