How do I manually register subdomains using DNS verification?

Hello, I’m trying to register a root domain with about 5 subdomains. As there are various configurations between services, I’m trying to use the manual installation process with DNS TXT record verification.

My domain is:

Redacted: using as an example

I ran this command:

$ sudo certbot certonly --cert-name -d --manual --preferred-challenges dns

It produced the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

You are updating certificate to include domains:

It previously included domains:

Did you intend to make this change?
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: Y

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for

 - The following errors were reported by the server:

   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up TXT for

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My hosting provider, if applicable, is:

Digital Ocean has the following entry:

HOWEVER, there is no ANSWER sections:

$ dig -t txt

; <<>> DiG 9.8.3-P1 <<>> -t txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46967
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0


;; AUTHORITY SECTION:
		1800	IN	SOA 1509646706 10800 3600 604800 1800

;; Query time: 112 msec
;; WHEN: Thu Nov  2 14:29:51 2017
;; MSG SIZE  rcvd: 112

I don't think that's a valid TXT record.

What is the proper way to manually generate certs using DNS authentication?

  1. Maybe you have to wait a little longer for the DNS change at DigitalOcean to start working. How long did you wait?

    I’m not sure they document how updates work, unfortunately.

  2. Make sure the record isn’t called “”. If you entered “”, maybe DigitalOcean requires “” (with a dot) or “_acme-challenge.www”.

What’s the domain? Does the TXT record you created still exist?

(As far as Let’s Encrypt’s goes, you can delete it now, but if you haven’t, it may be useful for debugging the situation.)

1 Like

You should also be aware that this will cause the new certificate not to cover itself (that’s what this warning is referring to). If you want to cover both and in the new certificate, you would need -d -d

1 Like

Argh. Looks like Digital Ocean outsmarted me and automagically appended to the entries. So the recorded entry was *

@schoen thanks for the tip. I have made your modification to preserve coverage.
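The two things that went wrong in this thread (a DNS panel silently appending the zone to a record name that already contained it, and a `dig` lookup that answered NXDOMAIN with no ANSWER section) can both be caught before pressing Enter in certbot. The following Python is an added example written for this page; it is not certbot's code or anything from Let's Encrypt or DigitalOcean. It assumes zone-file naming rules (a relative name gets the zone appended, a trailing dot makes it absolute, `@` is the apex), and the zone `example.com`, the token value and the dig transcripts below are constructed placeholders, since the thread's real domain is redacted.

```python
"""Pre-flight checks for a manual dns-01 challenge (added example, not certbot code).

expected_challenge_name() : the TXT owner name the CA actually queries.
panel_record_fqdn()       : the FQDN a zone-file style DNS panel creates for
                            whatever you typed into its "hostname" box.
check_record_name()       : compares the two and flags the "zone appended
                            twice" mistake seen in this thread.
parse_dig_output()        : reads status / ANSWER count / TXT values out of
                            a dig transcript so you can tell NXDOMAIN from a
                            real answer before continuing.
"""
import re

ZONE = "example.com"  # constructed placeholder zone (the thread's domain is redacted)


def expected_challenge_name(hostname: str) -> str:
    """dns-01 looks up _acme-challenge.<hostname>, nothing else."""
    return "_acme-challenge." + hostname.strip().rstrip(".").lower()


def panel_record_fqdn(entered_name: str, zone: str) -> str:
    """FQDN produced by a panel that treats names as relative to the zone.

    Assumed zone-file semantics: trailing dot = absolute (used as typed),
    '' or '@' = zone apex, anything else gets the zone appended.
    """
    zone = zone.strip().rstrip(".").lower()
    name = entered_name.strip().lower()
    if name.endswith("."):
        return name.rstrip(".")
    if name in ("", "@"):
        return zone
    return f"{name}.{zone}"


def check_record_name(entered_name: str, zone: str, hostname: str) -> dict:
    """Compare what the panel will create with what the CA will query."""
    created = panel_record_fqdn(entered_name, zone)
    expected = expected_challenge_name(hostname)
    zone_clean = zone.strip().rstrip(".").lower()
    hint = ""
    if created != expected:
        if created == f"{expected}.{zone_clean}":
            hint = ("zone appended twice: enter the name without the zone, "
                    "or end it with a trailing dot")
        else:
            hint = "record name does not match what the CA will query"
    return {"created": created, "expected": expected,
            "ok": created == expected, "hint": hint}


# dig header/answer patterns: "status: NXDOMAIN," / "ANSWER: 0," / TXT rows.
_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
_ANSWER_RE = re.compile(r"ANSWER:\s*(\d+)")
_TXT_RE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+"([^"]*)"', re.MULTILINE)


def parse_dig_output(text: str) -> dict:
    """Pull the verdict out of a dig transcript without resolving anything."""
    status = _STATUS_RE.search(text)
    answers = _ANSWER_RE.search(text)
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "answer_count": int(answers.group(1)) if answers else 0,
        "txt_values": _TXT_RE.findall(text),
    }


def record_ready(dig_text: str, expected_token: str) -> bool:
    """True only when the lookup succeeded AND the exact token is served."""
    info = parse_dig_output(dig_text)
    return info["status"] == "NOERROR" and expected_token in info["txt_values"]


# Constructed transcripts modelled on the thread's output (placeholder names).
SAMPLE_NXDOMAIN = """; <<>> DiG 9.8.3-P1 <<>> -t txt _acme-challenge.www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46967
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.com.\t\t1800\tIN\tSOA ns1.example.com. hostmaster.example.com. 1 10800 3600 604800 1800
"""

SAMPLE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
_acme-challenge.www.example.com. 300\tIN\tTXT\t"constructed-token-value"
"""

if __name__ == "__main__":
    # The mistake from the thread: the full name typed into a relative-name panel.
    print(check_record_name("_acme-challenge.www.example.com", ZONE, "www.example.com"))
    # The fix: only the part left of the zone, or the absolute name with a dot.
    print(check_record_name("_acme-challenge.www", ZONE, "www.example.com"))
    print(parse_dig_output(SAMPLE_NXDOMAIN))
    print(record_ready(SAMPLE_OK, "constructed-token-value"))
```

In practice you would run `dig -t txt _acme-challenge.<host>` against a public resolver, paste the transcript into `record_ready()` with the token certbot printed, and only press Enter when it returns True; the NXDOMAIN transcript in the question would have returned False and pointed at the record name rather than at propagation delay.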
