I can't renew: NXDOMAIN looking up TXT

dig @ UUID.auth.acme-dns.io txt
dig @ UUID.auth.acme-dns.io txt

It seems that quad9 can resolve TXT. I suggest letsencrypt adding:

zone "auth.acme-dns.io" IN {
type forward;
forward only;
forwarders {;; };

or resolv.conf adding

1 Like

LE doesn't use any forwarders.
[never did - never will]


But we are unable to renew until Cloudflare can fix this problem. All the websites will shut down!

This is already a 12-day problem. If it can be fixed, why wait?

If it's added, Let's Encrypt can temporarily fix this until Cloudflare finds its problem.

1 Like

The DNS software used by LE doesn't even have a place to put in a forwarder.
It can't.
And it won't.
Whatever problem you are encountering is no fault of LE.


How about adding a resolver to ?

Which part do you NOT understand?
The software LE uses is the resolver.
It doesn't rely on any third party DNS resolution.


Then, what's the problem when renewing?

Domain: XXXXX
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.XXXXX - check that a DNS record exists for this domain

I can resolve TXT by adding

1 Like

You have joined this thread to discuss your problem but it may have nothing to do with the original thread. Please post a new question to describe your exact problem and also provide your real domain so others can examine the DNS entries.

1 Like

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


My domain: comp.hkbu.edu.hk *.comp.hkbu.edu.hk

Ran: /usr/bin/certbot renew --quiet --manual-public-ip-logging-ok
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.comp.hkbu.edu.hk -d comp.hkbu.edu.hk

dig @ _acme-challenge.comp.hkbu.edu.hk txt
(it works for resolving)
dig @ _acme-challenge.comp.hkbu.edu.hk txt
(it does not work for resolving)

Domain: comp.hkbu.edu.hk
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.comp.hkbu.edu.hk - check that a DNS record exists for this domain

OS: CentOS 7
certbot 1.6.0

Hope this helps.

1 Like

For what it's worth:


No TXT record found.

1 Like

Please try "dig @ _acme-challenge.comp.hkbu.edu.hk txt"

1 Like

If Google can't resolve it, I'm highly doubting that Let's Encrypt will be able to.

1 Like

unboundtest succeeded though:


1 Like

Yes. This is what I mean. This is not a client-side DNS problem.

I can't fix cloudflare's problem. But it blows a lot of websites, not only me.

Can anyone help (from ACME or LE)?

1 Like

Usually if unboundtest succeeds then Let's Encrypt will succeed. :thinking:

1 Like

cloudflare problem:

_acme-challenge.comp.hkbu.edu.hk. 21599 IN CNAME 4aac37e7-1c30-43f0-864c-26b888dac908.auth.acme-dns.io.

acme-dns.io. 1799 IN SOA bonnie.ns.cloudflare.com. dns.cloudflare.com. 2034849170 10000 2400 604800 3600

1 Like
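
Added example, not part of the thread and not Let's Encrypt, certbot or acme-dns code: a small reader for dig-style records like the two posted above. It follows the _acme-challenge CNAME and reports either the TXT value at the target or the zone whose SOA accompanied the negative answer. The function names and the HEALTHY sample are assumptions made for illustration.

```python
# Added example, not code from the thread: read dig-style records for a
# delegated DNS-01 challenge and report where the lookup ends.

# The two records posted above, verbatim.
POSTED = """\
_acme-challenge.comp.hkbu.edu.hk. 21599 IN CNAME 4aac37e7-1c30-43f0-864c-26b888dac908.auth.acme-dns.io.
acme-dns.io. 1799 IN SOA bonnie.ns.cloudflare.com. dns.cloudflare.com. 2034849170 10000 2400 604800 3600
"""

# Constructed sample of a healthy answer (names and token are made up).
HEALTHY = """\
_acme-challenge.example.org. 300 IN CNAME 00000000-0000-0000-0000-000000000000.auth.example.net.
00000000-0000-0000-0000-000000000000.auth.example.net. 1 IN TXT "constructed-token-value"
"""


def parse_records(text):
    """Return (owner, type, rdata) for each 'name ttl class type rdata' line."""
    records = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or line.lstrip().startswith(";"):
            continue  # skip blanks, dig comments and malformed lines
        owner, _ttl, _class, rtype, rdata = fields
        records.append((owner.lower().rstrip("."), rtype.upper(), rdata.strip()))
    return records


def diagnose(text, qname):
    """Follow CNAMEs from qname, then look for TXT or a negative-answer SOA."""
    records = parse_records(text)
    name, chain = qname.lower().rstrip("."), []
    while name not in chain:  # the membership test also stops CNAME loops
        chain.append(name)
        targets = [rd for o, t, rd in records if o == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0].lower().rstrip(".")
    final = chain[-1]
    txt = [rd.strip('"') for o, t, rd in records if o == final and t == "TXT"]
    # In a negative response the SOA owner names the zone that said "no".
    zones = [(o, rd.split()[0].rstrip(".")) for o, t, rd in records
             if t == "SOA" and (final == o or final.endswith("." + o))]
    zone, mname = max(zones, key=lambda z: len(z[0]), default=(None, None))
    return {"chain": chain, "txt": txt, "ok": bool(txt),
            "negative_zone": None if txt else zone,
            "soa_mname": None if txt else mname}
```

For the posted records, diagnose reports no TXT at the CNAME target and names acme-dns.io as the zone that returned the SOA.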

Hopefully someone with more detailed knowledge here than I will come by.

1 Like

How should LE get back TXT to renew my cert? Via which DNS resolver's partner?

1 Like

I'll try to ask them. Please be patient though as it's the middle of the night here, so they might not answer for a while.


Any thoughts here?

1 Like