I can't renew: NXDOMAIN looking up TXT

dig @8.8.8.8 UUID.auth.acme-dns.io txt
dig @9.9.9.9 UUID.auth.acme-dns.io txt

It seems that Quad9 can resolve the TXT. I suggest Let's Encrypt add:

zone "auth.acme-dns.io" IN {
type forward;
forward only;
forwarders { 46.4.128.227; 9.9.9.9; };
};

or adding 9.9.9.9 to resolv.conf.

LE doesn't use any forwarders.
[never did - never will]

But we are suffering from being unable to renew until Cloudflare can fix this problem. All the web sites will shut down!

This is already a 12-day problem. If it can be fixed, why wait?

If it's added, Let's Encrypt can temporarily fix this until Cloudflare finds its problem.

The DNS software used by LE doesn't even have a place to put in a forwarder.
It can't.
And it won't.
Whatever problem you are encountering is no fault of LE.

How about adding a resolver to 9.9.9.9 ?

Which part do you NOT understand?
The software LE uses is the resolver.
It doesn't rely on any third party DNS resolution.

Then, what's the problem when renewing?

Domain: XXXXX
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.XXXXX - check that a DNS record exists for this domain

I can resolve the TXT by adding 9.9.9.9.

You have joined this thread to discuss your problem but it may have nothing to do with the original thread. Please post a new question to describe your exact problem and also provide your real domain so others can examine the DNS entries.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My domain: comp.hkbu.edu.hk *.comp.hkbu.edu.hk

Ran: /usr/bin/certbot renew --quiet --manual-public-ip-logging-ok
or
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.comp.hkbu.edu.hk -d comp.hkbu.edu.hk

dig @9.9.9.9 _acme-challenge.comp.hkbu.edu.hk txt
(it works for resolving)
dig @8.8.8.8 _acme-challenge.comp.hkbu.edu.hk txt
(it does not work for resolving)

Domain: comp.hkbu.edu.hk
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.comp.hkbu.edu.hk - check that a DNS record exists for this domain

OS: CentOS 7
certbot 1.6.0

Hope this helps.

For what it's worth:

https://toolbox.googleapps.com/apps/dig/#TXT/

No TXT record found.

Please try "dig @9.9.9.9 _acme-challenge.comp.hkbu.edu.hk txt"

If Google can't resolve it, I'm highly doubting that Let's Encrypt will be able to.

unboundtest succeeded though:

https://unboundtest.com/m/TXT/_acme-challenge.comp.hkbu.edu.hk/EXGMKFPE

Yes. This is what I mean. This is not a client-side DNS problem.

I can't fix Cloudflare's problem. But it breaks a lot of websites, not only mine.

Can anyone help (from ACME or LE)?

Usually if unboundtest succeeds then Let's Encrypt will succeed. :thinking:

Cloudflare problem:

;; ANSWER SECTION:
_acme-challenge.comp.hkbu.edu.hk. 21599 IN CNAME 4aac37e7-1c30-43f0-864c-26b888dac908.auth.acme-dns.io.

;; AUTHORITY SECTION:
acme-dns.io. 1799 IN SOA bonnie.ns.cloudflare.com. dns.cloudflare.com. 2034849170 10000 2400 604800 3600
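The answer above is the shape of a negative response at the CNAME target: the resolver followed `_acme-challenge.<domain>` to the `auth.acme-dns.io` name, and the AUTHORITY section carries the SOA of `acme-dns.io` instead of an ANSWER with a TXT record, which is exactly what Let's Encrypt reports as "NXDOMAIN looking up TXT". As an added example that is not part of this thread, the following POSIX shell script classifies a `dig ... TXT +noall +answer +authority` response into that and the other possible outcomes, and wraps the multi-resolver comparison done earlier in the thread with 8.8.8.8 and 9.9.9.9. The domain, UUID, nameserver and SOA values in the samples are constructed for the example and are not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a dig TXT response for an
# _acme-challenge name that is a CNAME to an acme-dns record, and compare
# what several recursive resolvers return for it.

# classify_txt_answer: read "dig <name> TXT +noall +answer +authority" output
# on stdin and print one word:
#   TXT            a TXT record came back (directly or via the CNAME chain)
#   CNAME-NEGATIVE the CNAME was followed but the target zone answered with
#                  only its SOA in AUTHORITY, i.e. no TXT at the target
#                  (the situation shown in the thread)
#   CNAME-ONLY     a CNAME but neither TXT nor SOA (truncated or odd reply)
#   NEGATIVE       nothing at all for the name
# dig prints records as: <name> <ttl> <class> <type> <rdata>, so the type
# is field 4; ";;" comment lines never match.
classify_txt_answer() {
  awk '
    $3 == "IN" && $4 == "TXT"   { txt = 1 }
    $3 == "IN" && $4 == "CNAME" { cname = 1 }
    $3 == "IN" && $4 == "SOA"   { soa = 1 }
    END {
      if (txt)             print "TXT"
      else if (cname && soa) print "CNAME-NEGATIVE"
      else if (cname)        print "CNAME-ONLY"
      else                   print "NEGATIVE"
    }'
}

# compare_resolvers <name> <resolver>...: ask each resolver for the TXT and
# print the classification side by side. Needs network access and dig; it is
# only run when the script is given arguments, so the samples below still
# work offline.
compare_resolvers() {
  name=$1
  shift
  for r in "$@"; do
    result=$(dig @"$r" "$name" TXT +noall +answer +authority +time=3 +tries=1 \
      | classify_txt_answer)
    printf '%-16s %s\n' "$r" "$result"
  done
}

# classify_sample <dig-output-string>: convenience wrapper for the samples.
classify_sample() {
  printf '%s\n' "$1" | classify_txt_answer
}

# Constructed sample modelled on the output posted in the thread: the CNAME
# resolves, but the target zone returns only its SOA (a negative answer),
# so there is no TXT for the ACME validator to read.
SAMPLE_BROKEN='_acme-challenge.example.com. 21599 IN CNAME 00000000-0000-0000-0000-000000000000.auth.acme-dns.io.
acme-dns.io. 1799 IN SOA ns1.example.net. hostmaster.example.net. 1 10000 2400 604800 3600'

# Constructed sample of a healthy answer: the CNAME target carries the token.
SAMPLE_GOOD='_acme-challenge.example.com. 21599 IN CNAME 00000000-0000-0000-0000-000000000000.auth.acme-dns.io.
00000000-0000-0000-0000-000000000000.auth.acme-dns.io. 1 IN TXT "constructed-token"'

if [ $# -gt 0 ]; then
  # Usage: ./check.sh _acme-challenge.example.com 8.8.8.8 9.9.9.9 1.1.1.1
  compare_resolvers "$@"
else
  printf 'broken sample: %s\n' "$(classify_sample "$SAMPLE_BROKEN")"
  printf 'good sample:   %s\n' "$(classify_sample "$SAMPLE_GOOD")"
fi
```

A resolver that shows `TXT` while another shows `CNAME-NEGATIVE` for the same name is a split like the one in the thread, and it points at the authoritative side of the CNAME target rather than at the client. Since Let's Encrypt runs its own recursive resolver and does not forward to public resolvers, the closest local approximation of what it sees is `dig +trace _acme-challenge.<domain> TXT`, which walks the delegation from the root instead of using any cache.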

Hopefully someone with more detailed knowledge here than I will come by.

How should LE get the TXT back to renew my cert? Via which DNS resolver partner?

I'll try to ask them. Please be patient though as it's the middle of the night here, so they might not answer for a while.

@lestaff

Any thoughts here?