I failed to apply for a certificate for my Chinese domain name

My domain is:
广东省中医院海南医院.公益
It produced this output:
https://acme-v02.api.letsencrypt.org/acme/chall/2920527116/639502117876/ASxOGQ
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g - check that a DNS record exists for this domain

However, when I tested using the dig command, there was no issue:
dig NS 广东省中医院海南医院.公益 @114.114.114.114

; <<>> DiG 9.16.23 <<>> NS 广东省中医院海南医院.公益 @114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61168
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;广东省中医院海南医院.公益. IN NS

;; ANSWER SECTION:
广东省中医院海南医院.公益. 23051 IN NS ns1.alidns.com.
广东省中医院海南医院.公益. 23051 IN NS ns2.alidns.com.

;; Query time: 31 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Thu Jan 08 09:42:50 CST 2026
;; MSG SIZE rcvd: 118

But if I use 8.8.8.8, I encounter the issue mentioned above. I would like to ask: does Let's Encrypt support specifying a DNS server for validation?

No.
LE uses the global Internet DNS system [starting at trusted roots].

3 Likes

So even though the authoritative DNS server 114.114.114.114 has a resolution record, Let's Encrypt still does not recognize it, correct? Is there a solution to my situation?

Have you recently changed DNS providers? If so have you updated your renewal method to account for this?

2 Likes

No, I have been using this DNS vendor.

It's just that 公益 is showing you as having the name servers ns1.sdc.org.cn, ns2.sdc.org.cn and ns3.sdc.org.cn which is different to what your dig command is showing (ns1.alidns.com and ns2.alidns.com.)

Which name servers are you using?

4 Likes

114.114.114.114 does not appear to be an authoritative DNS server. It is a public recursive server like Google's 8.8.8.8 or Cloudflare's 1.1.1.1. They may also provide authoritative zone hosting, but the authoritative nameservers would likely be different than the public recursives.

As @MaxHearnden said, the authoritative nameservers for the xn--55qw42g TLD (ns1.conac.cn, ns2.conac.cn, ns3.conac.cn, ns4.conac.cn, ns5.conac.cn) all seem to agree that the authoritative nameservers for your domain, xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g, are these:

> dig @ns1.conac.cn xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g ns +norecurse

; <<>> DiG 9.17.15 <<>> @ns1.conac.cn ns xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12398
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. IN        NS

;; AUTHORITY SECTION:
xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. 43200 IN NS ns1.sdc.org.cn.
xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. 43200 IN NS ns3.sdc.org.cn.
xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. 43200 IN NS ns2.sdc.org.cn.

;; Query time: 193 msec
;; SERVER: 111.235.161.1#53(ns1.conac.cn) (UDP)
;; WHEN: Wed Jan 07 23:21:16 Pacific Standard Time 2026
;; MSG SIZE  rcvd: 136

Let's Encrypt's validation servers will only query those 3 sdc.org.cn authoritative nameservers for your TXT record validations. And those 3 nameservers don't appear to even have an A record for the domain apex, let alone a TXT record for _acme-challenge.xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g.

> dig @ns1.sdc.org.cn xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g +norecurse +nostats

; <<>> DiG 9.17.15 <<>> @ns1.sdc.org.cn xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g +norecurse +nostats
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48288
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. IN        A

;; AUTHORITY SECTION:
xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. 28800 IN SOA ns1.sdc.org.cn. rdns.conac.cn. 1767686253 28800 14400 604800 28800

> dig @ns1.sdc.org.cn _acme-challenge.xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g txt +norecurse +nostats

; <<>> DiG 9.17.15 <<>> @ns1.sdc.org.cn _acme-challenge.xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g txt +norecurse +nostats
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53298
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. IN        TXT

;; AUTHORITY SECTION:
xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. 28800 IN SOA ns1.sdc.org.cn. rdns.conac.cn. 1767686253 28800 14400 604800 28800
7 Likes
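
The comparison made in the replies above, as an added example that is not part of the original thread: it parses dig text output and checks whether the NS set delegated by the TLD matches the NS set a public resolver reported. The function names are hypothetical, and the two sample inputs are trimmed from the dig captures quoted in this thread.

```python
import re

# Sample input: dig output trimmed from the two captures quoted in this thread.
PARENT_REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; AUTHORITY SECTION:
xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. 43200 IN NS ns1.sdc.org.cn.
xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. 43200 IN NS ns3.sdc.org.cn.
xn--xhq8a69ya3lu72erwyd4qyr8dda.xn--55qw42g. 43200 IN NS ns2.sdc.org.cn.
"""
RESOLVER_ANSWER = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
广东省中医院海南医院.公益. 23051 IN NS ns1.alidns.com.
广东省中医院海南医院.公益. 23051 IN NS ns2.alidns.com.
"""

def parse_dig(text):
    """Return (header flags, {section name: [(owner, type, rdata)]}) from dig text output."""
    flags, sections, current = set(), {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r";; flags: ([a-z ]*);", line):
            flags = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            current = m.group(1)
        elif not line:
            current = None  # a blank line ends the section
        elif current and not line.startswith(";"):
            fields = line.split(None, 4)  # owner, TTL, class, type, rdata
            if len(fields) == 5:
                sections.setdefault(current, []).append((fields[0], fields[3], fields[4]))
    return flags, sections

def ns_names(text):
    """NS targets from ANSWER (resolver reply) or AUTHORITY (referral from the parent)."""
    flags, sections = parse_dig(text)
    records = sections.get("ANSWER") or sections.get("AUTHORITY", [])
    return flags, {r[2].rstrip(".").lower() for r in records if r[1] == "NS"}

def check_delegation(parent_referral, resolver_answer):
    """Compare the NS set the TLD delegates to with the NS set a resolver reported."""
    _, delegated = ns_names(parent_referral)
    flags, reported = ns_names(resolver_answer)
    return {
        "delegated": delegated,
        "reported": reported,
        "match": delegated == reported,
        # ra without aa: the reply came from a recursive resolver, not an authoritative server
        "from_recursive": "ra" in flags and "aa" not in flags,
    }
```

A result with `match` false and `from_recursive` true is the situation in this thread: the resolver's view differs from the delegation published by the TLD, so the TXT record has to exist on the delegated nameservers.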