Invalid response from

@MadDemon eventually, it works, but you have to use GTS instead of Let's Encrypt.

It's all automatic but it takes a few hours and it wants you to hit buttons manually.

It still is messed up, tho. So look if you have alternatives. SSL Server Test: (Powered by Qualys SSL Labs)


I see that. This confirms they send only the leaf and no intermediates. Not good.

A quicker but less detailed check than SSL Labs


Thanks but I did it with went with another option, but I needed Let'sEncrypt :smiling_face_with_tear:


Well I found a solution for adding Let'sEncrypt SSL manually in InfinityFree

Step 1.

Choose certbot DNS challenge
certbot certonly --manual --preferred-challenges dns -d "*.YourDomain"

Also, the subdomains work fine for Example: certbot certonly --manual --preferred-challenges dns -d "*"


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

with the following value:


Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox:
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Step 2.
Login to your InfinityFree cpanel scroll to the bottom and click on the CNAME

Step 3.
In the "Record Name" box enter (_acme-challenge), in "Domains" let it be the default, and in the " Destination" box enter the value that certbot provided, for Example: "M6DRvcOBx6_apw_CGHR7VgqHBRSgE3586Q1c-plEWU4"

Step 4.
Don't click enter yet...
Check if the DNS has updated yet
nslookup -type=TXT
cause the DNS usually takes 1 to 2 or more hours to update
Keep the certbot verification window open in the background

I don't see a Let's Encrypt cert for your domain. Your domain is currently using a cert from Google. And, as per previous discussion that hosting site does not support intermediate certs so may fail validation like shown here:

I don't see a Let's Encrypt cert in the public logs but sometimes those are delayed as much as 24H.


You need to check the authoritative DNS servers directly.
[it may be updating much faster than that]
nslookup -q=ns


Ya :sweat_smile: I was just writing and applying the steps at the same time

Also, I am finding a faster way to update or use an updated DNS for faster verification :grinning:

I was thinking of using their own DNS server rather than Google's DNS ( for nslookup and it worked

With Default Google's DNS (


** server can't find NXDOMAIN`

Their DNS (
nslookup -type=TXT


Address:        canonical name = m6drvcobx6_apw_cghr7vgqhbrsge3586q1c-plewu4.```

So, what if I use their DNS in certbot for verification

certbot isn't the one doing the verification - it is just an ACME client.
If the ACME client could also do the verification ... we would have a broken/exploited system!
The DNS verification is being done by LE.
And they only follow the authoritative DNS tree/path.
So, it will never use systems like [for verification].


oh :sweat_smile: Thanks

sorry guys this method will not work until there is a way to use their DNS in certbot cause it will not update or it will take a long time to populate the Google DNS

It has been up to 24 hours but nslookup -type=TXT still shows


** server can't find NXDOMAIN`

and the certbot gave me a Time-out error

I am still looking in certbot-dns-CustomDns like certbot-dns-cloudflare etc...
to make certbot-dns-infinityfree

$ dig txt

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49293
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
; IN   TXT

;; ANSWER SECTION: 86400 IN CNAME m6drvcobx6_apw_cghr7vgqhbrsge3586q1c-plewu4.

.                       86400   IN      SOA 2023083001 1800 900 604800 86400

;; Query time: 209 msec
;; WHEN: Wed Aug 30 20:28:08 CEST 2023
;; MSG SIZE  rcvd: 193

You should add a TXT record, not a CNAME record :wink:


Is your DNS even hosted by Google?

If not, then what's the relevance of Google DNS?


Nope, that's what I am saying :man_facepalming:

Steps :sweat_smile:

Let's Encrypt crawls the authorative nameservers from the root servers down to the authorative nameserver of the hostname. Please don't use third party DNS servers to check for propogation, but use e.g. dig +trace or


Idk, But it's a txt record nslookup -type=TXT

Address:        canonical name = m6drvcobx6_apw_cghr7vgqhbrsge3586q1c-plewu4.

canonical name


it literally means "look there instead" -- and it applies to every record type.

you then get a NXDOMAIN because that string does not exist as a domain.