I always get the error message shown below when requesting a certificate. According to letsdebug.net everything is configured and ok. Nevertheless it doesn’t work.
Can somebody help me out?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
time="2019-01-16T18:06:35Z" level=error msg="Unable to obtain ACME certificate for domains "hydra.local.home.goroot.de" detected thanksto rule "Host:hydra.local.home.goroot.de; PathPrefix:/grafana" : unable to generate a certificate for the domains [hydra.local.home.goroot.de]: acme: Error -> One or more domains had a problem:\n[hydra.local.home.goroot.de] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hydra.local.home.goroot.de, url: \n"
My web server is (include version): Traefik 1.7.7
The operating system my web server runs on is (include version): Docker version 18.09.1@ 4.9.0-6-amd64
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
No, not a typo. There is simply no IP address, as it is hosting the TXT record only.
Is it required? If so, I wonder why letsdebug doesn’t show any errors.
dig TXT _acme-challenge.hydra.local.home.goroot.de
_acme-challenge.hydra.local.home.goroot.de. 740 IN CNAME ba71bec7-2c7f-4dd3-abef-20714ad63f64.local.home.goroot.de.
ba71bec7-2c7f-4dd3-abef-20714ad63f64.local.home.goroot.de. 1 IN TXT "3-dRrATy4huKdbG5ppYLme9H-ZYrQheB-pnfFuZnRRc"
For DNS validations, Let's Debug would only check if your DNS servers are functioning normally, or anything that would indirectly affect your validation. (Like CAA records)
And I didn't see any CAA records that would block the issuance...
I think it's fine to "not exist" because when the CAA does not exist on this level, it would query the next level, till the root domain itself...
The DNS responses across your authoritative name servers are inconsistent:
SOA records are only returned for the full FQDN by: ns.inwx.de ns2.inwx.de
The other three return NXDOMAIN (for the SOA record) [THIS IS NOT GOOD]
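The inconsistency described in the last reply can be checked by asking each authoritative server directly, without recursion, and comparing the response status. The following is an added example, not part of the original thread; it assumes `dig` is installed, the function names and the `DIG` override are hypothetical, and the server list is whatever the caller passes in (the thread names only ns.inwx.de and ns2.inwx.de).

```sh
#!/bin/sh
# Added example: compare the DNS response status for one name/type across
# all authoritative name servers. A validating CA may hit any of them, so a
# single server answering NXDOMAIN is enough to fail a DNS-01 challenge.

# Command used for lookups; overridable so the logic can be exercised offline
# (assumption of this example, not a dig feature).
DIG=${DIG:-dig}

# rcode_from SERVER NAME TYPE
# Prints the header status (NOERROR, NXDOMAIN, SERVFAIL, ...) that SERVER
# returns for NAME/TYPE when queried directly with recursion disabled.
rcode_from() {
  $DIG +norecurse +noall +comments "@$1" "$2" "$3" 2>/dev/null |
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# check_consistency NAME TYPE SERVER...
# Prints one "server status" line per server. Returns 0 only if every
# server answers NOERROR; returns 1 on any disagreement, error status,
# or missing response.
check_consistency() {
  name=$1; type=$2; shift 2
  first=""; rc=0
  for ns in "$@"; do
    status=$(rcode_from "$ns" "$name" "$type")
    [ -n "$status" ] || status=NO_RESPONSE
    printf '%-28s %s\n' "$ns" "$status"
    [ -n "$first" ] || first=$status
    if [ "$status" != "$first" ] || [ "$status" != NOERROR ]; then
      rc=1
    fi
  done
  return $rc
}

# Usage (server list taken from `dig +short NS <zone>`):
#   check_consistency hydra.local.home.goroot.de SOA ns.inwx.de ns2.inwx.de ...
#   check_consistency _acme-challenge.hydra.local.home.goroot.de TXT ns.inwx.de ...
```

A non-zero return means at least one server disagrees with the others or returns an error status, which is the condition to fix before retrying the challenge.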