NXDOMAIN but records are in place


Hi Everybody,

I always get the error message shown below when requesting a certificate. According to letsdebug.net everything is configured and ok. Nevertheless it doesn’t work.

Can somebody help me out?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hydra.local.home.goroot.de

I ran this command: docker traefik restart

It produced this output:
time=“2019-01-16T18:06:35Z” level=error msg=“Unable to obtain ACME certificate for domains “hydra.local.home.goroot.de” detected thanksto rule “Host:hydra.local.home.goroot.de; PathPrefix:/grafana” : unable to generate a certificate for the domains [hydra.local.home.goroot.de]: acme: Error -> One or more domains had a problem:\n[hydra.local.home.goroot.de] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hydra.local.home.goroot.de, url: \n”

My web server is (include version): Traefik 1.7.7

The operating system my web server runs on is (include version): Docker version 18.09.1@ 4.9.0-6-amd64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


Hi @gorootde

I can’t see an ip address ( https://check-your-website.server-daten.de/?q=hydra.local.home.goroot.de ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
hydra.local.home.goroot.de Name Error yes 1 0
www.hydra.local.home.goroot.de Name Error yes 1 0

No ipv4, no ipv6. Checked manual - the same:

D:\temp>nslookup hydra.local.home.goroot.de.
*** hydra.local.home.goroot.de. Non-existent domain.

Is there a typo?

PS: You are using dns-01 - validation. But (1) there are no txt entries. And (2) there is a CAA entry that may block:

CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
local.home.goroot.de -3 Name Error - The domain name does not exist 1 0

txt entries don’t exist.


Hi Juergen,

no not a typo. There is simply no IP address, as it is hosting the TXT record only.
Is it required? If so, I wonder why letsdebug doesn’t show any errors.

dig TXT _acme-challenge.hydra.local.home.goroot.de
_acme-challenge.hydra.local.home.goroot.de. 740 IN CNAME ba71bec7-2c7f-4dd3-abef-  20714ad63f64.local.home.goroot.de.
ba71bec7-2c7f-4dd3-abef-20714ad63f64.local.home.goroot.de. 1 IN TXT "3-dRrATy4huKdbG5ppYLme9H-ZYrQheB-pnfFuZnRRc"

Is that not enough?


For DNS validations, Let’s Debug would only check if your DNS servers are functioning normally, or anything that would indirectly affect your validation. (Like CAA records)
And i didn’t see any CAA records that would block the issurance…

I think it’s fine to “not exist” because when the CAA does not exist on this level, it would query the next level, till the root domain itself…

Thank you


Unboundtest actually could find your NS server and query it…

But the answer is NXDOMAIN


This is not right… It should return a CNAME right?

Thank you


Hi Steven,

unfortunately this didn’t help anything. Added delayBeforeCheck = 60 to my Traefik configuration.

Why is there is a difference between a dig command and unboundtest.com? Aren’t they asking the same DNS server the exact same question in the end?


You can get a certificate with a domain name.

But hydra.local.home.goroot.de isn’t a defined domain name, the answer is “Not existing domain”.

So the certificate request is incomplete.

You have only a CNAME definition


But this isn’t a domain name.

So add the domain name in your DNS.


Actually when i query it with dig & TXT. It returns NXDOMAIN too…

When i returns with dig CNAME, it returns the right CNAME, but no answer in there.

Not sure what’s wrong…


The DNS server is behaving incorrectly. It should be returning the CNAME record in response to a TXT query, not NXDOMAIN.

It should never return NXDOMAIN when a name exists (including when it’s an empty non-terminal).

Plus negative responses should have an authority section with an SOA record so that they can be cached.


This needs to work globally not just on your own private DNS system.


The DNS responses across your authoritative name servers are inconsistent:
SOA records are only returned for the full FQDN by:
The other three return NXDOMAN (for the SOA record) [THIS IS NOT GOOD]

nslookup -q=ns goroot.de. a.nic.de.
goroot.de nameserver = ns.inwx.de
goroot.de nameserver = ns2.inwx.de
goroot.de nameserver = ns3.inwx.eu
goroot.de nameserver = ns4.inwx.com
goroot.de nameserver = ns5.inwx.net

nslookup -q=ns home.goroot.de. ns.inwx.de.
nslookup -q=ns local.home.goroot.de. ns.inwx.de.
nslookup -q=ns hydra.local.home.goroot.de. ns.inwx.de.
all 3 return: NUL [SOA]

nslookup -q=ns home.goroot.de. ns2.inwx.de.
nslookup -q=ns local.home.goroot.de. ns2.inwx.de.
nslookup -q=ns hydra.local.home.goroot.de. ns2.inwx.de.
all 3 return: NUL [SOA]

nslookup -q=ns home.goroot.de. ns3.inwx.eu.
returns: NUL [SOA]
nslookup -q=ns local.home.goroot.de. ns3.inwx.eu.
nslookup -q=ns hydra.local.home.goroot.de. ns3.inwx.eu.
These 2 return: NXDOMAIN

nslookup -q=ns home.goroot.de. ns4.inwx.com.
returns: NUL [SOA]
nslookup -q=ns local.home.goroot.de. ns4.inwx.com.
nslookup -q=ns hydra.local.home.goroot.de. ns4.inwx.com.
These 2 return: NXDOMAIN

nslookup -q=ns home.goroot.de. ns5.inwx.net.
returns: NUL [SOA]
nslookup -q=ns local.home.goroot.de. ns5.inwx.net.
nslookup -q=ns hydra.local.home.goroot.de. ns5.inwx.net.
These 2 return: NXDOMAIN


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.