Setting up letsencrypt for subdomains


I've followed this toturial (, to set up influxdb and grafana on my server. However, I am not sure what the _acme-challenge files need to hold. I have generated a personal DNS token from Hetzner, put it in the _acme-challenge but no luck (see below). When this token is put in, I also get incorrect TXT record.

I have also added the hetzner nameservers in the _acme-challenge files, but this also does not work. I am just trying, but perhaps someone can help me out here. Much appreciated.

My domain is:

I ran this command:

echo <HETZNER_PERSONAL_ACCES_TOKEN> > /etc/hetzner-dns-token

certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /usr/local/bin/ --manual-cleanup-hook /usr/local/bin/ -d -d

It produced this output:

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Incorrect TXT record "" found at

   Type:   unauthorized
   Detail: Incorrect TXT record "" found at

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu 20.0.8
My hosting provider, if applicable, is:
Namecheap as hosting provider, server is from Hetzner. Advanced DNS as follows:

A Record	
A Record	
A Record	
TXT Record	
TXT Record	

I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Thank you very much in advance.

Well, that ain't right.

Also, could you perhaps clarify the following bit?

What exact role does Namecheap have? You say "hosting provider", which usually means the company providing either the shared hosting platform or the VPS server. But you also say the server is from Hetzner? Which one does what exactly? Especially, who's the DNS service provider?

Edit: Dug a little bit further and it seems your DNS service provider is Namecheap. Well, you obviously can't change Namecheap settings using a Hetzner token.. Also, looking at the current TXT record value, it seems you might have tried to "redirect" the TXT resource record to the "helium" nameserver of Hetzner? Not in a correct way by the way, but that doesn't matter, because if I request anything regarding your domain from, the server returns a "REFUSED" status. Which makes sense if Hetzner is just providing your the hosting server, but not the DNS service.

Note that Namecheap does have an API which would enable you to automate the dns-01 challenge, but that service has some strict requirements, which you can find here: GitHub - iHamsterball/certbot-dns-namecheap: Certbot plugin to provide dns-01 challenge support for

Another note: do you actually require the dns-01 challenge? Why not simply use the http-01 challenge for those two hostnames? That would make your life MUCH easier..


Thanks for your quick reply. Yes, my DNS service provider is namecheap. I would prefer the road of least resistance, if you have any better suggestions; please let me know. I do not require the dns-01 challenge, if the other what you said is simpler; I would do that. I am however, not familiar with a lot of this.

1 Like

The tutorial you've followed makes it a little bit harder to "walk the easy path", as it seems it has nginx configured already, but with non-existing certificate/private key values. Making nginx actually fail to start. My suggestion is to modify part 5, "Step 5 - Install Nginx" of the tutorial as follows:

  • don't set up the proxy_pass redirects yet;
  • just make two server {} blocks using HTTP on port 80 first
    • these server blocks just need a listen and server_name directive, nothing more
  • get the certificate using sudo certbot --nginx
    • Certbot should have generated two HTTPS server blocks from the stubs you made above
    • And a redirect for HTTP to HTTPS
  • now you can modify the now HTTPS stubs to incorporate the location/proxy_pass stuff

Now, I don't have much nginx experience and perhaps the stubs require a little bit more than just listen/server_name, but I'd try the above first if I were you :slight_smile:


Awesome, thanks.

Yes, the tutorial made it all a bit harder. I have now

server {                                                                                                                     
    location / {                                                                                                             
        proxy_pass           http://localhost:3000/;                                                                         
    listen [::]:443 ssl ipv6only=on; # managed by Certbot                                                                    
    listen 443 ssl; # managed by Certbot                                                                                     
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot                              
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot                            
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot                                                    
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot                                                      
server {                                                                                                                     
    if ($host = {                                                                                         
        return 301 https://$host$request_uri;                                                                                
    } # managed by Certbot                                                                                                   
    listen 80;                                                                                                               
    listen [::]:80;                                                                                                          
    return 404; # managed by Certbot                                                                                         

and your certbot worked. I did not do it for influxdb, as there was nothing to be seen there anyway. Thank you so much for your time.


Looks good! :slight_smile: Note that the Certbot team gets all the credits for developing Certbot :wink:

Also, I agree regarding influx: if you only use influx locally (i.e., it doesn't require a certificate.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.