Trying to create cert for internal-only server using DNS-01


A bit of background – This is an internal-only webserver. I do have the ability to make DNS changes, and I did add the TXT record for this DNS name. The DNS record is not viewable via external DNS. Is that an issue?

My domain is:

I ran this command: `certbot certonly --manual --preferred-challenges dns-01 -d --dry-run`

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
```

Here I run `watch -n1 host -t txt` on a separate terminal…
when it updates, I press ENTER

```
Cleaning up challenges
Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for

  • The following errors were reported by the server:

    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
```

My web server is (include version): httpd v2.4.6

The operating system my web server runs on is (include version): RHEL 7.5

I can login to a root shell on my machine (yes or no, or I don’t know): Yes


Yes. The record needs to be externally observed, or else your control of the domain cannot be proven.


Thanks for the quick response. So there’s no way of getting a cert for this.


Split-horizon DNS is pretty common in government and would provide a solution - you could add a TXT record into the public view.

If you don’t have that ability, then yeah, probably Let’s Encrypt is not suitable.


(In the situation @_az is referring to, only the TXT record needs to be publicly visible—the A record doesn’t need to be publicly visible.)


And only for long enough to validate the challenge.
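The replies above come down to one check the original poster's `watch -n1 host -t txt` loop could not perform: the local resolver answered from the internal view, so the record looked deployed while the public view still returned NXDOMAIN. The script below is an added example (not part of this thread or of certbot) that asks several public resolvers directly for the `_acme-challenge` TXT record and only reports success when all of them return the expected value, so it is a reasonable gate before pressing Enter in `--manual` mode. It uses only the Python standard library and speaks DNS over UDP itself; the resolver list, the `example.com` domain and the challenge value are constructed for the example. Let's Encrypt validates from its own vantage points, so agreement across public resolvers is a proxy for "externally observable", not a guarantee.

```python
import random
import socket
import struct

ACME_PREFIX = "_acme-challenge."
# Constructed list of public resolvers for the example; any reachable
# resolver outside the internal DNS view will do.
PUBLIC_RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
QTYPE_TXT, QCLASS_IN, RCODE_NXDOMAIN = 16, 1, 3


def build_txt_query(name, txid):
    """Wire-format DNS query (RD set) for the TXT records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_response(data, txid):
    """Return (rcode, [txt values]) from a raw DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    txts = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_TXT:
            # TXT RDATA is a sequence of <length><chars> strings; join them
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            txts.append("".join(parts))
    return rcode, txts


def query_txt(name, resolver, timeout=3.0):
    """Send one TXT query to `resolver` over UDP and parse the reply."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_txt_response(data, txid)


def record_is_public(domain, expected, resolvers=PUBLIC_RESOLVERS):
    """True only if every resolver returns the expected challenge value."""
    name = ACME_PREFIX + domain
    for resolver in resolvers:
        try:
            rcode, txts = query_txt(name, resolver)
        except (OSError, ValueError):
            return False  # timeout or malformed reply: not observable yet
        if rcode == RCODE_NXDOMAIN or expected not in txts:
            return False
    return True


if __name__ == "__main__":
    # Constructed values; substitute the domain and the value certbot printed.
    ok = record_is_public("example.com", "constructed-challenge-value")
    print("record visible from all public resolvers" if ok else "not yet visible")
```

Run it in a loop instead of `watch host`, and press Enter in certbot only once it reports the record visible; if it keeps returning NXDOMAIN while the internal view already has the record, the TXT record is only in the internal zone and needs to be added to the public view as well.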

