Unable to procure an SSL cert for a domain

My domain is: gitlab.ndc.com

I ran this command: letsencrypt certonly -d gitlab.ndc.com

It produced this output:
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gitlab.ndc.com
Input the webroot for gitlab.ndc.com: (Enter ‘c’ to cancel): /var/opt/gitlab/nginx/www
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. gitlab.ndc.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for gitlab.ndc.com - check that a DNS record exists for this domain

My web server is (include version): since we’ve installed gitlab, it’s running on nginx

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: This is an internal portal, there is no hosting provider in this case.

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0


It seems like this hostname doesn’t exist on external DNS servers.
Query for this hostname showed “NXDOMAIN” for A record.

If you want to use HTTP based validation, you’ll need to at least enter A or AAAA records for this hostname.

Thank you

Hi @okayencrypt

Then you can create a certificate via DNS validation, but it is required to create a DNS TXT entry, and Let's Encrypt must be able to check that DNS entry.


Thanks Steve. This is an internal portal. So, we won’t be having this on external DNS servers.

Thanks, Juergen, for the advice. I believe there is a DNS TXT entry created, since I can go to the domain via HTTP. So, why can’t Let's Encrypt see that domain added to our DNS server?
Between, our Ubuntu server is behind the firewall for security reasons.

A TXT entry has nothing to do with an HTTP answer.

There are some checks of your domain - from this morning (or yesterday in your time zone) - https://check-your-website.server-daten.de/?q=gitlab.ndc.com


13. TXT - Entries

No TXT entries found

means there is no TXT entry.

And if you want to use DNS validation, you must use another command:

 letsencrypt certonly -d gitlab.ndc.com --manual --preferred-challenges dns
Okay. Sorry, Juergen, I wasn’t aware of having a TXT entry added to our DNS server. So, just to be sure, I need to ask our sysadmin team to add a TXT entry to an already created domain on our DNS server. Is that correct?

Currently you are using HTTP-01 validation, for which Let’s Encrypt will try to resolve the domain and find content on the web server.

Since this is an internal portal, you should ask your sysadmin team to complete the validation (by adding a TXT record) every 60 days via a manual action on the ATT NS server (which should be your external NS server for this domain).
This might be painful, so you might want to also ask your sysadmin team if there’s any method to automate the process. They might want to write some scripts to add/remove the specified record automatically. The scripts can be specified with certbot hooks (--manual-auth-hook for adding and verifying the record, --manual-cleanup-hook for removing the record after validation has passed).

Thank you

Thanks Steve. I’ll check with my sysadmin team if they can automate the validation process. Between, is there a requirement to change the TXT record every 60 days?

Each time you attempt to request a certificate, you’ll be asked to add a specific TXT record (every attempt has a different value) to your DNS records. Let’s Encrypt will attempt to find the record on your external DNS and validate whether it is what you were required to add. After you have completed/failed the challenge, you are able to remove it (and this is recommended).
The reason I said you might need to add a TXT record every 60 days is because certbot will attempt to renew your certificate starting from the 60-day point, and if you used the manual plugin (--manual), the certificate will not renew automatically.

Thank you

I see. So, in that case, instead of using the manual plug-in, is there an option such as
“letsencrypt certonly -d domain_name --preferred-challenges dns” or something similar along those lines? I don’t intend to manually renew the certificates every 60 days.

This will still result in a manual operation… (since certbot can’t complete the challenge automatically).
However, the manual plugin doesn’t mean you must manually complete the challenge.
If you use --manual with the hook / script I mentioned (if your sysadmin can make one), the renewal process will complete automatically.

P.S. Renewing with certonly will not reload your website configuration automatically: your certificate will be renewed (if successful) but your web server will still use the old configuration / certificate, so you’ll need to reload your web server manually.
You can specify --installer apache or --installer nginx when requesting/renewing the certificate, so certbot will know what web server to reload if a new certificate is issued (or renewed).

Thank you
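The hook approach Steve describes in the replies above (a script for --manual-auth-hook that publishes the per-attempt TXT value, and one for --manual-cleanup-hook that removes it), as an added example that is not part of the original thread and not certbot's own code. It assumes a setup the thread does not describe: that the authoritative server for the zone includes a flat file (ZONE_FILE, default path assumed) so that appending a line there and reloading publishes the record, and an optional RELOAD_CMD for that reload. The environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION are the ones certbot exports to manual hooks; the `_acme-challenge.<domain>` TXT name is the one the dns-01 challenge type uses.

```shell
#!/bin/sh
# Hypothetical certbot hook script (added example, not from the thread).
# certbot runs --manual-auth-hook before and --manual-cleanup-hook after the
# dns-01 challenge, exporting CERTBOT_DOMAIN and CERTBOT_VALIDATION to both.
# Assumed setup: the authoritative server for ndc.com includes the flat file
# $ZONE_FILE, so appending a line there publishes the record after a reload.

ZONE_FILE="${ZONE_FILE:-/etc/bind/acme-challenges.zone}"   # assumed path
RELOAD_CMD="${RELOAD_CMD:-}"   # e.g. "rndc reload ndc.com"; assumed, unset here

# Let's Encrypt queries _acme-challenge.<domain> TXT for dns-01.
challenge_name() {
    printf '_acme-challenge.%s.' "$1"
}

# One zone-file line; the value is whatever certbot handed us (it differs per attempt).
challenge_record() {
    printf '%s 60 IN TXT "%s"\n' "$(challenge_name "$1")" "$2"
}

# Poll a resolver until the record is visible: the CA only sees it after the
# zone has been reloaded and propagated. Only used when ACME_VERIFY=1, so the
# script also runs where dig or outbound DNS are unavailable.
wait_for_record() {
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short TXT "$(challenge_name "$1")" | grep -qF "\"$2\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "record for $1 not visible after 5 minutes" >&2
    return 1
}

# --manual-auth-hook: publish the record, reload, optionally wait for it.
acme_auth_hook() {
    if [ -z "$CERTBOT_DOMAIN" ] || [ -z "$CERTBOT_VALIDATION" ]; then
        echo "CERTBOT_DOMAIN / CERTBOT_VALIDATION not set" >&2
        return 1
    fi
    challenge_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" >> "$ZONE_FILE"
    if [ -n "$RELOAD_CMD" ]; then eval "$RELOAD_CMD"; fi
    if [ "${ACME_VERIFY:-0}" = 1 ]; then
        wait_for_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    fi
}

# --manual-cleanup-hook: drop only this domain's challenge lines, so records
# for other names validated in the same run are left in place.
acme_cleanup_hook() {
    if [ -z "$CERTBOT_DOMAIN" ]; then
        echo "CERTBOT_DOMAIN not set" >&2
        return 1
    fi
    name="$(challenge_name "$CERTBOT_DOMAIN") "
    tmp="$ZONE_FILE.tmp.$$"
    grep -v -F "$name" "$ZONE_FILE" > "$tmp" || true   # grep exits 1 if nothing remains
    mv "$tmp" "$ZONE_FILE"
    if [ -n "$RELOAD_CMD" ]; then eval "$RELOAD_CMD"; fi
}

# certbot calls the same file for both hooks; the argument selects the role:
#   certbot certonly --manual --preferred-challenges dns -d gitlab.ndc.com \
#     --manual-auth-hook "/usr/local/sbin/acme-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/sbin/acme-hook.sh cleanup"
case "${1:-}" in
    auth)    acme_auth_hook ;;
    cleanup) acme_cleanup_hook ;;
esac
```

Because the TXT value changes on every attempt, the hook must never cache a previous value; it writes exactly what certbot passes in and removes it afterwards, which is also why the cleanup step matches on the record name rather than on the value.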

Thanks for clarifying and the info Steve. Yes, I understand that renewing the cert will renew the cert only and not reload the cert.

I’m revisiting this issue and I wanted to know what should be placed in the TXT record for the DNS validation to succeed in order to obtain the SSL cert?


Please take a look at this page https://letsencrypt.org/docs/challenge-types/

Thanks Steve. However, according to the document, it says the ACME client will provide a token, which can then be inserted into a DNS TXT record. At the moment, we aren’t able to generate the token from Let's Encrypt.

How can we generate this token?

If you run the command: certbot certonly -d domain_name --preferred-challenges dns, you can see the required value / record you need to add to your DNS panel.

Here you go. I ran the certbot command with the necessary options and here is what I receive.

certbot certonly -d gitlab.xxx.com --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

As you see, it’s complaining that none of the preferred challenges are supported by the plugin.

Sorry, it should be: certbot certonly --manual -d domain_name --preferred-challenges dns

