Request error using DNS challenge type


I’m trying to request a new SSL cert for a subdomain but I’m getting an error during the validation process:

Validation of the required challenges did not complete successfully. Domain validation failed:
DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for this domain BadRequest urn:ietf:params:acme:error:dns

The challenge file gets created successfully, but for some reason the validation fails. What am I doing wrong?

Hi Nuri,

Validation can either be HTTP or DNS, it sounds like you currently have DNS validation selected (under the Authorization tab) but whichever DNS provider you are trying use has not created the required TXT record. If you intend to use DNS validation can you confirm you have configured the DNS provider API settings (it looks like your DNS is via AWS Route 53) and that the “Test” button passes OK.

If you mean to use HTTP validation instead (where Let’s Encrypt checks your site using http) check that http-01 is selected on the Authorization tab.

Hi webprofusion,

I have chosen DNS validation as I don’t have access to the web server for the root domain (I have access to the DNS for the domain).

The DNS is hosted in AWS Route53 and I have configured the API for it. I can confirm the TXT record gets created in the hosted zone (I can actually see the record), and then gets deleted once the SSL request fails. Below is the log entry:

2022-05-04 12:06:13.800 +10:00 [INF] ---- Beginning Request [domain redacted] ----
2022-05-04 12:06:13.800 +10:00 [INF] Certify/ (Windows; Microsoft Windows NT 10.0.17763.0)
2022-05-04 12:06:13.804 +10:00 [INF] Beginning Certificate Request Process: domain redacted using ACME Provider:Certes
2022-05-04 12:06:13.804 +10:00 [INF] Requested identifiers to include on certificate: domain redacted
2022-05-04 12:06:13.806 +10:00 [INF] Beginning certificate order for requested domains
2022-05-04 12:06:13.806 +10:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2022-05-04 12:06:15.110 +10:00 [INF] Created ACME Order:
2022-05-04 12:06:15.470 +10:00 [INF] Fetching Authorizations.
2022-05-04 12:06:16.547 +10:00 [INF] Got http-01 challenge
2022-05-04 12:06:16.907 +10:00 [INF] Got dns-01 challenge
2022-05-04 12:06:16.907 +10:00 [INF] Attempting Domain Validation: domain redacted
2022-05-04 12:06:16.908 +10:00 [INF] Registering and Validating domain redacted
2022-05-04 12:06:16.908 +10:00 [INF] Preparing automated challenge responses (domain redacted)
2022-05-04 12:06:16.911 +10:00 [INF] DNS: Creating TXT Record ‘_acme-challenge.domain redacted’ with value ‘hU3qlgRsnYzNhDVUR5YDDwy2n7fKDAkZ4yempMYx7_g’, in Zone Id ‘/hostedzone/Z16CEZHWWVFCX1’ using API provider ‘Amazon Route 53 DNS API’
2022-05-04 12:06:48.145 +10:00 [INF] DNS change completed.
2022-05-04 12:06:48.146 +10:00 [INF] DNS: Amazon Route 53 DNS API :: Dns Record Created/Updated: _acme-challenge.domain redacted
2022-05-04 12:06:48.147 +10:00 [INF] Requesting Validation: domain redacted
2022-05-04 12:07:18.288 +10:00 [INF] Attempting Challenge Response Validation for Domain: domain redacted
2022-05-04 12:07:18.289 +10:00 [INF] Registering and Validating domain redacted
2022-05-04 12:07:18.289 +10:00 [INF] Checking automated challenge response for Domain: domain redacted
2022-05-04 12:07:19.373 +10:00 [INF] Domain validation failed: domain redacted
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain redacted - check that a DNS record exists for this domain BadRequest urn:ietf:params:acme:error:dns

Thanks, you don’t need to redact the domain because you included it in your first post.

You mentioned you don’t have don’t have access to the root domain - I assume the Route 53 zone you are updating is the actual primary zone for this domain and not just a delegated zone for the ftp subdomain?

Once test you can do is manually create a TXT record called _acme-challenge-example.ftp with a value of hello. Then check that is actually resolving ok using (the TXT option).

The other thing you may need to do is increase the DNS propagation delay (it’s usually 60 seconds but your TXT record update needs time to copy to all the nameservers, so you could try increasing that to 120).

Thanks, I only redacted the domain as it wouldn’t let me make the post with too many links. I’ll give that a shot and let you know if there are any issues.

1 Like

No problem, note that you can wrap log files, urls etc with 3 backticks ``` before and after the content and the forum software (discourse) will see it as code and not try to make it into URLs etc.

Thanks for that. I also worked out the issue. Turns out someone had migrated the client’s DNS to our portal without my knowledge, so I had been trying to do this using their old DNS which was never going to work.

created a new user in the new Route53 portal and all is working now.

1 Like

Great, glad you got it working.