Tags: Networking, Cloudflare, production

Let's Encrypt certificate renewal fails with DNS problem: NXDOMAIN

Mar 14, 2026
Confidence score: 6%

Problem

Certbot DNS-01 challenge renewal fails with 'DNS problem: NXDOMAIN'. The TXT record for _acme-challenge.example.com is visible in dig output from your local resolver, yet ACME validation still fails. Let's Encrypt uses Google's 8.8.8.8 and Cloudflare's 1.1.1.1 as DNS validators, and those resolvers may see a different DNS state than your local one, either because your authoritative DNS has not finished replicating the new record or because they cached an earlier NXDOMAIN response for the name.

Error Output

DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com - check that a DNS record exists for this domain


Status: New fix, unverified and awaiting verification

Resolve NXDOMAIN Issue for Let's Encrypt Certificate Renewal

Medium Risk

The NXDOMAIN error occurs because the DNS resolvers used by Let's Encrypt (Google's 8.8.8.8 and Cloudflare's 1.1.1.1) are unable to find the TXT record for _acme-challenge.example.com. This can happen due to DNS propagation delays, caching issues, or incorrect DNS configurations. Your local resolver may show the correct TXT record, but external resolvers may not have updated yet or may have cached an old NXDOMAIN response.


1. Check DNS Configuration

   Verify that the TXT record for _acme-challenge.example.com is correctly configured in your DNS settings. Ensure that there are no typos in the record name and that the record is set to the correct value.

   ```bash
   # Expect "status: NOERROR" and a TXT answer; "status: NXDOMAIN" means this resolver does not know the name at all
   dig TXT _acme-challenge.example.com
   ```

2. Flush DNS Cache

   If the TXT record is correct but still not resolving, flush your local DNS cache to ensure that outdated records are not being used. The command depends on your operating system; the one below is for systemd-resolved.

   ```bash
   # Older systemd-resolved spelling; on current releases the equivalent is: resolvectl flush-caches
   sudo systemd-resolve --flush-caches
   ```

3. Use Alternative DNS Resolvers

   Temporarily change your DNS resolver settings to use different public DNS servers like OpenDNS (208.67.222.222, 208.67.220.220) or Quad9 (9.9.9.9) to check if the issue persists. This can help determine if the problem is with the current DNS resolvers.

   ```bash
   # Overwrites /etc/resolv.conf with a single nameserver line: back the file up first, and note that systemd-resolved may regenerate it
   echo 'nameserver 208.67.222.222' | sudo tee /etc/resolv.conf
   ```

4. Wait for DNS Propagation

   If you have recently updated the DNS records, it may take some time for the changes to propagate across all DNS servers. Wait for at least 30 minutes to 1 hour and then retry the Certbot renewal process.

   ```bash
   # Add --dry-run to rehearse the renewal against the staging environment without spending production rate limits
   sudo certbot renew
   ```

5. Verify with External DNS Check

   Use an external DNS checking tool (like MXToolbox or DNSChecker) to verify that the TXT record is visible to external resolvers. This will confirm whether the issue is DNS propagation or configuration.

   https://mxtoolbox.com/TXTLookup.aspx
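The comparison that steps 1 and 5 ask for, as an added example that is not part of this fix page: a standard-library Python script that sends a TXT query straight to a chosen resolver and reports the DNS response code, so that a cached NXDOMAIN at 8.8.8.8 or 1.1.1.1 (rcode 3) can be told apart from a record that simply has not replicated yet (NOERROR with an empty answer section). It assumes UDP port 53 is reachable and that the reply fits in one datagram; query_txt and the other function names are the example's own.

```python
import os
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_txt_query(name, txid=0x1234):
    """Standard DNS query (RD set) for the TXT record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def _skip_name(msg, off):
    """Offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def parse_txt_response(msg):
    """Return the response code name and any TXT strings in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    txts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:  # TXT rdata: sequence of <len><bytes> character-strings
            p = off
            while p < off + rdlen:
                txts.append(msg[p + 1:p + 1 + msg[p]].decode(errors="replace"))
                p += 1 + msg[p]
        off += rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "txt": txts}

def query_txt(name, resolver, timeout=3.0):
    """Send one UDP query to `resolver` (an IP string) and parse the reply; needs network access."""
    txid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID, as real resolvers use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data)
```

Call query_txt("_acme-challenge.example.com", "8.8.8.8"), the same for 1.1.1.1, and again against each of your zone's authoritative nameservers; when the authoritative servers answer NOERROR with the TXT value but a public resolver still returns NXDOMAIN, that resolver's negative cache has to expire before a certbot retry can succeed.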

Validation

To confirm the fix worked, run the Certbot renewal command again. If the renewal is successful without any NXDOMAIN errors, the issue has been resolved. Additionally, verify that the TXT record is visible using external DNS lookup tools.
