DNS-01 challenge fails for CNAME-delegated subdomains (DNS resolution error) / Request for update cerbot-dns-desec plugin

[Hendrixx-hue]

Description

When using Nginx Proxy Manager (NPM) to create Let’s Encrypt certificates via DNS-01 challenge, certificate issuance fails for CNAME-delegated subdomains, although the same setup works with certbot on another machine.

Environment

Nginx Proxy Manager: v2.12.6 and latest

Deployment: Docker (docker-compose)

Docker version: 28.3.3 (or latest)

Host system: Proxmox 8 and 9 in LXC (Debian 12)

Custom DNS in Docker: none configured

ACME CA: Let’s Encrypt (production and staging)

DNS Setup

Registered main domain, Subdomains delegated via CNAME records to:

DuckDNS or
deSEC DNS

DNS-01 challenge using TXT records

Expected Behavior

NPM should successfully resolve Let’s Encrypt ACME endpoints and complete the DNS-01 challenge for CNAME-delegated subdomains.

Actual Behavior

v2.12.6:
CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Encountered exception during recovery: certbot.errors.PluginError: Could not find suitable domain in your account (did you create it?): _acme-challenge.sub.fqdn.de
Could not find suitable domain in your account (did you create it?): _acme-challenge.sub.fqdn.de
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

Latest version: Generic “Internal Error”

Relevant Log Output
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443):
Max retries exceeded with url: /directory
(Caused by NameResolutionError:
Failed to resolve 'acme-v02.api.letsencrypt.org'
([Errno -3] Temporary failure in name resolution))

Certificate issuance fails before completion

Additional Notes

The same domain and DNS setup works flawlessly when using certbot directly (Debian, certbot 5.2, Python 3.11).

DNS-01 certificates succeed in NPM when:

Using DuckDNS domain directly

Using deSEC DNS directly for another Domain

The issue only occurs with CNAME-delegated subdomains for both DNS plugins. However, I was able to generate a *-Wildcard Cert for my domain CNAMEd to DuckDns a while ago, which can be renewed without hassel. It seems that I cannot create more new certificates anymore (I had only 2 so far).

I appreciate your help in this case, since it is driving me insane
Jan

[Hendrixx-hue]

Hypothese

This appears to be a DNS resolution issue caused by split-brain DNS, not a problem with Let’s Encrypt or the domain registration itself.

Findings

I am using split-brain DNS:

Internal DNS zones use the same domain names as external
Internal DNS correctly resolves internal A records

However, the internal DNS does NOT know about external _acme-challenge CNAME/TXT delegations

Impact

NPM (inside Docker) resolves DNS using the internal DNS server During the DNS-01 challenge:

_acme-challenge. is resolved internally

The internal DNS does not forward or delegate these records to the external DNS provider. This may result in failed DNS resolution and ultimately causes the ACME client to fail early, leading to the observed error.

Resolution

Not yet found.

[Hendrixx-hue]

I have 2 comments to this.

1. duckdns seems again working when using following changes to docker-compose.yml

   dns:

   • 8.8.8.8
   • 9.9.9.9

2. desec is not working, maybe because of some hotfixes needed in the plugin?

https://talk.desec.io/t/patch-for-cname-support-with-certbot-dns-desec/1438

Current release => certbot-dns-desec 1.3.2

installed version in v2.13.5
"desec": {
"name": "deSEC",
"package_name": "certbot-dns-desec",
"version": "~=1.2.1",
"dependencies": "",
"credentials": "dns_desec_token = YOUR_DESEC_API_TOKEN\ndns_desec_endpoint = https://desec.io/api/v1/",
"full_plugin_name": "dns-desec"

Can I change it somehow manually?

[Hendrixx-hue]

### Resolution / Workaround

I think I was able to resolve the issue by manually updating the deSEC DNS plugin version used by Nginx Proxy Manager.

Root Cause

NPM was using an outdated deSEC DNS plugin (v1.2.1), which fails with:

Could not find suitable domain in your account (did you create it?)

After manually upgrading the plugin to v1.3.2, the DNS-01 challenge works correctly for my CNAMEd Domains.

Workaround Steps

Step 1: Copy the plugin definition file from the container

docker cp nginx-proxy-manager:/app/certbot/dns-plugins.json ./dns-plugins.json

Step 2: Update the plugin version locally

Edit dns-plugins.json and change the deSEC plugin version to:

"version": "~=1.3.2",

Step 3: Mount the updated file back into the container (read-only)
Add this to your docker-compose.yml file:

volumes:
  - ./dns-plugins.json:/app/certbot/dns-plugins.json:ro

Restart the container and check for logs.

Connect to the container and check the version string.

docker exec -it nginx-proxy-manager /bin/bash
pip index versions certbot-dns-desec
exit

Result

DNS-01 challenge via deSEC DNS works as expected and certificates can be issued successfully via the NPM UI

Final Notes

This confirms the issue was caused by an outdated DNS plugin version, not by DNS configuration, domain delegation, or Let’s Encrypt itself.

[jaredcdep]

Was the plugin updated in the project?

We have a similar split dns setup and I am looking at NginxProxyManager

[Hendrixx-hue]

TLDR;
If you mean the deSEC DNS Plugin: according to this = > no, not yet (as of writing this in 2026-01-13).
https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/backend/certbot/dns-plugins.json

DR;
I updated the plugin from outside the docker container, since after a reboot/reload of the stack the original config from the package maintainer seems to be loaded. Therefore, I took the origignal dns-plugins file, modified the version string of the deSEC Plugin manually, put it in the directory where the docker-compose.yml sits, mounted it inside my docker-compose.yml as additionally resource and reloaded the stack.
There are still some issues happening here and the certificate generation is not perfect. However, some errors are maybe due to the new ui, I guess?

Maybe I will open a pull request to update the version of the DNS plugin, since this issue itself is closed.

Best regards,
Jan

[jaredcdep]

Thanks for the info

Apologies - I think I read your OP wrong - I would probably be using the rfc2136 plugin that does not have cname support at all it seems

In dehydrated nsupdate and caddy rfc2136 plugin I can specify the cname - plus the resolver that the plugin should use to check the dns zones (we also have split dns)

[SpaceAgeHero]

I'm running NPM within a Proxmox LXC. Do you know which file I can replace manually?

[Hendrixx-hue]

As far as I know, if you are running NPM on LXC, not inside a docker, I suggest you install/update the dns plugin manually and systemwide. NPM and the underlying certbot are using the globally installed plugins.

check which plugins are installed:
certbot plugins
/opt/certbot/bin/pip show certbot-dns-desec

Depending on your installation method, I may have used the LXC community script and I would suggest:
/opt/certbot/bin/pip install --upgrade certbot certbot-dns-XXXXX

Don't forget to reboot ? Otherwise I have had issues with not finding the plugin.

You can try to get a certificate manually using the certbot commands. If this worked, NPM worked out for me also.
See e.g.
https://pypi.org/project/certbot-dns-desec/

[SpaceAgeHero]

Thanks a lot for your efforts. Very comprehensive instructions.
I was able to verify the outdated desec plugin that way and also upgrading worked.
However when I try to manually obtain a wildcard certificate according to the documentation I get this error:
certbot: error: unrecognized arguments: --dns-desec-credentials

When trying this from NPM web UI, I still get an internal error.
Also right after that, plugin version is back to 1.2.1 when checking in CLI.

[Hendrixx-hue]

The --dns-desec-credentials should also work in v1.2.1.

How did you setup your NPM in your LXC, if not using docker?

[SpaceAgeHero]

Proxmox VE Helper-Scripts

Also tried /app/scripts/install-certbot-plugins as suggested on the page, but didn't help either.
I have deployed individual subdomain certificates for now by http method until this hopefully gets updated / fixed.
Thanks for your help.

[alju67]

Hello,

I'm also in this case (NPM 2.14 in Proxmox LXC)

/opt/certbot/bin/pip show certbot-dns-desec
--> certbot-dns-desec version 1.2.1

making upgrade /opt/certbot/bin/pip install --upgrade certbot certbot-dns-desec
--> Successfully installed certbot-dns-desec-1.3.2

/opt/certbot/bin/pip show certbot-dns-desec
--> certbot-dns-desec version 1.3.2

reboot

/opt/certbot/bin/pip show certbot-dns-desec
--> certbot-dns-desec version 1.2.1 back again :-(

Any other ideas ?