I recently ran into this issue when trying to create / renew my SSL certificate with Nginx Proxy Manager and wanted to share what I did to finally get it renewed to help save others hours of the same issue.
The Problem
No matter how many times I tried, I would continually get this response when trying to renew or create a certificate using a DNS challenge with DuckDNS using Nginx Proxy Manager: The DNS response does not contain an answer to the question: IN TXT
Context
My home network stack is composed of:
A fairly standard AdGuard instance running on a Raspberry Pi
A Home Assistant instance running AdGuard and Nginx Proxy Manager
DuckDNS routes
My AdGuard instances were redirecting DNS queries for my Home Assistant domain, call it my-home-assistant.duckdns.org, to the IP of my Nginx Proxy Manager instance, which was running on my Home Assistant.
The Solution
I’m not sure what tipped me off, but it dawned on me that the AdGuard instances may have been interfering with the certificate renewal process, even though I was making a DNS challenge using DuckDNS, and lo and behold, I was correct.
I removed the AdGuard DNS instances from my router’s DNS table, navigated to my Home Assistant’s IP, went to the Nginx Proxy Manager instance and performed the certificate renewal again, and it worked!
I’m not sure what in AdGuard is causing DuckDNS to return this kind of response but the solution is to remove AdGuard from your DNS on the router and then perform your certificate renewal.
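The check I would run before touching the router, as an added example that is not part of the thread: a small DNS TXT probe that shows what the certbot error "does not contain an answer to the question ... IN TXT" looks like on the wire. One plausible mechanism (my assumption, not something the posts establish) is that a local rewrite for myha.duckdns.org makes the resolver answer that name itself for every record type, so the plugin's TXT lookup gets NOERROR with an empty answer section (NODATA) instead of being forwarded to DuckDNS. The domain, the resolver addresses and the reply bytes below are constructed for illustration, not captured traffic.

```python
# Added example, not from the thread: a tiny DNS TXT probe that shows what the
# certbot error "does not contain an answer to the question ... IN TXT" looks
# like on the wire. Assumed mechanism (not stated in the thread): a local
# rewrite for myha.duckdns.org makes the resolver answer that name itself for
# every record type, so the TXT lookup gets NOERROR with an empty answer section
# (NODATA) instead of being forwarded. Name, resolver IPs and reply bytes are
# constructed, not captured.
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1


def build_txt_query(name, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set) + QNAME + QTYPE=TXT + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _skip_name(msg, off):
    """Return the offset just past a domain name, plain labels or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def classify_txt_response(msg):
    """Parse a reply; report rcode, answer count, TXT strings and a verdict."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    txts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            i = 0                                # TXT RDATA: <len><chars> ...
            while i < rdlen:
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
    if rcode != 0:
        verdict = "error"                        # e.g. NXDOMAIN or SERVFAIL
    elif an == 0:
        verdict = "nodata"                       # NOERROR but nothing answered: the symptom above
    else:
        verdict = "answer"
    return {"rcode": rcode, "answers": an, "txt": txts, "verdict": verdict}


def query_resolver(resolver_ip, name, timeout=3.0):
    """Live probe over UDP/53 (not exercised offline); run it against the AdGuard IP and a public resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify_txt_response(data)


# Constructed replies for myha.duckdns.org (the name quoted in the error message).
NAME = "myha.duckdns.org"
_QUESTION = build_txt_query(NAME)[12:]

# What an interfering rewrite produces: flags 0x8180 (QR, RD, RA, rcode 0), QD=1, AN=0.
REPLY_NODATA = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION

# What the authoritative side returns once the challenge TXT exists: one TXT RR
# whose owner name is a pointer (0xC00C) back to the question name.
_TXT = b"token-placeholder"
_RDATA = bytes([len(_TXT)]) + _TXT
REPLY_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(_RDATA)) + _RDATA)

if __name__ == "__main__":
    for label, reply in (("local rewrite", REPLY_NODATA), ("authoritative", REPLY_ANSWER)):
        print(label, classify_txt_response(reply))
```

To use it live, call query_resolver against the AdGuard address and a public resolver (say 192.168.1.2 and 1.1.1.1, both placeholders) with the same name: a "nodata" verdict from the local resolver next to an "answer" from the public one pins the failure on the local rewrite rather than on DuckDNS or certbot, which is exactly the situation the workaround in this thread addresses.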
You can force certbot not to use TXT, just add the following in the “Credentials File Content” text box when configuring DuckDNS, during the new proxy host setup:
Fixing the cert renewal for an existing host requires access to the conf files, no GUI option I’m afraid.
Edit the npm-??.conf file located in .../letsencrypt/renewal/ and add the dns_duckdns_no_txt_restore = True line there.
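Making that conf edit repeatable, as an added example that is not from the thread, Nginx Proxy Manager or certbot: a script that puts the dns_duckdns_no_txt_restore = True line under certbot's [renewalparams] section exactly once, keeps a .bak copy, and skips files that already have it. The sample conf is constructed with placeholder paths, and the renewal directory is whatever you pass in (the thread only gives .../letsencrypt/renewal/).

```python
# Added example, not from the thread, NPM or certbot: idempotently put
# "dns_duckdns_no_txt_restore = True" into certbot renewal confs (the
# npm-<id>.conf files under .../letsencrypt/renewal/). "[renewalparams]" is
# certbot's section for plugin options; the sample conf below is constructed
# with placeholder paths, and the renewal dir is an assumption you pass in.
import argparse
import re
import tempfile
from pathlib import Path

OPTION_LINE = "dns_duckdns_no_txt_restore = True"
OPTION_RE = re.compile(r"^\s*dns_duckdns_no_txt_restore\s*=", re.M)


def add_no_txt_restore(text):
    """Return the conf text with the option present exactly once, directly
    under [renewalparams]; returned unchanged if it is already there."""
    if OPTION_RE.search(text):
        return text
    out, inserted = [], False
    for line in text.splitlines():
        out.append(line)
        if not inserted and line.strip() == "[renewalparams]":
            out.append(OPTION_LINE)
            inserted = True
    if not inserted:                       # no section yet: add one at the end
        out += ["[renewalparams]", OPTION_LINE]
    return "\n".join(out) + "\n"


def patch_conf(path):
    """Rewrite one file in place, keeping a .bak copy; True if it changed."""
    original = path.read_text()
    updated = add_no_txt_restore(original)
    if updated == original:
        return False
    path.with_name(path.name + ".bak").write_text(original)
    path.write_text(updated)
    return True


def patch_renewal_dir(renewal_dir):
    """Patch every npm-*.conf in the directory; returns the paths that changed."""
    return [p for p in sorted(Path(renewal_dir).glob("npm-*.conf")) if patch_conf(p)]


# Constructed sample in certbot's renewal-conf layout (placeholder paths and ids).
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.0.0-placeholder
archive_dir = /etc/letsencrypt/archive/npm-1
cert = /etc/letsencrypt/live/npm-1/cert.pem
privkey = /etc/letsencrypt/live/npm-1/privkey.pem
[renewalparams]
authenticator = dns-duckdns
dns_duckdns_credentials = /etc/letsencrypt/credentials/credentials-1
"""


def demo():
    """Offline run: patch a temp copy twice; the second pass must be a no-op."""
    with tempfile.TemporaryDirectory() as d:
        conf = Path(d) / "npm-1.conf"
        conf.write_text(SAMPLE_CONF)
        first = patch_renewal_dir(d)
        second = patch_renewal_dir(d)
        return len(first), len(second), conf.read_text()


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("renewal_dir", nargs="?", help="e.g. /etc/letsencrypt/renewal (assumed path)")
    args = ap.parse_args()
    if args.renewal_dir:
        for p in patch_renewal_dir(args.renewal_dir):
            print("patched", p)
    else:
        print(demo()[2])
```

Run it with no argument to see the patched sample, or with the real renewal directory to patch every npm-*.conf there; the .bak copies let you diff or restore a file if a renewal behaves unexpectedly afterwards.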
I also have a similar error on my HA while trying to create the letsencrypt certificate, but my configuration is different:
HA (Hassio OS) running as a Proxmox VM
AdGuard is running as a Proxmox LXC container on the same Proxmox host
my AdGuard rewrites my HA URL (let’s name it myha.duckdns.org) to the LAN IP of my HA VM (192.168.x.y)
no nginx or nginx-proxy-manager add-on activated in my HA
no port forwarding to the HA VM in my router
on the duckdns.org web UI I pointed the URL myha.duckdns.org to the LAN IP of my HA VM (192.168.x.y)
With this configuration I tried to create a letsencrypt certificate using the DNS challenge method, but I always get the error
“Requesting a certificate for myha.duckdns.org The DNS response does not contain an answer to the question: myha.duckdns.org. IN TXT”
in the letsencrypt add-on log.
I also tried to add the line “dns_duckdns_no_txt_restore: True” to the letsencrypt add-on config in the DNS field.
If I disable AdGuard as my DNS, my HA URL won’t be resolved and I can’t open the HA web UI (as written: my AdGuard is also the DNS rewriter for the myha.duckdns.org address).
I managed to create a letsencrypt certificate (DNS challenge) in my Nginx Proxy Manager (also an LXC container on my Proxmox server), downloaded it and moved (via SFTP) the extracted (and renamed) privkey.pem and fullchain.pem to the /ssl folder on my HA. Now all apps (iOS, Android) connect to my server without error messages.
When I start the letsencrypt add-on in my HA, the log says “No certificate found - using ‘ecdsa’ key type.”. Is the add-on looking for the files in the right folder?
Go to both of your AdGuard instances and, where you map myha.duckdns.org to your Nginx Proxy Manager, update the mapping to tmp-myha.duckdns.org and keep the IP it’s pointing to.
Wait a few minutes for the DNS records to update, then go to your Nginx Proxy Manager and renew the cert; it should now work.
Revert the redirection from Step 2 and wait a few minutes for the records to update again.
I should mention that the cert was updated and showed as such in Nginx Proxy Manager; however, when I went to check the cert in the browser it said it was still set to expire the next day. When the day came it started using the newest cert, so don’t sweat it if it doesn’t look like it right away.
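The rename-and-revert steps above as a script, added here as an example that is not from the thread or from AdGuard. It drives AdGuard Home's rewrite endpoints (/control/rewrite/list, /control/rewrite/add and /control/rewrite/delete, taking JSON {"domain": ..., "answer": ...} over HTTP basic auth), which is the AdGuard Home API as I know it and should be treated as an assumption; the instance URLs, credentials and the domain are placeholders. Planning which entries to delete and add is kept separate from the HTTP calls so the plan can be checked offline.

```python
# Added example, not from the thread or from AdGuard: the three steps above as
# a script. The endpoints /control/rewrite/list, /control/rewrite/add and
# /control/rewrite/delete (JSON {"domain": ..., "answer": ...}, HTTP basic
# auth) are AdGuard Home's rewrite API as I know it (assumption); instance
# URLs, credentials and the domain are placeholders. Planning is separated
# from the HTTP calls so the plan can be checked offline.
import argparse
import base64
import json
import urllib.request

TMP_PREFIX = "tmp-"


def _entry(r):
    """Keep only the two keys the add/delete endpoints take."""
    return {"domain": r["domain"], "answer": r["answer"]}


def plan_swap(rewrites, domain, prefix=TMP_PREFIX):
    """Step 1: (delete, add) that moves `domain` to `tmp-domain`, keeping the answer IP."""
    current = [_entry(r) for r in rewrites if r["domain"] == domain]
    return current, [{"domain": prefix + domain, "answer": r["answer"]} for r in current]


def plan_revert(rewrites, domain, prefix=TMP_PREFIX):
    """Step 3: the inverse, moving `tmp-domain` back to `domain`."""
    current = [_entry(r) for r in rewrites if r["domain"] == prefix + domain]
    return current, [{"domain": domain, "answer": r["answer"]} for r in current]


class AdGuardHome:
    """Thin client for one instance; base_url like http://192.168.1.2:3000 (placeholder)."""

    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}

    def _call(self, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, headers=self.headers,
                                     method="POST" if data else "GET")
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def rewrites(self):
        return self._call("/control/rewrite/list")

    def apply(self, delete, add):
        for r in delete:
            self._call("/control/rewrite/delete", r)
        for r in add:
            self._call("/control/rewrite/add", r)


def run(instances, domain, revert):
    """Apply the swap (or its revert) on every instance, printing what changed."""
    planner = plan_revert if revert else plan_swap
    for ag in instances:
        delete, add = planner(ag.rewrites(), domain)
        ag.apply(delete, add)
        print(ag.base_url, "deleted", delete, "added", add)


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--domain", default="myha.duckdns.org")
    ap.add_argument("--instance", action="append", default=[], help="http://IP:PORT of each AdGuard")
    ap.add_argument("--user", default="admin")
    ap.add_argument("--password", required=True)
    ap.add_argument("--revert", action="store_true", help="step 3: put the original rewrite back")
    a = ap.parse_args()
    run([AdGuardHome(u, a.user, a.password) for u in a.instance], a.domain, a.revert)
```

Run it once with one --instance per AdGuard before the renewal, wait the few minutes the post recommends, renew in Nginx Proxy Manager, then run it again with --revert. While the temporary name is in place the domain resolves through DuckDNS rather than the local rewrite, so the HA web UI may be unreachable from inside the LAN for that window.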