Add DNS provider for NGENIX #3036

Draft
ldez wants to merge 14 commits into go-acme:main from ldez:feat/dns/ngenix

Conversation

@ldez
Member

@ldez ldez commented May 4, 2026

Closes #3035

Ping @Freack89, can you run the command with your domain, credentials, etc. (and put the output of this command in a comment)?

make build
rm -rf .lego

NGENIX_USERNAME="xxx" \
NGENIX_PASSWORD="yyy" \
NGENIX_CUSTOMER_ID="zzz" \
./dist/lego run --dns ngenix -d '*.example.com' -d example.com -s letsencrypt-staging

Note that the wildcard domain is important.

How to test this PR?
  1. You need Go
  2. Check out the PR:
    git clone https://github.com/ldez/lego.git
    cd lego
    git checkout feat/dns/ngenix
  3. Compile lego:
    • if you have make: make build
    • if you don't have make: go build -o dist/lego ./cmd/lego
  4. Run the following command with your information (email, domain, credentials):
    NGENIX_USERNAME="xxx" \
    NGENIX_PASSWORD="yyy" \
    NGENIX_CUSTOMER_ID="zzz" \
    ./dist/lego run --dns ngenix -d '*.example.com' -d example.com -s letsencrypt-staging
    The wildcard domain is important
  5. Before each run of the command, you should clean your local environment:
    rm -rf .lego

@ldez ldez added enhancement area/dnsprovider waiting-for/user-tests Need users to test functionality waiting-for/contrib-feedback Awaiting feedback from the contributor. new-provider labels May 4, 2026
@ldez ldez marked this pull request as draft May 4, 2026 13:08
@ldez ldez force-pushed the feat/dns/ngenix branch from cbd7199 to 361d520 Compare May 4, 2026 13:28
@ldez ldez mentioned this pull request May 4, 2026
9 tasks
@ldez ldez force-pushed the feat/dns/ngenix branch from 361d520 to bb76e47 Compare May 4, 2026 21:44
@Freack89

Freack89 commented May 5, 2026

Hi.

$ NGENIX_USERNAME="yyy@xxx.ru" \
  NGENIX_PASSWORD="mepassword" \
  NGENIX_CUSTOMER_ID="SSSSS" \
  ./dist/lego run --dns ngenix -d '*.xxx.ru' -d xxx.ru -s letsencrypt-staging
2026-05-05T09:31:38.612967853+08:00 INFO  acme: Obtaining bundled SAN certificate. domains="*.xxx.ru, xxx.ru"
2026-05-05T09:31:39.968921478+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=tls-alpn-01
2026-05-05T09:31:39.968940578+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=http-01
2026-05-05T09:31:39.968961178+08:00 INFO  dns01: preparing to solve the challenge. domain=*.xxx.ru
2026-05-05T09:31:40.479861356+08:00 INFO  dns01: preparing to solve the challenge. domain=xxx.ru
2026-05-05T09:31:40.580089377+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=*.xxx.ru
2026-05-05T09:31:40.678305204+08:00 WARN  acme: cleaning up failed. domain=*.xxx.ru error="ngenix: list DNS zones: API error 0: Provided authorization is not valid"
2026-05-05T09:31:40.678337104+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=xxx.ru
2026-05-05T09:31:40.778771724+08:00 WARN  acme: cleaning up failed. domain=xxx.ru error="ngenix: list DNS zones: API error 0: Provided authorization is not valid"
2026-05-05T09:31:41.037679404+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289267084/1010887374

2026-05-05T09:32:12.566726440+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289267084/1010887384
2026-05-05T09:32:12.833444004+08:00 ERROR Error error="obtain certificate: error: one or more domains had a problem:\n[*.xxx.ru] [*.xxxru] dns01: error presenting token: ngenix: list DNS zones: API error 0: Provided authorization is not valid\n[xxx.ru] [xxx.ru] dns01: error presenting token: ngenix: list DNS zones: API error 0: Provided authorization is not valid\n"

P.S. xxx.ru - this is a modified domain.

@ldez
Member Author

ldez commented May 5, 2026

Can you try these two commands?

You should replace NGENIX_USERNAME, NGENIX_PASSWORD, and NGENIX_CUSTOMER_ID

curl -u "NGENIX_USERNAME/token:NGENIX_PASSWORD" -X GET 'https://api.ngenix.net/api/v3/whoami'
curl -u "NGENIX_USERNAME/token:NGENIX_PASSWORD" -X GET 'https://api.ngenix.net/api/v3/dns-zone?customerId=NGENIX_CUSTOMER_ID'

@Freack89

Freack89 commented May 5, 2026

Can you try these two commands?

These commands won't work. The token isn't a password, it's an API token. I have a working script that works. Here's the code:


Obtaining zones and their IDs

curl -u "123@xxx.ru/token:my_API_token" "https://api.ngenix.net/api/v3/dns-zone?customerId=SSSSS"

Result:

{"elements": [{"links": {"self": "https://api.ngenix.net/api/v3/dns-zone/1111111"}, "id": 1111111, "name": "testxxx.ru", "hints": {"dnssec": {"enabled": false}}, "modelName": "DnsZoneCollectionView"}, {"links": {"self": "https://api.ngenix.net/api/v3/dns-zone/2222222"}, "id": 2222222, "name": "xxx.ru", "hints": {"dnssec": {"enabled": false}}, "modelName": "DnsZoneCollectionView"}, {"links": {"self": "https://api.ngenix.net/api/v3/dns-zone/3333333"}, "id": 3333333, "name": "xxx2.ru", "hints": {"dnssec": {"enabled": false}}, "modelName": "DnsZoneCollectionView"}], "modelName": "Collection"}

Obtaining a zone by the received ID

curl -s -u "123@xxx.ru/token:my_API_token" "https://api.ngenix.net/api/v3/dns-zone/2222222" | jq '.records' > /tmp/test_records.json

Remove the read-only parameter and add the TXT record

jq -c '[.[] | del(.configRef?.link) | select(.name != "_acme-challenge.test.xxx.ru")] + [{"name":"_acme-challenge.test.xxx.ru","type":"TXT","data":"test-token-12345","ttl":60}]' /tmp/test_records.json > /tmp/test_updated.json

We patch the updated file for the entire zone on the hosting

curl -v -u "123@xxx.ru/token:my_API_token" -X PATCH -H "Content-Type: application/json" -H "accept: application/json" -d "{\"records\":$(cat /tmp/test_updated.json)}"   "https://api.ngenix.net/api/v3/dns-zone/2222222"

On hosting, the minimum TTL is 300 seconds. After adding a record to the DNS zone, you need to wait 300 seconds (the hosting recommendation is 600 seconds), then request a certificate, and then clear the zone.

Clearing the file of records

jq -c '[.[] | del(.configRef?.link) | select(.name != "_acme-challenge.test.xxx.ru")]' /tmp/test_records.json > /tmp/test_clean.json

We patch the updated file of the entire zone on the hosting (cleaned)

curl -v -u "123@xxx.ru/token:my_API_token" -X PATCH -H "Content-Type: application/json" -H "accept: application/json" -d "{\"records\":$(cat /tmp/test_clean.json)}"   "https://api.ngenix.net/api/v3/dns-zone/2222222"

This is part of a script that is manually edited as a reminder for the two zones xxx.ru and xxx2.ru, which is not very convenient.

@ldez
Member Author

ldez commented May 5, 2026

I will change the name of the env var from NGENIX_PASSWORD to NGENIX_TOKEN, but in the meanwhile can you try again and set your token inside the env NGENIX_PASSWORD when running lego?

@Freack89

Freack89 commented May 5, 2026

I will change the name of the env var from NGENIX_PASSWORD to NGENIX_TOKEN, but in the meanwhile can you try again and set your token inside the env NGENIX_PASSWORD when running lego?

Yes, result:

2026-05-05T10:19:31.724645749+08:00 INFO  acme: Obtaining bundled SAN certificate. domains="*.xxx.ru, xxx.ru"
2026-05-05T10:19:33.034767591+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=tls-alpn-01
2026-05-05T10:19:33.034788491+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=http-01
2026-05-05T10:19:33.034795891+08:00 INFO  dns01: preparing to solve the challenge. domain=*.xxx.ru
2026-05-05T10:19:33.908061854+08:00 INFO  dns01: preparing to solve the challenge. domain=xxx.ru
2026-05-05T10:19:34.397444125+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=*.xxx.ru
2026-05-05T10:19:34.855389562+08:00 WARN  acme: cleaning up failed. domain=*.xxx.ru error="ngenix: update DNS zone (remove): API error 0: '' should be non-empty - 'records.4.data'"
2026-05-05T10:19:34.855437562+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=xxx.ru
2026-05-05T10:19:35.316120794+08:00 WARN  acme: cleaning up failed. domain=xxx.ru error="ngenix: update DNS zone (remove): API error 0: '' should be non-empty - 'records.4.data'"
2026-05-05T10:19:35.565447670+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289268064/1011721594
2026-05-05T10:20:07.073916008+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289268064/1011721604
2026-05-05T10:20:07.331204675+08:00 ERROR Error error="obtain certificate: error: one or more domains had a problem:\n[*.xxx.ru] [*.xxx.ru] dns01: error presenting token: ngenix: update DNS zone (add): API error 0: '' should be non-empty - 'records.4.data'\n[xxx.ru] [xxx.ru] dns01: error presenting token: ngenix: update DNS zone (add): API error 0: '' should be non-empty - 'records.4.data'\n"

@ldez
Member Author

ldez commented May 5, 2026

can you pull, build, and run again?

Note: The env var name is now NGENIX_TOKEN.

@Freack89

Freack89 commented May 5, 2026

can you pull, build, and run again?

2026-05-05T10:55:03.479020540+08:00 INFO  Private key saved. filepath=/usr/adm/lego/.lego/accounts/acme-staging-v02.api.letsencrypt.org/noemail@example.com/noemail@example.com.key
2026-05-05T10:55:04.506632749+08:00 WARN  Please review the TOS. url=https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf
Do you accept the TOS? Y/n
y
2026-05-05T10:55:07.319140025+08:00 WARN  !!!! HEADS UP !!!!

Your account credentials have been saved in your
configuration directory at "/usr/adm/lego/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain private keys
generated by lego and certificates obtained from the ACME
server. Making regular backups of this folder is ideal.

2026-05-05T10:55:07.319444825+08:00 INFO  acme: Obtaining bundled SAN certificate. domains="*.xxx.ru, xxx.ru"
2026-05-05T10:55:08.396162200+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=tls-alpn-01
2026-05-05T10:55:08.396187900+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=http-01
2026-05-05T10:55:08.396195800+08:00 INFO  dns01: preparing to solve the challenge. domain=*.xxx.ru
2026-05-05T10:55:09.388938723+08:00 INFO  dns01: preparing to solve the challenge. domain=xxx.ru
2026-05-05T10:55:09.860039248+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=*.xxx.ru
2026-05-05T10:55:10.347031564+08:00 WARN  acme: cleaning up failed. domain=*.xxx.ru error="ngenix: update DNS zone (remove): API error 0: '' should be non-empty - 'records.2.data'"
2026-05-05T10:55:10.347060364+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=xxx.ru
2026-05-05T10:55:10.837599777+08:00 WARN  acme: cleaning up failed. domain=xxx.ru error="ngenix: update DNS zone (remove): API error 0: '' should be non-empty - 'records.2.data'"
2026-05-05T10:55:11.090064530+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1012270354
2026-05-05T10:55:42.597047165+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1012270364
2026-05-05T10:55:42.941181448+08:00 ERROR Error error="obtain certificate: error: one or more domains had a problem:\n[*.xxx.ru] [*.xxx.ru] dns01: error presenting token: ngenix: update DNS zone (add): API error 0: '' should be non-empty - 'records.2.data'\n[xxx.ru] [xxx.ru] dns01: error presenting token: ngenix: update DNS zone (add): API error 0: '' should be non-empty - 'records.2.data'\n"

@ldez
Member Author

ldez commented May 5, 2026

can you pull, build, and run again?

@ldez ldez force-pushed the feat/dns/ngenix branch from 1afcfe5 to 957b5f6 Compare May 5, 2026 03:26
@Freack89

Freack89 commented May 5, 2026

can you pull, build, and run again?

Yes, here's the result. I looked in the control panel: the records were created and cleared successfully, but the certificate didn't work.

2026-05-05T11:20:45.137441947+08:00 INFO  acme: Obtaining bundled SAN certificate. domains="*.xxx.ru, xxx.ru"
2026-05-05T11:20:46.458924381+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=tls-alpn-01
2026-05-05T11:20:46.458946181+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=http-01
2026-05-05T11:20:46.458960681+08:00 INFO  dns01: preparing to solve the challenge. domain=*.xxx.ru
2026-05-05T11:20:48.587759300+08:00 INFO  dns01: preparing to solve the challenge. domain=xxx.ru
2026-05-05T11:20:49.709440207+08:00 INFO  dns01: trying to solve the challenge. domain=*.xxx.ru
2026-05-05T11:20:49.710795006+08:00 INFO  dns01: waiting for record propagation timeout=1m0s interval=2s domain=*.xxx.ru
2026-05-05T11:20:51.714429030+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T11:20:53.719067150+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T11:20:55.721962068+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T11:20:57.724975083+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
...
2026-05-05T11:21:45.805678508+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T11:21:47.810519746+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T11:21:49.814869580+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T11:21:51.815966916+08:00 INFO  dns01: trying to solve the challenge. domain=xxx.ru
2026-05-05T11:21:51.817572114+08:00 INFO  dns01: waiting for record propagation timeout=1m0s interval=2s domain=xxx.ru
2026-05-05T11:21:53.820544245+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T11:21:55.824090772+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T11:21:57.827914296+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
...
2026-05-05T11:22:47.915785312+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T11:22:49.919510966+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T11:22:51.922855717+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T11:22:53.924004569+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=*.xxx.ru
2026-05-05T11:22:55.067388654+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=xxx.ru
2026-05-05T11:22:56.397976256+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1012711274
2026-05-05T11:23:28.500411710+08:00 WARN  Unable to get the authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1012711284 error="unable to communicate with the API server: error: Post \"https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1012711284\": POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1012711284 giving up after 2 attempt(s): acme: error: 400 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce"
2026-05-05T11:23:28.500458310+08:00 ERROR Error error="obtain certificate: error: one or more domains had a problem:\n[*.xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS х.х.х.х:53 returned NXDOMAIN for _acme-challenge.xxx.ru.\n[xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS х.х.х.х:53 returned NXDOMAIN for _acme-challenge.xxx.ru.\n"

@ldez
Member Author

ldez commented May 5, 2026

recursive nameservers: NS х.х.х.х:53 returned NXDOMAIN

I think this is a propagation issue, I increased the propagation timeout.

can you pull, build, and run again?

@Freack89

Freack89 commented May 5, 2026

I think this is a propagation issue, I increased the propagation timeout.

can you pull, build, and run again?

TXT records are created and even visible to external services (mxtoolbox), but it seems to me that the cleanup is happening too early, judging by the log.

2026-05-05T15:56:23.418527107+08:00 INFO  acme: Obtaining bundled SAN certificate. domains="*.xxx.ru, xxx.ru"
2026-05-05T15:56:24.720348759+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=tls-alpn-01
2026-05-05T15:56:24.720370159+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=http-01
2026-05-05T15:56:24.720389959+08:00 INFO  dns01: preparing to solve the challenge. domain=*.xxx.ru
2026-05-05T15:56:26.448296597+08:00 INFO  dns01: preparing to solve the challenge. domain=xxx.ru
2026-05-05T15:56:27.985764171+08:00 INFO  dns01: trying to solve the challenge. domain=*.xxx.ru
2026-05-05T15:56:28.098267689+08:00 INFO  dns01: waiting for record propagation timeout=10m0s interval=20s domain=*.xxx.ru
2026-05-05T15:56:48.287483520+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T15:57:08.483766737+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T15:57:28.655492584+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
...
2026-05-05T16:05:53.227035755+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T16:06:13.412771492+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T16:06:33.562802603+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T16:06:53.570087725+08:00 INFO  dns01: trying to solve the challenge. domain=xxx.ru
2026-05-05T16:06:53.753248305+08:00 INFO  dns01: waiting for record propagation timeout=10m0s interval=20s domain=xxx.ru
2026-05-05T16:07:13.922912375+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T16:07:34.082494508+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T16:07:54.322427099+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
...
2026-05-05T16:16:18.874143149+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T16:16:39.048494326+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T16:16:59.218529960+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T16:17:19.219492272+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=*.xxx.ru
2026-05-05T16:17:21.440491195+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=xxx.ru
2026-05-05T16:17:23.919956370+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1017504884
2026-05-05T16:17:24.447359063+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1017504894
2026-05-05T16:17:24.711824408+08:00 ERROR Error error="obtain certificate: error: one or more domains had a problem:\n[*.xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS 8.8.8.8:53 returned SERVFAIL for _acme-challenge.xxx.ru.\n[xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS 8.8.8.8:53 did not return the expected TXT record [fqdn: _acme-challenge.xxx.ru., value: 8qiNXMpe-gdbvVZII98nQ6sjllQv9mVqoNEJV2PS-S0]: \n"

@ldez
Member Author

ldez commented May 5, 2026

I think NGENIX doesn't support multiple records for the same name.

I changed the implementation.

can you pull, build, and run again?


it seems to me that the cleanup is happening too early,

This is not that: the error in the last log happens before the cleaning, but lego reports the result of the process after the operations.

@Freack89

Freack89 commented May 5, 2026

can you pull, build, and run again?

Yes, result:

2026-05-05T18:08:22.535145126+08:00 INFO  acme: Obtaining bundled SAN certificate. domains="*.xxx.ru, xxx.ru"
2026-05-05T18:08:23.881137685+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=tls-alpn-01
2026-05-05T18:08:23.881158285+08:00 INFO  acme: Could not find the solver. domain=xxx.ru type=http-01
2026-05-05T18:08:23.881181885+08:00 INFO  dns01: preparing to solve the challenge. domain=*.xxx.ru
2026-05-05T18:08:25.859259103+08:00 INFO  dns01: trying to solve the challenge. domain=*.xxx.ru
2026-05-05T18:08:25.954759316+08:00 INFO  dns01: waiting for record propagation timeout=10m0s interval=20s domain=*.xxx.ru
2026-05-05T18:08:46.316404859+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:09:06.544745262+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:09:26.720739564+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:09:46.906463944+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:10:07.075242455+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:10:27.241419681+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:10:47.420945273+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:11:07.583299114+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:11:27.753057311+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:11:47.931693090+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:12:08.119690979+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:12:28.315622902+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:12:48.503142703+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:13:08.685141004+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:13:28.846402846+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:13:49.126906391+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:14:09.283737039+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:14:29.434134079+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:14:49.606670295+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:15:09.789914920+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:15:29.965765795+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:15:50.121464455+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:16:10.306056452+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:16:30.456575887+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:16:50.633468294+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:17:10.815719817+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:17:30.989562388+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:17:51.206151751+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:18:11.385320031+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:18:31.555996000+08:00 INFO  dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-05T18:18:51.562856100+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=*.xxx.ru
2026-05-05T18:18:53.580572449+08:00 INFO  dns01: preparing to solve the challenge. domain=xxx.ru
2026-05-05T18:18:55.155268343+08:00 INFO  dns01: trying to solve the challenge. domain=xxx.ru
2026-05-05T18:18:55.249154806+08:00 INFO  dns01: waiting for record propagation timeout=10m0s interval=20s domain=xxx.ru
2026-05-05T18:19:15.557925214+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:19:35.741502920+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:19:55.916829966+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:20:16.103080332+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:20:36.264917283+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:20:56.435510578+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:21:16.625871010+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:21:36.797667246+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:21:56.975858556+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:22:17.148377168+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:22:37.339246052+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:22:57.518801762+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:23:17.696829590+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:23:37.864586258+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:23:58.034316452+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:24:18.294858935+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:24:38.447014337+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:24:58.616821659+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:25:18.800479813+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:25:38.976555840+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:25:59.145730244+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:26:19.326120500+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:26:39.472028191+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:26:59.658406794+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:27:19.847630977+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:27:40.021693475+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:28:00.192866573+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:28:20.373778352+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:28:40.545168250+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:29:00.726209236+08:00 INFO  dns01: waiting for record propagation. domain=xxx.ru
2026-05-05T18:29:20.745342212+08:00 INFO  dns01: cleaning DNS-01 challenge. domain=xxx.ru
2026-05-05T18:29:23.507489242+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1021370124
2026-05-05T18:29:24.027848743+08:00 INFO  Deactivating authorization. url=https://acme-staging-v02.api.letsencrypt.org/acme/authz/289286414/1021370134
2026-05-05T18:29:24.288712092+08:00 ERROR Error error="obtain certificate: error: one or more domains had a problem:\n[*.xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS 8.8.8.8:53 returned SERVFAIL for _acme-challenge.xxx.ru.\n[xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS 8.8.8.8:53 returned SERVFAIL for _acme-challenge.xxx.ru.\n"

@ldez
Member Author

ldez commented May 5, 2026

NS 8.8.8.8:53 returned SERVFAIL

This is a DNS error: try to change the resolvers.

@Freack89

Freack89 commented May 5, 2026

This is a DNS error: try to change the resolvers.

I checked with the hosting company about the record format. The record format should be _acme-challenge without specifying the domain. It adds it automatically, but now it turns out to be _acme-challenge.xxx.ru.xxx.ru

@ldez
Member Author

ldez commented May 5, 2026

the record format should be _acme-challenge without specifying the domain.

This is how I initially implemented the thing, but based on your comment #3036 (comment) I changed it.

I will revert the modifications.
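The manual flow from the curl/jq comment above (fetch the zone's records, drop the read-only configRef.link, PATCH the full record set back) combined with the relative-name rule from the last two comments, as an added Go example that is not the PR's provider code. The sample records are constructed, the only field names used are the ones visible in the thread, and matching the challenge record on name and type (instead of name alone, as the jq does) is my choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// zoneRecordsJSON is a constructed sample (not real NGENIX output) in the
// shape the thread's "jq '.records'" step extracts from GET /api/v3/dns-zone/{id}:
// one record carries the read-only configRef.link that must be dropped before
// PATCH, and a stale challenge record is left over from an earlier run.
const zoneRecordsJSON = `[
  {"name": "www", "type": "A", "data": "192.0.2.10", "ttl": 300,
   "configRef": {"link": "https://api.ngenix.net/api/v3/dns-zone/2222222/config"}},
  {"name": "mail", "type": "MX", "data": "10 mail.xxx.ru.", "ttl": 300},
  {"name": "_acme-challenge", "type": "TXT", "data": "stale-token", "ttl": 300}
]`

// Record stays a generic map so every field the API returned goes back
// unchanged: the PATCH replaces the whole record set, and a typed struct
// would silently drop fields it does not know about.
type Record = map[string]any

// stripReadOnly is the Go equivalent of jq's del(.configRef?.link).
// It edits the records in place (they are freshly decoded in challengeBody).
func stripReadOnly(records []Record) {
	for _, r := range records {
		if ref, ok := r["configRef"].(map[string]any); ok {
			delete(ref, "link")
		}
	}
}

// relativeName turns the FQDN lego hands a provider ("_acme-challenge.xxx.ru.")
// into the zone-relative name NGENIX expects ("_acme-challenge"); sending the
// FQDN produced _acme-challenge.xxx.ru.xxx.ru in the thread.
func relativeName(fqdn, zone string) (string, error) {
	f := strings.TrimSuffix(strings.ToLower(fqdn), ".")
	z := strings.TrimSuffix(strings.ToLower(zone), ".")
	if f == z {
		return "", fmt.Errorf("%q is the zone apex, the challenge name must be below it", fqdn)
	}
	if !strings.HasSuffix(f, "."+z) {
		return "", fmt.Errorf("%q is not inside zone %q", fqdn, zone)
	}
	return strings.TrimSuffix(f, "."+z), nil
}

// removeTXT drops only TXT records with the given relative name (the
// thread's jq matched on name alone, which would also take out an A or
// CNAME record that happened to share the name).
func removeTXT(records []Record, name string) []Record {
	out := make([]Record, 0, len(records))
	for _, r := range records {
		if r["name"] == name && r["type"] == "TXT" {
			continue
		}
		out = append(out, r)
	}
	return out
}

// challengeBody builds the PATCH body for one step from the current
// ".records" JSON: with a non-empty value it is the "add" step (any existing
// challenge TXT at that name is replaced, since the thread found NGENIX keeps
// one record per name); with an empty value it is the "remove" step.
func challengeBody(current []byte, fqdn, zone, value string, ttl int) ([]byte, error) {
	var records []Record
	if err := json.Unmarshal(current, &records); err != nil {
		return nil, fmt.Errorf("decode zone records: %w", err)
	}
	name, err := relativeName(fqdn, zone)
	if err != nil {
		return nil, err
	}
	stripReadOnly(records)
	records = removeTXT(records, name)
	if value != "" {
		records = append(records, Record{"name": name, "type": "TXT", "data": value, "ttl": ttl})
	}
	return json.Marshal(map[string]any{"records": records})
}

func main() {
	// TTL 300 is the hosting minimum mentioned in the thread.
	const fqdn, zone = "_acme-challenge.xxx.ru.", "xxx.ru"
	add, err := challengeBody([]byte(zoneRecordsJSON), fqdn, zone, "new-token", 300)
	if err != nil {
		panic(err)
	}
	fmt.Println("add:   ", string(add))
	rm, _ := challengeBody([]byte(zoneRecordsJSON), fqdn, zone, "", 0)
	fmt.Println("remove:", string(rm))
}
```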

@ldez
Member Author

ldez commented May 5, 2026

I reverted, so here we go again: pull, build, run

@Freack89

Freack89 commented May 5, 2026

I reverted, so here we go again: pull, build, run

While waiting on the neighboring server, the money team is now giving responses:

dig _acme-challenge.xxx.ru TXT @ns1.ngenix-dns.net

; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> _acme-challenge.xxx.ru TXT @ns1.ngenix-dns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59317
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;_acme-challenge.xxx.ru.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.xxx.ru. 300    IN      TXT     "cJbZXKQ1wM-xMvw7NXKWESY6JQ9iW3kClP0UsZLvF8E"
_acme-challenge.xxx.ru. 300    IN      TXT     "-ylt_J1amUH8wArkA96eKNGReZKVwVu38AwBMYbH12o"

;; Query time: 68 msec
;; SERVER: 212.193.150.254#53(ns1.ngenix-dns.net) (UDP)
;; WHEN: Tue May 05 21:23:37 +08 2026
;; MSG SIZE  rcvd: 164

2026-05-05T21:24:31.231056942+08:00 ERROR Error error="obtain certificate: error: one or more domains had a problem:\n[*.xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS 77.88.8.1:53 returned SERVFAIL for _acme-challenge.xxx.ru.\n[xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS 1.1.1.1:53 returned SERVFAIL for _acme-challenge.xxx.ru.\n"

@ldez
Member Author

ldez commented May 5, 2026

obtain certificate: error: one or more domains had a problem:
[*.xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS 77.88.8.1:53 returned SERVFAIL for _acme-challenge.xxx.ru.
[xxx.ru] dns01: time limit exceeded: last error: recursive nameservers: NS 1.1.1.1:53 returned SERVFAIL for _acme-challenge.xxx.ru.

This is still a DNS problem: when lego checks the propagation it calls the recursive nameservers, but the answers are SERVFAIL.

This problem is not a lego problem, but a network issue.
I think you either have something that intercepts the DNS calls or you have another problem related to some other restrictions.

@ldez
Member Author

ldez commented May 5, 2026

We can try something I don't recommend: we will disable the recursive propagation check.

NGENIX_USERNAME="xxx" \
NGENIX_PASSWORD="yyy" \
NGENIX_CUSTOMER_ID="zzz" \
./dist/lego run --dns ngenix -d '*.example.com' -d example.com -s letsencrypt-staging \
  --dns.propagation.disable-rns

@Freack89

Freack89 commented May 6, 2026

Good afternoon. Everything is working fine, but there were some local issues accessing the DNS servers.

2026-05-06T10:53:10.737510705+08:00 INFO acme: Obtaining bundled SAN certificate. domains="*.xxx.ru, xxx.ru"
2026-05-06T10:53:12.072083637+08:00 INFO acme: authorization already valid; skipping challenge. domain=xxx.ru
2026-05-06T10:53:12.072120437+08:00 INFO dns01: preparing to solve the challenge. domain=*.xxx.ru
2026-05-06T10:53:13.954704378+08:00 INFO dns01: trying to solve the challenge. domain=*.xxx.ru
2026-05-06T10:53:14.073930085+08:00 INFO dns01: waiting for record propagation timeout=10m0s interval=20s domain=*.xxx.ru
2026-05-06T10:53:34.267800746+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:53:54.469200310+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:54:14.658912401+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:54:34.846424202+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:54:55.040134094+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:55:15.229275191+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:55:35.417942383+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:55:55.625203234+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:56:15.834048470+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:56:36.022720821+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:56:56.227158528+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:57:16.418244132+08:00 INFO dns01: waiting for record propagation. domain=*.xxx.ru
2026-05-06T10:57:43.545371964+08:00 INFO The server validated our request. domain=*.xxx.ru
2026-05-06T10:57:43.545398764+08:00 INFO dns01: cleaning DNS-01 challenge. domain=*.xxx.ru
2026-05-06T10:57:45.580816382+08:00 INFO acme: Validations succeeded; requesting certificates. domains="*.xxx.ru, xxx.ru"
2026-05-06T10:58:17.400521239+08:00 INFO acme: waiting for certificates. timeout=30s interval=500ms domains="*.xxx.ru, xxx.ru"
2026-05-06T10:58:18.890753818+08:00 INFO Server responded with a certificate. domains="*.xxx.ru, xxx.ru"
2026-05-06T10:58:18.890904218+08:00 INFO Writing file. filepath=/usr/adm/lego/.lego/certificates/_.xxx.ru.crt
2026-05-06T10:58:18.890967818+08:00 INFO Writing file. filepath=/usr/adm/lego/.lego/certificates/_.xxx.ru.issuer.crt
2026-05-06T10:58:18.891008118+08:00 INFO Writing file. filepath=/usr/adm/lego/.lego/certificates/_.xxx.ru.key
2026-05-06T10:58:18.891088818+08:00 INFO Writing file. filepath=/usr/adm/lego/.lego/certificates/_.xxx.ru.json
