A little help please

rg305 · December 14, 2022, 5:05pm

Some DNS systems return:

[NOT ns.prs-calarasi.ro]

That's hit or miss.
Your authoritative DNS system is NOT configured correctly.

ctinleonard · December 14, 2022, 5:31pm

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: www.prs-calarasi.ro
Serial Number: 35603b62da9c62a4a2c6d73fea3c5a7eb7f
Key Type: RSA
Domains: www.prs-calarasi.ro
Expiry Date: 2023-03-14 12:14:38+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.prs-calarasi.ro/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.prs-calarasi.ro/privkey.pem

rg305 · December 14, 2022, 5:46pm

That is only one cert.
And it only has one name one it [not both].

ctinleonard · December 14, 2022, 6:02pm

perfect
and to the same certificate I want to add the name prs-calarasi.ro
I don't want to issue another certificate
how can I enter the name prs-calarasi.ro in the same certificate?

rg305 · December 14, 2022, 6:06pm

Certificates can't be modified.
You have to get a new one.

hmm...
Go back in time and get that cert with both names on it - LOL

ctinleonard · December 14, 2022, 6:07pm

certbot certonly --non-interactive --agree-tos --nginx -m leo@tvnl.eu -d www.prs-calarasi.ro -d prs-calarasi.ro

Missing command line flag or config entry for this setting:
You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/www.prs-calarasi.ro.conf)

It contains these names: www.prs-calarasi.ro

You requested these names for the new certificate: www.prs-calarasi.ro, prs-calarasi.ro.

Do you want to expand and replace this existing certificate with the new certificate?

(You can set this with the --expand flag)

MikeMcQ · December 14, 2022, 6:17pm

Try adding the --expand option as it describes

ctinleonard · December 14, 2022, 6:21pm

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: www.prs-calarasi.ro
Serial Number: 3f0c6da22e5b18d8d8f72bafd1b5754bcb2
Key Type: RSA
Domains: prs-calarasi.ro www.prs-calarasi.ro
Expiry Date: 2023-03-14 17:18:22+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.prs-calarasi.ro/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.prs-calarasi.ro/privkey.pem

now I think it's ok

ctinleonard · December 14, 2022, 6:22pm

MikeMcQ
super
you are best of the best
thx

ctinleonard · December 14, 2022, 6:30pm

everything correct

rg305 · December 14, 2022, 7:47pm

There may still be a DNS issue...
But obviously that is not something you care about.

ctinleonard · December 15, 2022, 6:39am

does it look good now?
where is reliable DNS checked?

rg305 · December 15, 2022, 7:01am

Not from my DNS server

Using default root hints, I sometimes get:

prs-calarasi.ro nameserver = ns1-prs-calarasi.ro [217.79.185.18]

And sometimes get:

prs-calarasi.ro nameserver = prs-calarasi.ro [145.53.227.236]

I use this site a lot:
DNS Spy report for prs-calarasi.ro
[but it is not foolproof]

rg305 · December 15, 2022, 7:06am

Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 1
    QUESTIONS:
        prs-calarasi.ro, type = NS, class = IN
    ANSWERS:
    ->  prs-calarasi.ro
        nameserver = prs-calarasi.ro
        ttl = 85946 (23 hours 52 mins 26 secs)
    ADDITIONAL RECORDS:
    ->  prs-calarasi.ro
        internet address = 145.53.227.236
        ttl = 33231 (9 hours 13 mins 51 secs)
------------
Non-authoritative answer:
prs-calarasi.ro
        nameserver = prs-calarasi.ro
        ttl = 85946 (23 hours 52 mins 26 secs)
prs-calarasi.ro
        internet address = 145.53.227.236
        ttl = 33231 (9 hours 13 mins 51 secs)

rg305 · December 15, 2022, 7:07am

Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 1
    QUESTIONS:
        prs-calarasi.ro, type = NS, class = IN
    ANSWERS:
    ->  prs-calarasi.ro
        nameserver = ns1.prs-calarasi.ro
        ttl = 604527 (6 days 23 hours 55 mins 27 secs)
    ADDITIONAL RECORDS:
    ->  ns1.prs-calarasi.ro
        internet address = 217.79.185.18
        ttl = 85354 (23 hours 42 mins 34 secs)
------------
Non-authoritative answer:
prs-calarasi.ro
        nameserver = ns1.prs-calarasi.ro
        ttl = 604527 (6 days 23 hours 55 mins 27 secs)
ns1.prs-calarasi.ro
        internet address = 217.79.185.18
        ttl = 85354 (23 hours 42 mins 34 secs)

MikeMcQ · December 15, 2022, 4:04pm

@tooponn Are you working with @ctinleonard

Because I thought we already resolved getting the right names in the same cert.

As a note, once a cert is issued it cannot be changed.

rg305 · December 15, 2022, 5:58pm

Imaging a LE certificate as a "picture".
A "picture" of a certain "group of people" [up to 100 fit into any one shot].
In this case, it was a "picture" of only one "person".
That "picture" was taken many days ago.
Now you want to "edit" that "picture" and add another "person" into it.
A person who was not there.. who wasn't at that place at that time [not in the "picture"].
You will need to take another "picture" [this time with both "people" in it].

ctinleonard · December 16, 2022, 6:28pm

No DNSSEC records found. Consider enabling DNSSEC, as it provides a way to validate DNS responses for data integrity.
but I have something like that already installed
DNS Checker - DNS Check Propagation Tool
DNSSEC Analyzer - prs-calarasi.ro

Bruce5051 · December 16, 2022, 6:50pm

As others have pointed out there are DNS issues, this is just so collect into a quick list of results.

system · January 31, 2023, 6:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.