Able to issue against CNAME, but not the actual server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ccs.ornl.gov

I ran this command:
certbot certonly --webroot -w /var/www/html -d myproxy.ccs.ornl.gov -d myproxy1.ccs.ornl.gov

It produced this output:

[root@myproxy1 ~]# certbot certonly --webroot -w /var/www/html -d myproxy.ccs.ornl.gov -d myproxy1.ccs.ornl.gov
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for myproxy.ccs.ornl.gov
http-01 challenge for myproxy1.ccs.ornl.gov
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain myproxy.ccs.ornl.gov
Challenge failed for domain myproxy1.ccs.ornl.gov
http-01 challenge for myproxy.ccs.ornl.gov
http-01 challenge for myproxy1.ccs.ornl.gov
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
Apache HTTP Server

Name : httpd
Arch : x86_64
Version : 2.4.6
Release : 90.el7

The operating system my web server runs on is (include version):

NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.36.0

This problem started in the April time frame (when multi-endpoint validation was implemented, or at least coincidentally in that time frame). Validation/issuing became far more hit or miss at that time. At that time we were using acme.sh and the DNS TXT record validation method. This no longer works at all, even when using the staging endpoint. As a result, I've switched to certbot as I'm banging my head against a wall and we are close to expiration.

As you can see, we get SERVFAIL errors due to CAA records. At least this is the most frequent error. Sometimes it's for the A record. Sometimes we get: Detail: No valid IP addresses found for myproxy1.ccs.ornl.gov. And every once in a while it will actually work, against staging only (using the command above).

myproxy.ccs.ornl.gov is a CNAME to myproxy1.ccs.ornl.gov (the actual web server). We are trying to issue a cert with cn=myproxy.ccs.ornl.gov with myproxy1.ccs.ornl.gov as a DNS alternate name. Again, prior to the April time frame this worked.

Today I discovered that, if I leave off 'myproxy1.ccs.ornl.gov', I am able to issue a cert (staging and prod) for just 'myproxy.ccs.ornl.gov'. However, I am unable to issue a cert for only 'myproxy1.ccs.ornl.gov' or for both in one cert, no matter the order.

Errors have been very inconsistent. Any help is appreciated.

1 Like

The site unboundtest.com has some errors (timeouts) in its results: https://unboundtest.com/m/A/myproxy.ccs.ornl.gov/BN7BGJVH

However, the log messages are quite technical and, as I'm not an Unbound (the DNS resolver used by Let's Encrypt, by the way) expert, I don't know how to interpret them.

A possibly interesting thread I found: "How to reproduce CAA SERVFAIL? Works for me, doesn't for LE staging or prod". Seems to be a matter of 0x20 (capitalization) randomization not going correctly.

1 Like

Hi @stargelcm

Checking your domain, some of your name servers are flaky - see https://check-your-website.server-daten.de/?q=myproxy1.ccs.ornl.gov

Most are good, but two IPv6 addresses are fatal.

No TCP-support (authoritative name servers must support TCP):

X Fatal error: Nameserver doesn’t support TCP connection: ns0.ornl.gov / 2620:0:2b30:304::96: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns0-alt.ornl.gov / 2620:0:2b30:304::32: Timeout

And critical:

X Nameserver Timeout checking Echo Capitalization: ns0.ornl.gov / 2620:0:2b30:304::96
X Nameserver Timeout checking Echo Capitalization: ns0-alt.ornl.gov / 2620:0:2b30:304::32
X Nameserver Timeout checking EDNS512: ns0.ornl.gov / 2620:0:2b30:304::96
X Nameserver Timeout checking EDNS512: ns0-alt.ornl.gov / 2620:0:2b30:304::32

A non-working Echo Capitalization check is fatal; that's the DNS 0x20 problem.

Ah - I see: rechecked with Unbound, first a SERVFAIL, now

https://unboundtest.com/m/CAA/myproxy1.ccs.ornl.gov/GBTNEDJJ

it works; some seconds later, the next SERVFAIL.

https://unboundtest.com/m/CAA/myproxy1.ccs.ornl.gov/PL3N7TUF

Check why these two IPv6 addresses are so bad.

1 Like
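The two replies above point at the same failure class: a resolver such as Unbound randomizes the case of the letters in the query name (the "0x20" trick) and also expects the authoritative server to answer over TCP and with EDNS, and when the echoed question name comes back with different case, or the server times out, the lookup degrades to SERVFAIL. The script below is an added example, not code from this thread or from Let's Encrypt; it builds a 0x20-randomized CAA/A query by hand, sends it over UDP or TCP to one name server address, and reports whether the echoed question name matches byte for byte. `probe()` needs network access; `check_echo()` and `fake_response()` work on constructed packets so the logic can be exercised offline. The server address and name on the usage line are the ones from the thread, used only as an illustration.

```python
"""DNS 0x20 / TCP probe for an authoritative name server.

Added example, not code from the thread. Unbound (the resolver Let's Encrypt
uses) randomizes the case of each letter in the query name and expects the
authoritative server to echo the question name byte-for-byte; a server that
lowercases it, or that never answers (e.g. over TCP or with EDNS), makes the
lookup fail and surfaces as SERVFAIL. probe() needs network access;
check_echo() and fake_response() run offline on constructed packets."""
import random
import socket
import struct

QTYPE_A, QTYPE_CAA = 1, 257


def randomize_case(name, rng=None):
    """Apply 0x20 case randomization to every ASCII letter of a name."""
    rng = rng or random.Random()
    return "".join(ch.upper() if ch.isalpha() and rng.random() < 0.5 else ch.lower()
                   for ch in name)


def encode_name(name):
    """Dotted name -> wire format (length-prefixed labels), case preserved."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, offset):
    """Wire-format name at offset -> (name, offset after it). The question
    section of a reply is never compressed, so pointers are not handled."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype, txid, edns_udp_size=512):
    """Header (RD set, 1 question, 1 additional) + question + EDNS0 OPT record
    advertising edns_udp_size, mirroring the check-your-website EDNS512 test."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)  # root name, TYPE=OPT
    return header + question + opt


def check_echo(query, response):
    """Compare the question we sent with the one the server echoed back."""
    qid = struct.unpack("!H", query[:2])[0]
    rid, rflags, qdcount = struct.unpack("!HHH", response[:6])
    sent, _ = decode_name(query, 12)
    got = decode_name(response, 12)[0] if qdcount else ""
    return {"id_ok": qid == rid, "rcode": rflags & 0x0F, "echoed": got,
            "case_ok": got == sent,               # what Unbound's 0x20 check needs
            "insensitive_ok": got.lower() == sent.lower()}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def probe(server, name, qtype=QTYPE_A, tcp=False, timeout=5.0, rng=None):
    """Send a 0x20-randomized query to server (IPv4 or IPv6 literal) over UDP
    or TCP and return check_echo() of the reply, or None on timeout.
    Authoritative servers must answer over TCP too: resolvers retry there
    when a UDP reply is truncated."""
    rng = rng or random.Random()
    query = build_query(randomize_case(name, rng), qtype, rng.randrange(0x10000))
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((server, 53))
        if tcp:
            sock.sendall(struct.pack("!H", len(query)) + query)
            response = _recv_exact(sock, struct.unpack("!H", _recv_exact(sock, 2))[0])
        else:
            sock.send(query)
            response = sock.recv(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return check_echo(query, response)


def fake_response(query, preserve_case):
    """Constructed reply for offline testing: QR set, NOERROR, question echoed
    verbatim (preserve_case=True) or lowercased (a server that breaks 0x20)."""
    txid = struct.unpack("!H", query[:2])[0]
    name, end = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return (header + encode_name(name if preserve_case else name.lower())
            + struct.pack("!HH", qtype, qclass))


if __name__ == "__main__":  # e.g. python dns0x20.py 2620:0:2b30:304::96 myproxy1.ccs.ornl.gov tcp
    import sys
    print(probe(sys.argv[1], sys.argv[2], QTYPE_CAA, tcp=len(sys.argv) > 3))
```

Run it once over UDP and once with the `tcp` argument against each address listed for the zone, IPv6 included; a `None` over TCP reproduces the "doesn't support TCP connection" finding, and `case_ok: False` with `insensitive_ok: True` is the echo-capitalization failure. The same two checks with standard tooling are `dig @<server> <name> CAA +tcp` and comparing the question section of `dig @<server> MyPrOxY1.ccs.ORNL.gov CAA` with what was sent.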
