Attempting to delete existing SSL certificate from DNS

My domain is https://financial-futures.com. My hosting provider is Amazon Web Services, via Route 53 and a WordPress instance through Lightsail. I set up the original instance incorrectly, so I had to make a new one based off an earlier instance. Using the Lightsail terminal window that uses Bitnami on that instance, I received an SSL certificate. However, on the new instance, I am trying to complete this task window:


I am unable to get past the SSL/TLS certificate step because I suspect it already detects that I have the certificate. What is the best way to delete this certificate?

Hi @Shaggy, welcome to the community...
So you are attempting to delete an existing SSL cert from DNS?
According to crt.sh you have a certificate valid until August?

But I am not seeing your site at all.

A records for financial-futures.com: All nameservers failed to answer the query financial-futures.com. IN A: Server Do53:127.0.0.53@53 answered SERVFAIL
SOA records for financial-futures.com: All nameservers failed to answer the query financial-futures.com. IN SOA: Server Do53:127.0.0.53@53 answered SERVFAIL
rip:T430 ~ >>  nslookup financial-futures.com
Server:         127.0.0.53
Address:        127.0.0.53#53
** server can't find financial-futures.com: SERVFAIL
rip:T430 ~ >>  host financial-futures.com
Host financial-futures.com not found: 2(SERVFAIL)

EG:
ping financial-futures.com
ping: financial-futures.com: Temporary failure in name resolution

So there are some serious issues here.
I fear someone may have deleted or disabled the wrong DNS records for the site.
From where I sit the website doesn't exist from a browser's point of view.
I can't see it, but I know it is/was there only because of the certificate transparency logs.
What gives here?
More information required.
Thanks
Rip

2 Likes

Hello @, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results
https://letsdebug.net/financial-futures.com/2002284

DNS response for financial-futures.com had fatal DNSSEC issues: validation failure <financial-futures.com. SOA IN>: No DNSKEY record from 2600:9000:5303:ce00::1 for key financial-futures.com. while building chain of trust

Checking for the CAA https://unboundtest.com/m/CAA/financial-futures.com/KCWFPHZN gives SERVFAIL

Query results for CAA financial-futures.com

Response:
;; opcode: QUERY, status: SERVFAIL, id: 44879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512
; EDE: 9 (DNSKEY Missing): (validation failure <financial-futures.com. CAA IN>: No DNSKEY record from 2600:9000:5304:5700::1 for key financial-futures.com. while building chain of trust)

;; QUESTION SECTION:
;financial-futures.com.	IN	 CAA

----- Unbound logs -----
Jun 04 01:33:31 unbound1.19[2310559:0] debug: creating udp6 socket ::1 1053

financial-futures.com | DNSViz has several DNSSEC Errors

Edit:
And from around the world several "Not found" Results here Permanent link to this check report

Edit
And here too Zonemaster
Hardenize Report: financial-futures.com

2 Likes
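The replies above show the same symptom from three angles: a plain `SERVFAIL` from a validating stub resolver, and an `EDE: 9 (DNSKEY Missing)` from unboundtest. The Extended DNS Error option is what tells the two cases apart: a SERVFAIL carrying a DNSSEC-class EDE code means the resolver found the name but refused to trust the answer (a DS record at the parent with no matching DNSKEY in the zone), which is a different failure from a name that does not exist. The decoder below is an added example, not code from the thread or from any of the tools linked in it; it hand-assembles a response mirroring the quoted unboundtest output (a constructed byte string, not a live capture), parses the OPT pseudosection per RFC 6891/8914, and classifies the result. `build_query` also shows the two header bits a practitioner toggles when chasing this: DO (ask for DNSSEC data) and CD (ask the resolver to skip validation so the bogus data comes back instead of SERVFAIL). The function names and the `diagnose` labels are this example's own choices.

```python
"""Decode DNS responses and tell a DNSSEC validation failure apart from a missing name.

Added example: the SERVFAIL answer in sample_servfail_ede9() is constructed by hand
to mirror the unboundtest output quoted in the thread; it is not a live capture.
"""
import struct

TYPE_OPT = 41
QTYPE = {"A": 1, "SOA": 6, "DS": 43, "DNSKEY": 48, "CAA": 257}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
EDE_OPTION_CODE = 15
# RFC 8914 info-codes that point at the DNSSEC chain of trust rather than at the zone data.
EDE_DNSSEC = {6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
              9: "DNSKEY Missing", 10: "RRSIGs Missing", 11: "No Zone Key Bit Set",
              12: "NSEC Missing"}


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = wire[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(wire[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name, qtype, qid, do=True, cd=False):
    """Wire-format query with an OPT record. do=True sets the DO bit (send DNSSEC
    records); cd=True sets Checking Disabled, so a validating resolver hands back
    the data it would otherwise reject with SERVFAIL."""
    flags = 0x0100 | (0x0010 if cd else 0)         # RD, plus CD when requested
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/DO
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000 if do else 0, 0)
    return header + question + opt


def parse_response(wire):
    """Return id, rcode, AD/DO flags, answer count and every EDE option found."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off, rcode, edes, do = 12, flags & 0xF, [], False
    for _ in range(qd):
        _, off = decode_name(wire, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = decode_name(wire, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            rcode |= (ttl >> 24) << 4              # upper 8 bits of the extended RCODE
            do = bool(ttl & 0x8000)
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                body = rdata[p + 4:p + 4 + olen]
                if code == EDE_OPTION_CODE:        # INFO-CODE (2 bytes) + EXTRA-TEXT
                    info = struct.unpack("!H", body[:2])[0]
                    edes.append((info, body[2:].decode("utf-8", "replace")))
                p += 4 + olen
    return {"id": qid, "rcode": RCODE.get(rcode, str(rcode)),
            "ad": bool(flags & 0x0020), "answers": an, "do": do, "ede": edes}


def diagnose(resp):
    """Classify a resolver's answer. Labels are this example's own."""
    if resp["rcode"] == "SERVFAIL" and any(c in EDE_DNSSEC for c, _ in resp["ede"]):
        return "dnssec-bogus"   # name exists; DS at parent but the chain of trust is broken
    if resp["rcode"] == "SERVFAIL":
        return "servfail"       # unreachable/lame nameservers or an unexplained failure
    if resp["rcode"] == "NXDOMAIN":
        return "nxdomain"       # the parent zone says the name does not exist
    return "ok"


def sample_servfail_ede9():
    """Constructed response mirroring the unboundtest CAA query quoted in the thread."""
    text = ("validation failure <financial-futures.com. CAA IN>: No DNSKEY record "
            "from 2600:9000:5304:5700::1 for key financial-futures.com. "
            "while building chain of trust").encode()
    ede = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), 9) + text
    header = struct.pack("!HHHHHH", 44879, 0x8180 | 2, 1, 0, 0, 1)   # qr rd ra, SERVFAIL
    question = encode_name("financial-futures.com") + struct.pack("!HH", QTYPE["CAA"], 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 512, 0x8000, len(ede)) + ede
    return header + question + opt


if __name__ == "__main__":
    r = parse_response(sample_servfail_ede9())
    print(r["rcode"], r["ede"], "->", diagnose(r))
```

To use it against a real resolver, send `build_query(name, "A", qid)` over UDP to port 53 and feed the reply to `parse_response`; a `dnssec-bogus` result with the DO-bit query and a normal answer with `cd=True` is the signature of exactly the problem this thread describes, and the fix is on the zone side (publish the DNSKEY the parent's DS points at, or remove the DS), not on the certificate side.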

It's like the site vanished! In to thin air? That's the internet right?

2 Likes

Yet ICANN presently shows

2 Likes

The "updated" field says it all.. (adjusting for UTC)
not trying to be overly critical here

2 Likes

@Shaggy As noted, your DNSSEC configuration in your DNS is broken. You should disable that. Once you get your site working better you can try re-enabling it when you understand that option better.

Do you remember how you initially got your cert? Was that with the bncert tool? Because some older AWS docs say to use Certbot in manual mode, which is not recommended. Below are the better AWS docs for Lightsail and WordPress.

But, as noted, you must fix your DNS first. One way to test is with the https://unboundtest.com/ site: make sure you can look up an "A" record for your domain name. Currently that gives a SERVFAIL.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.