AutoSSL renews subdomains but not TLD

When I run AutoSSL from cPanel on my GoDaddy VPS, the Top Level Domain (afaiththatobeys.org) will not pass but all sub-domains under that TLD do pass. Every other domain (15 or so) on the same server has no issues.

I have removed the domain from the server and re-created it. I have removed the Let's Encrypt certificate from the server and received a new one and this does not solve the problem.

My domain is: afaiththatobeys.org

I ran this command: Run AutoSSL from cPanel

It produced this output: Only on TLD...all subdomains are fine:
MASTER DCV: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up A for afaiththatobeys.org; DNS problem: query timed out looking up AAAA for afaiththatobeys.org) 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up TXT for _acme-challenge.afaiththatobeys.org)

My web server is (include version): GoDaddy VPS, cPanel 120.0.14

The operating system my web server runs on is (include version): AlmaLinux v9.4.0 STANDARD kvm

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, cPanel 120.0.14

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not using certbot.

1 Like

Welcome @Accularian

I'll start with a terminology issue. The "TLD" for your domain is "org". The name afaiththatobeys.org is your registered name. People use other names for that such as base name, root name, or just domain name. But it is not a tld.

As for the actual problem, it may be related to your DNS configuration. There are a number of configuration problems shown by dnsviz. The first time I tried to query your registered name the query failed with SERVFAIL. The unboundtest site also has problems resolving that name.

If you don't manage the DNS you should consult with the admin for that.

https://dnsviz.net/d/afaiththatobeys.org/dnssec/

https://unboundtest.com/m/A/afaiththatobeys.org/RJJZZQ6Z

6 Likes

Mike,
Thanks so much for the education. I manage the server. It looks like the next step is to find someone who understands DNS. All the support at GoDaddy have (multiple times) told me my DNS is fine so I will need to continue searching. BTW, this is the only domain from about 30 on the server that has the issue and all the domains are set up the same way over at Hover... they all point to NS1 and NS2.machelpglobal.org.
Thanks for the super fast response.

4 Likes

To try to rephrase the DNS problem, those servers don't seem to know where they are.

If I ask the .org nameserver who hosts afaiththatobeys.org, I get told that both ns1 and ns2 resolve to 107.180.75.18

$ dig +norecurse afaiththatobeys.org. @a2.org.afilias-nst.info.

; <<>> DiG 9.16.48-RH <<>> +norecurse afaiththatobeys.org. @a2.org.afilias-nst.info.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8993
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;afaiththatobeys.org.           IN      A

;; AUTHORITY SECTION:
afaiththatobeys.org.    3600    IN      NS      ns1.machelpglobal.org.
afaiththatobeys.org.    3600    IN      NS      ns2.machelpglobal.org.

;; ADDITIONAL SECTION:
ns1.machelpglobal.org.  3600    IN      A       107.180.75.18
ns2.machelpglobal.org.  3600    IN      A       107.180.75.18

;; Query time: 0 msec
;; SERVER: 199.249.112.1#53(199.249.112.1)
;; WHEN: Fri Jul 12 19:57:06 UTC 2024
;; MSG SIZE  rcvd: 130

But if you query that IP, it takes a long time and doesn't work.

$ dig +norecurse afaiththatobeys.org. @107.180.75.18

; <<>> DiG 9.16.48-RH <<>> +norecurse afaiththatobeys.org. @107.180.75.18
;; global options: +cmd
;; connection timed out; no servers could be reached

However, if I ask the .org nameserver where it thinks that ns1.machelpglobal.org should point, it says that the name is hosted by hover.com

$ dig +norecurse ns1.machelpglobal.org. @a2.org.afilias-nst.info.

; <<>> DiG 9.16.48-RH <<>> +norecurse ns1.machelpglobal.org. @a2.org.afilias-nst.info.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9713
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns1.machelpglobal.org.         IN      A

;; AUTHORITY SECTION:
machelpglobal.org.      3600    IN      NS      ns1.hover.com.
machelpglobal.org.      3600    IN      NS      ns2.hover.com.

;; Query time: 0 msec
;; SERVER: 199.249.112.1#53(199.249.112.1)
;; WHEN: Fri Jul 12 20:00:56 UTC 2024
;; MSG SIZE  rcvd: 95

And those servers think that ns1.machelpglobal.org. is at 208.109.38.209 instead.

$ dig +norecurse ns1.machelpglobal.org. @ns1.hover.com.

; <<>> DiG 9.16.48-RH <<>> +norecurse ns1.machelpglobal.org. @ns1.hover.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58063
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns1.machelpglobal.org.         IN      A

;; ANSWER SECTION:
ns1.machelpglobal.org.  900     IN      A       208.109.38.209

;; Query time: 20 msec
;; SERVER: 216.40.47.26#53(216.40.47.26)
;; WHEN: Fri Jul 12 20:02:34 UTC 2024
;; MSG SIZE  rcvd: 66

I think the upshot of all that is that the glue records that .org has for ns1/ns2.machelpglobal.org are wrong.

Are the other domains, by any chance, on some other TLD than .org?

5 Likes

The dnsviz test I linked to said the same. Great explanation by the way :slight_smile:

5 Likes

Guys, thanks so much and so fast! 107.180.75.18 is a really old server IP address. So I am guessing I have something misconfigured at Hover. I will carefully look at all that. Now this brings up a couple more questions if I may.

  1. Should I set up Glue Records at Hover or on my server? Do I need them at all?
  2. Should I have separate IPs for my Name Servers which are hosted on this server or is that not super critical?

I will dive into Hover and report back what I find.

Thanks.

4 Likes

Eureka! A long time ago I set up Glue records at Hover for the Name Servers. When I moved to the new server with the new IP, I updated that at Hover but missed the Glue Records. I have updated the Glue Records with the correct IP. Awesome help.... let's stand back and watch what happens.

4 Likes

:rofl: :popcorn:

I'm lost!

:computer: :flashlight:

4 Likes

Thanks. DNSViz has a lot of info, and can be hard for even experienced people to make sense of sometimes (easier than Unboundtest, perhaps, but that isn't saying much). Walking through what each server says with dig is what I needed to do in order to figure out myself exactly where the problem was.

Well, that would do it. :slight_smile:

I think you need the glue records for .org, so that anyone querying the .org name for your nameserver name knows where it is.

I'm not sure I'm following the question exactly, but in general it's best to have multiple IPs for DNS, yes, but if they're IPs that all go to the same server that doesn't really help much. Ideally, they'd be on different ISPs but not everyone needs that level of redundancy. Most people use a hosted DNS solution (I suppose called "the cloud" nowadays though it's an old concept) rather than running their own DNS server, which is generally inexpensive and offers the redundancy and simplicity of not needing to manage one more piece of software. Though I certainly understand some people have very good reasons for running their own.

5 Likes

This is awesome. You guys gave me the hints I needed. The certificate passed and is installed. This has been dogging me for three months... I am so grateful.

6 Likes

Glad you got it resolved! :partying_face:

I marked @petercooperjr's response as the solution.

3 Likes

You only need glue records if the nameservers are in the very domain the NS records are pointing to (cyclic dependency), e.g.
example.com NS ns1.example.com would need a glue record, but:
example.com NS ns2.example.net doesn't need glue records.

4 Likes
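The two checks discussed in this thread (petercooperjr's walk through the delegation chain that exposed stale glue at .org, and the in-bailiwick rule for when glue is needed at all) can be expressed as a small offline checker. The code below is an added example, not something posted in the thread or shipped by cPanel, Hover or Let's Encrypt. It assumes the parent-glue and authoritative answers have already been gathered with `dig` queries like the ones above; the record values are taken from the dig output in this thread, except that ns2.machelpglobal.org's authoritative address is assumed to match ns1's (the thread only queried ns1).

```python
"""Delegation/glue consistency checker over constructed DNS data.

Added example for this thread, not part of the original posts. The helper
names (needs_glue, Delegation, check_delegation) are assumptions of this
example, not a real library API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def _norm(name: str) -> str:
    """Canonicalise a DNS name: drop the trailing dot, lowercase."""
    return name.rstrip(".").lower()


def needs_glue(zone: str, ns_name: str) -> bool:
    """True when ns_name lies inside zone (in-bailiwick), e.g. example.com
    delegated to ns1.example.com. Without glue at the parent, resolving the
    nameserver would require asking the nameserver itself (cyclic dependency).
    A nameserver in another zone (ns2.example.net) does not need glue."""
    z, n = _norm(zone), _norm(ns_name)
    return n == z or n.endswith("." + z)


@dataclass
class Delegation:
    zone: str                      # the delegated child zone
    ns_names: List[str]            # NS records the parent returns for it
    # A/AAAA addresses the parent hands out as glue (ADDITIONAL section)
    parent_glue: Dict[str, Set[str]] = field(default_factory=dict)
    # addresses the nameserver's own authoritative zone says are correct
    authoritative: Dict[str, Set[str]] = field(default_factory=dict)


Finding = Tuple[str, str, str]  # (nameserver, kind, detail)


def check_delegation(d: Delegation) -> List[Finding]:
    """Compare parent glue against authoritative data and flag:
    missing-glue  in-bailiwick nameserver with no glue at the parent
    stale-glue    parent glue disagrees with the authoritative answer
    single-ip     every nameserver resolves to one address (no redundancy)"""
    findings: List[Finding] = []
    all_ips: Set[str] = set()
    for ns in d.ns_names:
        glue = d.parent_glue.get(ns, set())
        auth = d.authoritative.get(ns, set())
        if needs_glue(d.zone, ns) and not glue:
            findings.append((ns, "missing-glue",
                             "in-bailiwick nameserver has no glue at the parent"))
        if glue and auth and glue != auth:
            findings.append((ns, "stale-glue",
                             f"parent glue {sorted(glue)} != authoritative {sorted(auth)}"))
        # prefer the authoritative view; fall back to glue if that is all we have
        all_ips |= auth or glue
    if len(d.ns_names) > 1 and len(all_ips) == 1:
        findings.append(("*", "single-ip",
                         f"all nameservers resolve to {next(iter(all_ips))}"))
    return findings


# Constructed from the dig output in the thread: .org hands out glue pointing
# at the old server, while Hover's authoritative zone gives the new address.
OLD_IP, NEW_IP = "107.180.75.18", "208.109.38.209"
NS = ["ns1.machelpglobal.org", "ns2.machelpglobal.org"]

SAMPLE_BEFORE_FIX = Delegation(
    zone="afaiththatobeys.org",
    ns_names=NS,
    parent_glue={n: {OLD_IP} for n in NS},
    authoritative={n: {NEW_IP} for n in NS},   # ns2 value assumed, see lead-in
)

# Same delegation after the glue at the registrar was updated.
SAMPLE_AFTER_FIX = Delegation(
    zone="afaiththatobeys.org",
    ns_names=NS,
    parent_glue={n: {NEW_IP} for n in NS},
    authoritative={n: {NEW_IP} for n in NS},
)

# The zone that actually requires glue: machelpglobal.org delegated to
# nameservers inside itself, with (hypothetically) no glue published.
SAMPLE_IN_BAILIWICK = Delegation(
    zone="machelpglobal.org",
    ns_names=NS,
    parent_glue={},
    authoritative={n: {NEW_IP} for n in NS},
)


if __name__ == "__main__":
    for label, d in [("before fix", SAMPLE_BEFORE_FIX),
                     ("after fix", SAMPLE_AFTER_FIX),
                     ("in-bailiwick, no glue", SAMPLE_IN_BAILIWICK)]:
        print(f"== {label} ==")
        for ns, kind, detail in check_delegation(d):
            print(f"  {kind:13} {ns:24} {detail}")
```

Note that `single-ip` is reported even after the fix: both nameservers still resolve to one host, which matches the point made above that two names on the same server add no real redundancy. The check is purely a data comparison, so it can be run against output captured from any resolver without network access.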
