Bitnami - bncert-tool - No Valid A record or AAAA record

I have already verified my A record is in place, and nothing has changed that I'm aware of with the A record: dealeralchemist.com A (public IP of the Lightsail instance)

My domain is: dealeralchemist.com

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output:

An error occurred renewing certificates with Let's Encrypt:

2024/04/29 17:14:45 [INFO] [dealeralchemist.com] acme: Trying renewal with -22 hours remaining
2024/04/29 17:14:45 [INFO] [dealeralchemist.com, www.dealeralchemist.com] acme: Obtaining bundled SAN certificate
2024/04/29 17:14:46 [INFO] [dealeralchemist.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/343414672437
2024/04/29 17:14:46 [INFO] [www.dealeralchemist.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/344598300547
2024/04/29 17:14:46 [INFO] [dealeralchemist.com] acme: authorization already valid; skipping challenge
2024/04/29 17:14:46 [INFO] [www.dealeralchemist.com] acme: use tls-alpn-01 solver
2024/04/29 17:14:46 [INFO] [www.dealeralchemist.com] acme: Trying to solve TLS-ALPN-01
2024/04/29 17:14:53 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/343414672437
2024/04/29 17:14:53 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/344598300547
2024/04/29 17:14:53 error: one or more domains had a problem:
Press [Enter] to continue:
[www.dealeralchemist.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: no valid A records found for www.dealeralchemist.com; no valid AAAA records found for www.dealeralchemist.com

My web server is (include version): Apache/2.4.57 (Unix)

The operating system my web server runs on is (include version): SMP Debian 5.10.209-2

My hosting provider, if applicable, is: AWS LightSail - Route53

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Bitnami HTTPS Configuration Tool 2.0.0 --- Built on 2024-03-06 11:06:57 IB: 23.1.0-202301121337
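The error at the end of that output is the CA reporting the result of its own DNS lookup: the apex name resolved, but www.dealeralchemist.com returned neither A nor AAAA records. The replies below then go on to check whether ports 80 and 443 are reachable from the outside. The following Python script is an added example, not part of this thread and not bncert-tool, lego or Let's Debug code; it performs those same pre-flight checks locally before an ACME run: it pulls the failed identifiers out of a lego-style error log, resolves every SAN, compares the answers with the expected server IP, and probes the two validation ports. The resolver and the port probe are injectable, so the demo at the bottom runs offline against DNS answers and a port state constructed from the values quoted in this post.

```python
"""Pre-flight checks before an ACME run: parse ACME error lines, resolve every
SAN and probe the validation ports. Added example; not bncert-tool code."""
import re
import socket

# Matches lego-style error lines such as the one at the end of the post:
# "[www.example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: no valid A records ..."
ACME_ERROR = re.compile(
    r"\[(?P<name>[^\]]+)\] acme: error: (?P<status>\d+) :: "
    r"(?P<type>urn:ietf:params:acme:error:\w+) :: (?P<detail>.+)"
)

# Which challenge a closed port breaks (HTTP-01 validates on 80, TLS-ALPN-01 on 443).
CHALLENGE_FOR_PORT = {80: "HTTP-01", 443: "TLS-ALPN-01"}


def parse_acme_errors(log_text):
    """Return one dict per failed identifier found in an ACME client log."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := ACME_ERROR.search(line))]


def system_resolver(name):
    """(A records, AAAA records) for name via the local stub resolver.
    getaddrinfo follows CNAMEs, as the CA's resolver does."""
    a, aaaa = set(), set()
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(name, None):
            if family == socket.AF_INET:
                a.add(sockaddr[0])
            elif family == socket.AF_INET6:
                aaaa.add(sockaddr[0])
    except socket.gaierror:
        pass  # NXDOMAIN or no address records: both sets stay empty
    return a, aaaa


def tcp_probe(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port completes (what nmap reports as 'open')."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(names, expected_ip, resolver=system_resolver, probe=tcp_probe,
              ports=(80, 443)):
    """Return a list of human-readable findings; an empty list means every
    name resolves to the server and both validation ports answer."""
    findings = []
    for name in names:
        a, aaaa = resolver(name)
        if not a and not aaaa:
            findings.append(f"{name}: no A or AAAA record "
                            "(the CA reports this as urn:ietf:params:acme:error:dns)")
            continue
        if a and expected_ip not in a:
            findings.append(f"{name}: A records {sorted(a)} do not include "
                            f"the server IP {expected_ip}")
        if aaaa:
            findings.append(f"{name}: AAAA records {sorted(aaaa)} exist; the CA "
                            "prefers IPv6 when present, so they must serve the challenge too")
        for ip in sorted(a | aaaa):
            for port in ports:
                if not probe(ip, port):
                    findings.append(f"{name}: {ip}:{port} closed, "
                                    f"{CHALLENGE_FOR_PORT.get(port, 'validation')} would fail")
    return findings


# Constructed sample data modelled on the post: the apex resolves, www does not,
# and port 443 is closed (as in the first nmap result later in the thread).
SAMPLE_LOG = (
    "2024/04/29 17:14:53 error: one or more domains had a problem:\n"
    "[www.dealeralchemist.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: "
    "no valid A records found for www.dealeralchemist.com; "
    "no valid AAAA records found for www.dealeralchemist.com\n"
)
SAMPLE_DNS = {
    "dealeralchemist.com": ({"34.225.148.3"}, set()),
    "www.dealeralchemist.com": (set(), set()),
}


def demo():
    """Run the checks offline against the constructed answers above."""
    fake_resolver = lambda name: SAMPLE_DNS.get(name, (set(), set()))
    fake_probe = lambda ip, port: port == 80      # 443 closed
    names = ["dealeralchemist.com", "www.dealeralchemist.com"]
    return parse_acme_errors(SAMPLE_LOG), preflight(names, "34.225.148.3",
                                                    fake_resolver, fake_probe)


if __name__ == "__main__":
    errors, findings = demo()
    for e in errors:
        print(f"CA rejected {e['name']}: {e['type']} ({e['detail']})")
    for f in findings:
        print("pre-flight:", f)
```

To use it against a live host, call `preflight([...names...], "<server ip>")` with the defaults; the local resolver then answers the lookups and the TCP probes hit the real ports. A clean result does not guarantee issuance (the CA resolves from its own vantage points and validates from several networks), but a finding here explains the `urn:ietf:params:acme:error:dns` or connection errors before the client is run.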

Hello @lexleach, welcome to the Let's Encrypt community. :slightly_smiling_face:

https://letsdebug.net/dealeralchemist.com/1913108 reports Port 80 is not accessible.

I get the same with nmap.

$ nmap -Pn -p80,443 dealeralchemist.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-29 10:56 PDT
Nmap scan report for dealeralchemist.com (34.225.148.3)
Host is up (0.081s latency).
rDNS record for 34.225.148.3: ec2-34-225-148-3.compute-1.amazonaws.com

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

I do see a DNS A Record here https://unboundtest.com/m/A/dealeralchemist.com/QJFSRUOG

Query results for A dealeralchemist.com

Response:
;; opcode: QUERY, status: NOERROR, id: 47606
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;dealeralchemist.com.	IN	 A

;; ANSWER SECTION:
dealeralchemist.com.	0	IN	A	34.225.148.3

----- Unbound logs -----
Apr 29 17:54:52 unbound1.19[1917945:0] debug: creating udp6 socket ::1 1053
Apr 29 17:54:52 unbound1.19[1917945:0] debug: creating tcp6 socket ::1 1053
Apr 29 17:54:52 unbound1.19[1917945:0] debug: creating udp4 socket 127.0.0.1 1053
Apr 29 17:54:52 unbound1.19[1917945:0] debug: creating tcp4 socket 127.0.0.1 1053
Apr 29 17:54:52 unbound1.19[1917945:0] debug: chdir to .
Apr 29 17:54:52 unbound1.19[1917945:0] debug: switching log to stderr
2 Likes

Sorry; here is what Let's Debug shows with TLS-ALPN-01 (basically the same).
https://letsdebug.net/dealeralchemist.com/1913122?debug=y

IssueFromLetsEncrypt
ERROR
A test authorization for dealeralchemist.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
34.225.148.3: Error getting validation data
2 Likes

Why TLS-ALPN-01 instead of HTTP-01?

OK; port 80 is now open.

$ nmap -Pn -p80,443 dealeralchemist.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-29 11:06 PDT
Nmap scan report for dealeralchemist.com (34.225.148.3)
Host is up (0.082s latency).
rDNS record for 34.225.148.3: ec2-34-225-148-3.compute-1.amazonaws.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

But TLS-ALPN-01 is still getting an issue https://letsdebug.net/dealeralchemist.com/1913138?debug=y

IssueFromLetsEncrypt
ERROR
A test authorization for dealeralchemist.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
34.225.148.3: Error getting validation data

I do not have much experience with TLS-ALPN-01 of the Challenge Types - Let's Encrypt.
Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

2 Likes
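The "Error getting validation data" in those Let's Debug reports is the CA side of a TLS-ALPN-01 check (RFC 8737): the validator opens a TLS connection to port 443 with SNI set to the name under validation and ALPN offering only `acme-tls/1`; the server must select that protocol and answer with a self-signed certificate whose acmeIdentifier extension carries the SHA-256 digest of the key authorization. The script below is an added example, not from this thread, from Bitnami or from Let's Debug; it reproduces the handshake part of that check (does the server negotiate `acme-tls/1` for the name at all?) and computes the digest a solver must embed. The handshake function is injectable, so the demo runs offline against three constructed server behaviours (connection refused, ordinary HTTPS, a working solver); the IP and name are the ones quoted in this thread.

```python
"""Probe the TLS-ALPN-01 handshake (RFC 8737) the way the CA would.
Added example; not bncert-tool, Let's Debug or Let's Encrypt code."""
import hashlib
import socket
import ssl

ACME_TLS_PROTO = "acme-tls/1"


def key_authorization_digest(token, thumbprint):
    """SHA-256 of the key authorization (token.thumbprint). RFC 8737 puts this
    value in the acmeIdentifier extension of the validation certificate."""
    return hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()


def tls_handshake(name, ip, port=443, timeout=5.0):
    """Handshake to ip:port with SNI=name and ALPN acme-tls/1, mirroring the CA.
    Returns (selected ALPN protocol or None, peer certificate as DER bytes)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # the validation cert is self-signed
    ctx.verify_mode = ssl.CERT_NONE      # and is not meant to chain anywhere
    ctx.set_alpn_protocols([ACME_TLS_PROTO])
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            return tls.selected_alpn_protocol(), tls.getpeercert(binary_form=True)


def probe_tls_alpn(name, ip, handshake=tls_handshake):
    """Classify what the CA would see for name at ip. Returns (ok, reason)."""
    try:
        proto, der = handshake(name, ip)
    except (OSError, ssl.SSLError) as exc:
        # Refused / timeout / handshake failure: port 443 closed, a firewall,
        # or a listener that does not speak TLS.
        return False, f"no TLS handshake with {ip}:443 for {name}: {exc}"
    if proto != ACME_TLS_PROTO:
        # The web server answered with its ordinary site configuration; no
        # ACME solver is attached to this SNI, so the CA has nothing to validate.
        return False, f"{name}: server selected ALPN {proto!r}, not {ACME_TLS_PROTO}"
    if not der:
        return False, f"{name}: acme-tls/1 negotiated but no certificate returned"
    return True, f"{name}: acme-tls/1 negotiated, {len(der)}-byte validation certificate returned"


# Constructed stand-ins for a real server, one per outcome the CA can see.
def _refused(name, ip):
    raise ConnectionRefusedError(f"[Errno 111] {ip}:443 refused")


def _plain_https(name, ip):
    return None, b"\x30\x82\x01\x00"   # ordinary site certificate, ALPN not selected


def _acme_solver(name, ip):
    return ACME_TLS_PROTO, b"\x30\x82\x02\x00"


def demo():
    """Run the probe offline against the three constructed behaviours."""
    ip, name = "34.225.148.3", "www.dealeralchemist.com"
    return [probe_tls_alpn(name, ip, h) for h in (_refused, _plain_https, _acme_solver)]


if __name__ == "__main__":
    for ok, reason in demo():
        print("PASS" if ok else "FAIL", reason)
```

Against a live host, `probe_tls_alpn("www.example.com", "<server ip>")` uses the real handshake. A result of "selected ALPN None" with an ordinary certificate is the usual picture when ports are open but the solver is not wired into the web server for that name, which is distinct from the closed-port case the nmap runs in this thread show; the full check would additionally parse the returned DER and compare its acmeIdentifier extension with `key_authorization_digest(token, thumbprint)`.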

I'm not sure why it's using TLS-ALPN-01. I don't recall telling it to, and I'm not sure how to change that.

1 Like

Here is a list of issued certificates crt.sh | dealeralchemist.com, the latest being 2024-04-29.
Did you solve your issue?

2 Likes

@lexleach I presently see both Ports 80 & 443 are closed;
of the Challenge Types - Let's Encrypt only the DNS-01 challenge
has a possibility of success under that condition.

$ nmap -Pn -p80,443 dealeralchemist.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-29 11:37 PDT
Nmap scan report for dealeralchemist.com (34.225.148.3)
Host is up (0.080s latency).
rDNS record for 34.225.148.3: ec2-34-225-148-3.compute-1.amazonaws.com

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
1 Like

I don't know how to make the bncert-tool use another method. Currently I can see both ports open, but it still fails with the same error.

bitnami@ip-:~$ sudo netstat -tulnp | grep -E ':80|:443'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5523/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5523/httpd

1 Like

Sorry @lexleach, I don't know anything about bncert-tool or Bitnami. :frowning:

Others likely do. :slight_smile:

1 Like

I think it was an issue with the Bitnami bncert-tool. I switched to Certbot and it's working now. Thank you Bruce for your time. I appreciate it.

2 Likes

You are welcome @lexleach :slight_smile:
Have a pleasant day.

1 Like

Hey @lexleach,

This is the presently being served certificate https://decoder.link/sslchecker/dealeralchemist.com/443
crt.sh | 12897594077

The previous few certificates had SAN domain names of dealeralchemist.com and the wildcard name *.dealeralchemist.com; the certificate issued today only has dealeralchemist.com.

Thus names like www.dealeralchemist.com will produce the "insecure warnings".

Other (older) previous certificates had SAN domain names of dealeralchemist.com and www.dealeralchemist.com.

1 Like

There might be an issue with AWS and the CNAME in use.
[there is no way for anyone to be certain (outside of AWS)]

I would replace the CNAMEd "www" entry with the IP it now resolves to.
Then retry.
In any case, I would then put the CNAME back as it was.

If that happened to work, I would take that up with AWS.
If that failed, then you are no closer to cracking the case.
[I suspect that it won't fail]

1 Like