Bncert tool failing

neil3k · June 18, 2024, 8:23pm

Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:warboysgutterclearing.co.uk

I tried to generate an ssl certificate using certbot and the bncert tool

2024/06/18 20:18:59 [INFO] [warboysgutterclearing.co.uk] acme: Trying renewal
with -430 hours remaining
2024/06/18 20:18:59 [INFO] [warboysgutterclearing.co.uk,
www.warboysgutterclearing.co.uk] acme: Obtaining bundled SAN certificate
2024/06/18 20:19:00 [INFO] [warboysgutterclearing.co.uk] AuthURL:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/357167520382
2024/06/18 20:19:00 [INFO] [www.warboysgutterclearing.co.uk] AuthURL:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/365691465497
2024/06/18 20:19:00 [INFO] [warboysgutterclearing.co.uk] acme: authorization
already valid; skipping challenge
2024/06/18 20:19:00 [INFO] [www.warboysgutterclearing.co.uk] acme: use
tls-alpn-01 solver
2024/06/18 20:19:00 [INFO] [www.warboysgutterclearing.co.uk] acme: Trying to
solve TLS-ALPN-01
2024/06/18 20:19:06 [INFO] Skipping deactivating of valid auth:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/357167520382
2024/06/18 20:19:06 [INFO] Deactivating auth:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/365691465497
2024/06/18 20:19:06 error: one or more domains had a problem:
Press [Enter] to continue:
[www.warboysgutterclearing.co.uk] acme: error: 400 ::
urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem:
SERVFAIL looking up CAA for www.warboysgutterclearing.co.uk - the domain's
nameservers may be malfunctioning

Can someone help me because I think my CAA records are correct.

Bruce5051 · June 18, 2024, 8:30pm

Hello @neil3k, welcome to the Let's Encrypt community.

The TLS-ALPN-01 challenge states
" it is performed via TLS on port 443."

Using the online tool Let's Debug yields these results
https://letsdebug.net/www.warboysgutterclearing.co.uk/2041558?debug=y

IssueFromLetsEncrypt
ERROR
A test authorization for www.warboysgutterclearing.co.uk to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
3.9.91.79: Connection refused

Using nmap shows Ports 80 & 443 are Closed.

$ nmap -Pn -p80,443 www.warboysgutterclearing.co.uk
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-18 20:26 UTC
Nmap scan report for www.warboysgutterclearing.co.uk (3.9.91.79)
Host is up (0.16s latency).
Other addresses for www.warboysgutterclearing.co.uk (not scanned): 2a05:d01c:b6d:c000:7838:1685:80a7:ccb7
rDNS record for 3.9.91.79: ec2-3-9-91-79.eu-west-2.compute.amazonaws.com

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

neil3k · June 18, 2024, 8:31pm

Hello,

Thanks for your reply

I'm getting the folowing issue though when i run th same test

IssueFromLetsEncrypt

ERROR

A test authorization for warboysgutterclearing.co.uk to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

3.9.91.79: Error getting validation data

MikeMcQ · June 18, 2024, 8:32pm

We have seen Route53 problems more often recently.

You should visit this thread and check that your registrar and DNS match as described. As with this thread, you may have other problems too but this is one that should be fixed anyway

Below is a good visualization tool for DNS checking
https://dnsviz.net/d/www.warboysgutterclearing.co.uk/dnssec/

Bruce5051 · June 18, 2024, 8:34pm

The online tool https://unboundtest.com/ is not having any issue with the CAA
https://unboundtest.com/m/CAA/www.warboysgutterclearing.co.uk/CNJBSNSY

Query results for CAA www.warboysgutterclearing.co.uk

Response:
;; opcode: QUERY, status: NOERROR, id: 16606
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;www.warboysgutterclearing.co.uk.	IN	 CAA

;; ANSWER SECTION:
www.warboysgutterclearing.co.uk.	0	IN	CAA	0 issue "letsencrypt.org"

----- Unbound logs -----
Jun 18 20:33:08 unbound1.19[2469103:0] debug: creating udp6 socket ::1 1053
Jun 18 20:33:08 unbound1.19[2469103:0] debug: creating tcp6 socket ::1 1053
Jun 18 20:33:08 unbound1.19[2469103:0] debug: creating udp4 socket 127.0.0.1 1053
Jun 18 20:33:08 unbound1.19[2469103:0] debug: creating tcp4 socket 127.0.0.1 1053

neil3k · June 18, 2024, 8:40pm

Yep that was it

Thank you

system · July 18, 2024, 8:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue when creating ssl Help	4	854	May 30, 2020
Certificate renewal failed for second-level domain Help	4	727	December 18, 2021
Some challenges have failed Help	2	601	May 17, 2023
Help for Novice Help	7	643	September 26, 2020
Domain's name servers maybe malfunctioning Help	30	2121	August 28, 2021

Bncert tool failing

Related topics