Bncert tool failing

Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: warboysgutterclearing.co.uk

I tried to generate an SSL certificate using certbot and the bncert tool.

2024/06/18 20:18:59 [INFO] [warboysgutterclearing.co.uk] acme: Trying renewal
with -430 hours remaining
2024/06/18 20:18:59 [INFO] [warboysgutterclearing.co.uk,
www.warboysgutterclearing.co.uk] acme: Obtaining bundled SAN certificate
2024/06/18 20:19:00 [INFO] [warboysgutterclearing.co.uk] AuthURL:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/357167520382
2024/06/18 20:19:00 [INFO] [www.warboysgutterclearing.co.uk] AuthURL:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/365691465497
2024/06/18 20:19:00 [INFO] [warboysgutterclearing.co.uk] acme: authorization
already valid; skipping challenge
2024/06/18 20:19:00 [INFO] [www.warboysgutterclearing.co.uk] acme: use
tls-alpn-01 solver
2024/06/18 20:19:00 [INFO] [www.warboysgutterclearing.co.uk] acme: Trying to
solve TLS-ALPN-01
2024/06/18 20:19:06 [INFO] Skipping deactivating of valid auth:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/357167520382
2024/06/18 20:19:06 [INFO] Deactivating auth:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/365691465497
2024/06/18 20:19:06 error: one or more domains had a problem:
Press [Enter] to continue:
[www.warboysgutterclearing.co.uk] acme: error: 400 ::
urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem:
SERVFAIL looking up CAA for www.warboysgutterclearing.co.uk - the domain's
nameservers may be malfunctioning

Can someone help me because I think my CAA records are correct.

Hello @neil3k, welcome to the Let's Encrypt community.

The TLS-ALPN-01 challenge states "it is performed via TLS on port 443."

Using the online tool Let's Debug yields these results
https://letsdebug.net/www.warboysgutterclearing.co.uk/2041558?debug=y

IssueFromLetsEncrypt
ERROR
A test authorization for www.warboysgutterclearing.co.uk to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
3.9.91.79: Connection refused

Using nmap shows ports 80 & 443 are closed.

$ nmap -Pn -p80,443 www.warboysgutterclearing.co.uk
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-18 20:26 UTC
Nmap scan report for www.warboysgutterclearing.co.uk (3.9.91.79)
Host is up (0.16s latency).
Other addresses for www.warboysgutterclearing.co.uk (not scanned): 2a05:d01c:b6d:c000:7838:1685:80a7:ccb7
rDNS record for 3.9.91.79: ec2-3-9-91-79.eu-west-2.compute.amazonaws.com

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Hello,

Thanks for your reply

I'm getting the following issue though when I run the same test:

IssueFromLetsEncrypt

ERROR

A test authorization for warboysgutterclearing.co.uk to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

3.9.91.79: Error getting validation data


We have seen Route53 problems more often recently.

You should visit this thread and check that your registrar and DNS match as described. As with this thread, you may have other problems too, but this is one that should be fixed anyway.

Below is a good visualization tool for DNS checking
https://dnsviz.net/d/www.warboysgutterclearing.co.uk/dnssec/


The online tool https://unboundtest.com/ is not having any issue with the CAA
https://unboundtest.com/m/CAA/www.warboysgutterclearing.co.uk/CNJBSNSY

Query results for CAA www.warboysgutterclearing.co.uk

Response:
;; opcode: QUERY, status: NOERROR, id: 16606
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;www.warboysgutterclearing.co.uk.	IN	 CAA

;; ANSWER SECTION:
www.warboysgutterclearing.co.uk.	0	IN	CAA	0 issue "letsencrypt.org"

----- Unbound logs -----
Jun 18 20:33:08 unbound1.19[2469103:0] debug: creating udp6 socket ::1 1053
Jun 18 20:33:08 unbound1.19[2469103:0] debug: creating tcp6 socket ::1 1053
Jun 18 20:33:08 unbound1.19[2469103:0] debug: creating udp4 socket 127.0.0.1 1053
Jun 18 20:33:08 unbound1.19[2469103:0] debug: creating tcp4 socket 127.0.0.1 1053
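For readers wondering why a SERVFAIL on the CAA lookup blocks issuance even though the record itself is fine: this added example (not code from the thread or from Let's Encrypt) models the CA-side decision from RFC 8659 over constructed lookup tables instead of live DNS, so a healthy zone, the SERVFAIL seen in the post, an unknown critical property, and a wildcard request can be compared side by side.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CRITICAL = 128  # issuer-critical flag bit (RFC 8659, section 4.1)

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # "issue", "issuewild", "iodef" or an unknown property
    value: str  # e.g. "letsencrypt.org", or ";" meaning no CA may issue

Lookup = Tuple[str, List[CAA]]          # (rcode, CAA records in the answer)
Resolver = Callable[[str], Lookup]

def ancestors(name: str) -> List[str]:
    # www.example.co.uk -> [www.example.co.uk, example.co.uk, co.uk, uk]
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def relevant_caa(name: str, resolve: Resolver) -> Tuple[str, List[CAA]]:
    # Climb towards the root until a non-empty CAA set is found. A SERVFAIL on the
    # way is reported as such: the CA cannot tell whether a restricting record exists.
    for candidate in ancestors(name):
        rcode, records = resolve(candidate)
        if rcode == "SERVFAIL":
            return "servfail", []
        if records:
            return "found", records
    return "none", []

def may_issue(name: str, ca: str, resolve: Resolver, wildcard: bool = False) -> bool:
    status, records = relevant_caa(name, resolve)
    if status == "servfail":
        return False  # erroring lookup: issuance must be refused
    if status == "none":
        return True   # no CAA anywhere in the tree: any CA may issue
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False  # unknown critical property: must refuse
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild takes precedence for wildcard names only
    allowed = {r.value.split(";")[0].strip().lower() for r in records if r.tag == tag}
    return ca.lower() in allowed

# Constructed lookup tables, not live DNS: HEALTHY mirrors the unboundtest record,
# BROKEN models nameservers that answer SERVFAIL for the www name.
HEALTHY: Dict[str, Lookup] = {"warboysgutterclearing.co.uk": ("NOERROR", [CAA(0, "issue", "letsencrypt.org")])}
BROKEN: Dict[str, Lookup] = {"www.warboysgutterclearing.co.uk": ("SERVFAIL", [])}

def table_resolver(table: Dict[str, Lookup]) -> Resolver:
    return lambda n: table.get(n, ("NOERROR", []))
```

Note that a NOERROR answer with no CAA records simply moves the search one label up, whereas a SERVFAIL stops it; that is the difference between "no CAA set" and the error in the post. CNAME chasing is left out for brevity.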

Yep, that was it.

Thank you
