Cannot Execute Your Request


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: otemainc.com

I was trying to create a new SSL request from the tool in my DirectAdmin dashboard:

It produced this output: Cannot Execute Your Request

Details

Requesting new certificate order…
Processing authorization for academy.otemainc.com
Waiting for domain verification…
Challenge is valid.
Challenge is valid.
Processing authorization for ftp.otemainc.com
Challenge is valid.
Processing authorization for mail.otemainc.com
Challenge is valid.
Processing authorization for otemainc.com
Challenge is valid.
Processing authorization for pop.otemainc.com
Challenge is valid.
Processing authorization for smtp.otemainc.com
Challenge is valid.
Processing authorization for www.academy.otemainc.com
Error: http://www.academy.otemainc.com/.well-known/acme-challenge/letsencrypt_1543833401 is not reachable. Aborting the script.
dig output for www.academy.otemainc.com:
Please make sure /.well-known alias is setup in WWW server.

My web server is: Nginx

The operating system my web server runs on is: Ubuntu

My hosting provider, if applicable, is: Webhost kenya

I can login to a root shell on my machine: I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes DirectAdmin 1.54.1


#2

www.academy.otemainc.com doesn’t have a DNS record/doesn’t exist.

De-select that name when creating the certificate.


#3

It does actually have a record and exists.


#4

Hi @Tosby,

Like @_az I can’t replicate that result. Are you using some kind of split-horizon setup that might be giving you one answer but everyone else a different answer?

otemainc.com has two authoritative nameservers: ns4.webhostultima.com and ns2.webhostultima.com.

The first authoritative nameserver (ns4) doesn’t resolve to an IP address:

dig @8.8.8.8 ns4.webhostultima.com | grep "status"
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20183

The second authoritative nameserver does resolve to an IP address, but it doesn’t have any records for www.academy.otemainc.com like @_az mentioned. It seems to be returning a “REFUSED” status when I query it directly for this name:

dig @ns2.webhostultima.com www.academy.otemainc.com A | grep "status:"
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20081

You’ll have to resolve these problems with your authoritative DNS before Let’s Encrypt will be able to issue a certificate for this name.
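
The diagnosis in the post above can be run as a pre-flight check before submitting a certificate order. This is an added example, not part of the original thread and not Let's Encrypt or DirectAdmin code. The function names (`classify_dig`, `check_name`, `sample_refused`) are hypothetical, the flags line in the sample is constructed, and only A records are queried, as in the post.

```shell
#!/bin/sh
# Added example: DNS pre-flight for names that will go into an ACME order.

# classify_dig: read `dig` output on stdin and print one verdict:
#   OK | NODATA | <rcode such as NXDOMAIN, REFUSED, SERVFAIL> | NO_RESPONSE
classify_dig() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") st = $(i + 1) }
        /^;; flags:/   { for (i = 1; i < NF; i++) if ($i == "ANSWER:") an = $(i + 1) }
        END {
            sub(/,$/, "", st); sub(/,$/, "", an)
            if (st == "")             print "NO_RESPONSE"   # no DNS header at all
            else if (st != "NOERROR") print st              # e.g. REFUSED
            else if (an + 0 == 0)     print "NODATA"        # name exists, no A record
            else                      print "OK"
        }'
}

# check_name NAME ZONE: query every authoritative nameserver of ZONE directly,
# without recursion, so a resolver cache or split-horizon view cannot hide a gap.
# Returns non-zero unless every nameserver answers with at least one record.
check_name() {
    name=$1; zone=$2; rc=0
    nslist=$(dig +short NS "$zone")
    [ -n "$nslist" ] || { printf '%s: no NS records found\n' "$zone"; return 1; }
    for ns in $nslist; do
        # A nameserver whose own hostname does not resolve yields NO_RESPONSE.
        verdict=$(dig +norecurse "@$ns" "$name" A 2>&1 | classify_dig)
        printf '%s @%s %s\n' "$name" "$ns" "$verdict"
        [ "$verdict" = "OK" ] || rc=1
    done
    return $rc
}

# Constructed sample: the header line quoted in the post plus a made-up flags line.
sample_refused() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20081' \
        ';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
}

# Offline demonstration on the constructed sample.
printf 'sample verdict: %s\n' "$(sample_refused | classify_dig)"
# Live use (needs network and dig), one call per name selected for the certificate:
#   check_name www.academy.otemainc.com otemainc.com
```

Any name for which `check_name` returns non-zero should be fixed in DNS or de-selected before the order is requested.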