Cannot get certificate A/AAAA records error

I’m getting this error and I'm pretty sure it’s because of the subdomains:

My Domain Settings look like this:

Focus on this:

[that other part of the message seems only to confuse this matter]

Hi @amiramieng

you have a curious configuration ( - Make your website better - DNS, redirects, mixed content, certificates ):

Domainname Http-Status redirect Sec. G
301 0.034 E
403 0.037 M Forbidden
-14 10.023 T Timeout - The operation has timed out
-14 10.027 T Timeout - The operation has timed out
301 0.037 E
404 0.034 A Not Found
-14 10.027 T Timeout - The operation has timed out

If you use http-01 validation, a file under /.well-known/acme-challenge is checked.

Your http + non www has a http status 404, which is good.

Your http + www redirects to https + non-www - then follows a timeout.

So Letsencrypt can't validate your www - domain name.

Remove the redirect, then check your config file to find your webroot. Then use something like

certbot run -a webroot -i apache -w yourwebroot -d -d

The http to https redirect was a thing I added on my previous server in .htaccess, why is it still an issue, it’s a different IP address.

Let me also add that I had a previous SSL certificate on the cpanel, does that make a difference?

If you use cPanel, you shouldn't use Certbot directly.

cPanel has its own management.

I used cpanel on my other server with this domain.

What command did you run?

Do you know why port 443 on your site returns a “No route to host” error? A firewall? Is SSL set up on this server currently? Was it before?

@mnordhoff No, I never had any certificates on this server. I ran this command:
sudo certbot certonly --agree-tos --email --webroot -w /var/lib/letsencrypt/ -d -d

Is this really your webroot? Where your domain starts?

Then you have a wrong redirect (rechecked now):

Your http www + /.well-known/acme-challenge redirects to https + non-www. But https has a timeout / doesn't exist.

If you have a working certificate, you can use such a redirect. But if there is no working SSL-configuration, then the redirect result is dead -> timeout -> challenge fails.

So remove this redirect to create a certificate with www.

Non-www doesn't have such a redirect.
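To make the failure above visible before running certbot, here is an added pre-flight check (not from this thread or from certbot) that follows the redirect chain from the challenge path exactly once per hop, the way the validator would. The host names, the token name and the `thread_scenario_fetch` stand-in are constructed to mirror the setup described in the thread; `urllib_fetch` is the live version.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-token"  # constructed name


def urllib_fetch(url, timeout=10):
    """Live fetcher: one request, no redirect following; returns (status, Location)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return resp.getcode(), None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError) as err:
        raise ConnectionError(str(err)) from err


def thread_scenario_fetch(url):
    """Constructed offline stand-in for the setup in this thread: http www
    redirects to https non-www, https times out, http non-www answers 404."""
    if url.startswith("http://www."):
        return 301, "https://" + url[len("http://www."):]
    if url.startswith("https://"):
        raise ConnectionError("The operation has timed out")
    return 404, None


def check_challenge(host, fetch=urllib_fetch, max_hops=5):
    """Return (ok, chain, reason); chain is the list of (url, status) visited."""
    url = f"http://{host}{CHALLENGE_PATH}"
    chain = []
    for _ in range(max_hops):
        try:
            status, location = fetch(url)
        except ConnectionError as err:
            chain.append((url, None))
            return False, chain, f"redirect target unreachable: {err}"
        chain.append((url, status))
        if status in (301, 302, 307, 308) and location:
            url = urljoin(url, location)
            continue
        # 404 here is fine: the server handles the path, only the token file is missing.
        if status in (200, 404):
            return True, chain, "path reachable; certbot -w must point at this docroot"
        return False, chain, f"unexpected HTTP status {status}"
    return False, chain, "too many redirects"
```

Run `check_challenge("www.yourdomain", fetch=thread_scenario_fetch)` to see the dead redirect chain from the thread; drop the `fetch` argument to probe a live host.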

I had the redirect on my other server through cpanel in my .htaccess file, but not on this IP, could that be an issue?

I don't understand your setup.

Which instance answers if I check your domain via - Make your website better - DNS, redirects, mixed content, certificates

It's impossible to see that.

I see only the result. Redirect http -> https, then a timeout.

You have these settings:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
A yes 2 0
AAAA yes
C yes 1 0
A yes

So answers. And Certbot should run on the server with this ip.

PS: Letsencrypt must check if you are the domain owner. So if Certbot (the client) works on server (1), but Letsencrypt checks server (2), that can't work.

As @JuergenAuer pointed out:
This does NOT look like a DocumentRoot:

Unless you have made some /.well-known/acme-challenge/ rewrite, the webroot must match the actual documentroot.
