Cannot get certificate A/AAAA records error


#1

I’m getting this error and I’m pretty sure it’s because of the subdomains:

My Domain Settings look like this:


#2

Focus on this:

[that other part of the message seems only to confuse this matter]


#3

Hi @amiramieng

You have a curious configuration (https://check-your-website.server-daten.de/?q=simplebyte.co):

Domainname / IP-Address / Http-Status / redirect / Sec. / G

http://www.simplebyte.co/
    95.179.182.197   301   https://simplebyte.co/   0.034   E
http://simplebyte.co/
    95.179.182.197   403 Forbidden   0.037   M
https://simplebyte.co/
    95.179.182.197   -14 Timeout - The operation has timed out   10.023   T
https://www.simplebyte.co/
    95.179.182.197   -14 Timeout - The operation has timed out   10.027   T
http://www.simplebyte.co/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    95.179.182.197   301   https://simplebyte.co/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de   0.037   E
http://simplebyte.co/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    95.179.182.197   404 Not Found   0.034   A
https://simplebyte.co/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    -14 Timeout - The operation has timed out   10.027   T

If you use http-01 validation, a file under /.well-known/acme-challenge is checked.

Your http + non-www has an http status 404, which is good.

Your http + www redirects to https + non-www - then follows a timeout.

So Letsencrypt can’t validate your www - domain name.

Remove the redirect, then check your config file to find your webroot. Then use something like

certbot run -a webroot -i apache -w yourwebroot -d simplebyte.co -d www.simplebyte.co

#4

The http to https redirect was a thing I added on my previous server in .htaccess. Why is it still an issue? It’s a different IP address.


#5

Let me also add that I had a previous SSL certificate on the cpanel, does that make a difference?


#6

If you use cPanel, you shouldn’t use Certbot directly.

cPanel has its own management.


#7

I used cpanel on my other server with this domain.


#8

What command did you run?

Do you know why port 443 on your site returns a “No route to host” error? A firewall? Is SSL set up on this server currently? Was it before?


#9

@mnordhoff No, I never had any certificates on this server. I ran this command:
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com


#10

Is this really your webroot? Where your domain starts?

Then you have a wrong redirect (rechecked now):

http://www.simplebyte.co/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    95.179.182.197   301   https://simplebyte.co/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de   0.037   E

Your http www + /.well-known/acme-challenge redirects to https + non-www. But https has a timeout / doesn’t exist.

If you have a working certificate, you can use such a redirect. But if there is no working SSL-configuration, then the redirect result is dead -> timeout -> challenge fails.

So remove this redirect to create a certificate with www.

Non-www doesn’t have such a redirect.
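The redirect argument in this reply and in #3 (the validator follows the redirect from http + www to https, https never answers, so the challenge fails; without the redirect, or with a working https, it would succeed), modelled as an added example. This is not Certbot or Let’s Encrypt code and not from any poster; the responses are constructed from the check results quoted above rather than fetched, the key-authorization string and the redirect limit of 10 are assumptions, and the `scenario_*` functions are hypothetical names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical model of an http-01 fetch, not Certbot's or Let's Encrypt's code:
# the validator requests /.well-known/acme-challenge/<token>, follows redirects
# (http -> https is allowed) and needs a final 200 carrying the key authorization.
MAX_REDIRECTS = 10  # assumed limit for this model


@dataclass
class Response:
    status: Optional[int]   # HTTP status code; None models a timeout / no route to host
    location: str = ""      # Location header on a 3xx
    body: str = ""          # body of a 200


TOKEN = "check-your-website-dot-server-daten-dot-de"   # token name the check tool used
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN
KEY_AUTHZ = TOKEN + ".constructed-account-thumbprint"   # constructed key authorization


def simulate_http01(start_url: str, responses: Dict[str, Response],
                    expected_body: str = KEY_AUTHZ,
                    max_redirects: int = MAX_REDIRECTS) -> Tuple[bool, str, List[str]]:
    """Walk the redirect chain from start_url; return (ok, reason, urls visited)."""
    url = start_url
    chain = [url]
    for _ in range(max_redirects + 1):
        resp = responses.get(url)
        if resp is None or resp.status is None:
            # A hop that never answers is the "redirect result is dead -> timeout" case.
            return False, "timeout / no answer at " + url, chain
        if resp.status in (301, 302, 303, 307, 308):
            url = resp.location
            chain.append(url)
            continue
        if resp.status == 200 and resp.body.strip() == expected_body:
            return True, "key authorization served by " + url, chain
        return False, f"HTTP {resp.status} at {url} without the key authorization", chain
    return False, "too many redirects", chain


def scenario_broken_www():
    """The thread's state: http + www redirects to https + non-www, which times out."""
    responses = {
        "http://www.simplebyte.co" + CHALLENGE_PATH:
            Response(301, location="https://simplebyte.co" + CHALLENGE_PATH),
        "https://simplebyte.co" + CHALLENGE_PATH: Response(None),  # constructed timeout
    }
    return simulate_http01("http://www.simplebyte.co" + CHALLENGE_PATH, responses)


def scenario_wrong_webroot():
    """Token written outside the real DocumentRoot: the server answers 404."""
    responses = {"http://simplebyte.co" + CHALLENGE_PATH: Response(404)}
    return simulate_http01("http://simplebyte.co" + CHALLENGE_PATH, responses)


def scenario_redirect_removed():
    """Redirect removed and the token placed in the real DocumentRoot."""
    responses = {
        "http://www.simplebyte.co" + CHALLENGE_PATH: Response(200, body=KEY_AUTHZ + "\n"),
    }
    return simulate_http01("http://www.simplebyte.co" + CHALLENGE_PATH, responses)


def scenario_redirect_to_working_https():
    """The same redirect is fine once https actually answers with the token."""
    responses = {
        "http://www.simplebyte.co" + CHALLENGE_PATH:
            Response(301, location="https://simplebyte.co" + CHALLENGE_PATH),
        "https://simplebyte.co" + CHALLENGE_PATH: Response(200, body=KEY_AUTHZ),
    }
    return simulate_http01("http://www.simplebyte.co" + CHALLENGE_PATH, responses)


if __name__ == "__main__":
    for name, fn in (("broken www", scenario_broken_www),
                     ("wrong webroot", scenario_wrong_webroot),
                     ("redirect removed", scenario_redirect_removed),
                     ("redirect to working https", scenario_redirect_to_working_https)):
        ok, reason, chain = fn()
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}  chain: {' -> '.join(chain)}")
```

The `scenario_wrong_webroot` case is the other failure discussed in the thread: even with no redirect, a token written to a directory that is not the vhost’s DocumentRoot is answered with 404 and the challenge fails just the same.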


#11

I had the redirect on my other server through cPanel in my .htaccess file, but not on this IP. Could that be an issue?


#12

I don’t understand your setup.

Which instance answers if I check your domain via https://check-your-website.server-daten.de/?q=simplebyte.co

It’s impossible to see that.

I see only the result. Redirect http -> https, then a timeout.

You have these settings:

Host               T     IP-Address       is auth.   ∑ Queries   ∑ Timeout
simplebyte.co      A     95.179.182.197   yes        2           0
                   AAAA                   yes
www.simplebyte.co  C     simplebyte.co    yes        1           0
                   A     95.179.182.197   yes

So 95.179.182.197 answers. And Certbot should run on the server with this ip.


PS: Letsencrypt must check if you are the domain owner. So if Certbot (the client) works on server (1), but Letsencrypt checks server (2), that can’t work.


#13

As @JuergenAuer pointed out:
This does NOT look like a DocumentRoot:

Unless you have made some /.well-known/acme-challenge/ rewrite, the webroot must match the actual documentroot.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.