Cant generate the certificate

AlrightBabyBoy · August 7, 2023, 8:52pm

I try to generate a cert for my zabbix server. I Have Apache. When i try to generate the certificate with cerbot i have an error. I have the host recording on the DNS server.

My domain is: portlarochelle.com

I ran this command:

-sudo cerbot --apache ;

sudo certbot --apache -d zabbix.portlarochelle.com

both error

Challenge failed for domain zabbix.portlarochelle.com
http-01 challenge for zabbix.portlarochelle.com
Cleaning up challenges
Some challenges have failed.

Domain: zabbix.portlarochelle.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
zabbix.portlarochelle.com - check that a DNS record exists for this
domain; DNS problem: NXDOMAIN looking up AAAA for
zabbix.portlarochelle.com - check that a DNS record exists for this
domain

Nekit · August 7, 2023, 9:20pm

Not on the zabbix subdomain

$ dig +short zabbix.portlarochelle.com
$

AlrightBabyBoy · August 8, 2023, 8:15pm

It tell me the @IP of the server

rg305 · August 8, 2023, 10:07pm

Try using a public DNS server, like:
dig +short zabbix.portlarochelle.com @8.8.8.8
dig +short zabbix.portlarochelle.com @1.1.1.1
dig +short zabbix.portlarochelle.com @9.9.9.9

AlrightBabyBoy · August 10, 2023, 11:10am

Same error

Nekit · August 10, 2023, 11:10am

You can use tools like unboundtest to check: https://unboundtest.com/m/A/zabbix.portlarochelle.com/RS4PNIQC

Note the absence of ;; ANSWER SECTION:, compared to example.com: https://unboundtest.com/m/A/example.com/BGB2ERKI

rg305 · August 10, 2023, 12:03pm

I don't understand your answer.

AlrightBabyBoy · August 10, 2023, 12:14pm

I did the cmd you wrote and i tried again.
Can't i generate a certificate because we have a website with a CA to our public @IP ?

Nekit · August 10, 2023, 1:22pm

Yes you can get a certificate for a publicly resolvable domain name. Currently the domain name zabbix.portlarochelle.com does not have any records associated with it, at least from the point of view of the internet.

MikeMcQ · August 10, 2023, 1:53pm

You have an A record for the root domain and I see a website with an nginx server. That looks fine.

But, as noted, you do not have an A record for your zabbix subdomain. You need an A and/or AAAA (for IPv6) for people to reach that domain from the public internet. You are also using an HTTP Challenge with the --apache plug-in so need an A and/or AAAA record for that.

You could instead use the DNS Challenge but this is often more difficult to setup. And, people on the public internet still will not be able to reach that zabbix subdomain without the A/AAAA records.

dig +noall +answer portlarochelle.com
portlarochelle.com.     189     IN      A       54.37.151.51

dig +noall +answer zabbix.portlarochelle.com

rg305 · August 10, 2023, 2:54pm

I wanted to see the outputs of those commands.
[they don't fix anything]

AlrightBabyBoy · August 11, 2023, 6:47am

Thank you for your answer.
Maybe i didn't understand anything..

One question, i thought the encryption DNS on OVH was for the internet acess.
I dont want to my zabbix server is open on internet with the adress zabbix.portlarochelle.com

I just want not have anymore the security message from the brower why dont reconize an auto signed certificat by generate a certificat with lets encrypt.
Am i wrong ?!

MikeMcQ · August 11, 2023, 1:17pm

Then you cannot use the HTTP Challenge method to get a cert. The --apache method you chose uses this method.

Instead, you need to use a DNS Challenge. Certbot has support for OVH DNS
https://certbot-dns-ovh.readthedocs.io/en/stable/

Please also read about the DNS Challenge that I linked to previously

system · September 10, 2023, 1:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.