Can't provision certs through mailinabox

Hi, I've been struggling to provision certs for my domain through mailinabox, which is failing with the rather unhelpful error "Something went wrong, sorry", and I would really appreciate any help or insights you're able to give. I did have a look at the certbot logs, but they were very long and I wasn't sure which parts were relevant.

My domain is: sqzi.com

I tried letsdebug.net and got SERVFAILs for AAAA and CAA, but these shouldn't be relevant, should they? I don't use IPv6, and having no CAA record should mean unrestricted, right?

Here are the DNS records from Google:

A Records

Name TTL Data
sqzi.com 21600 88.99.121.10

AAAA Records

No records present.

CNAME Records

No records present.

MX Records

Name TTL Data Address Preferences
sqzi.com 21600 88.99.121.10 mail.sqzi.com. 10

NS Records

PTR Records

No records present.

SRV Records

No records present.

SOA Records

Name TTL Mname Rname
sqzi.com 21600 ns1.mail.sqzi.com. hostmaster.mail.sqzi.com.

TXT Records

Name TTL Data
sqzi.com "21600" "v=spf1 mx -all"

CAA Records

No records present.

DS Records

No records present.

DNSKEY Records

Name TTL Algorithm_id Protocol Type Key_id Key
sqzi.com 21600 8 3 ZSK 35616 "AwEAAdfMuw8ezonQkxHExc9mI+z0rwV4HPKduOxner92
oSFfUrguJR7gx65QqMHOvGgwHmpvZeAetp3MRArOnXK8
K+vwyt4EHHvWf8vHzxgMmM9AMQZVlygHIBh2DC7RJ+YF
OBoXXL7pzOcK3Dlx6ouLI+Dh4czioAnK1/1rEA/1wmmL"
sqzi.com 21600 13 3 ZSK 5611 "dJiHxfpwx1SnxC6pD3rUqK1ZCC33cR39IlAyYQCjtsc+
hS3Vd8QUYzZq7QwVhVchz9uHhrrZ00VcEufKhVSKxA=="
sqzi.com 21600 8 3 KSK 34081 "AwEAAfy3iFTVkLLpwULD75ggEw55ndd6S3LpERMNeMVP
sRF9UhH+VMoZzxgoTTrNdXFCISLz5/E0y9TUwWVm2Zc4
0yNSByBw9lQs+6/OhxPux6HDttqBV/3eaEKNLN2y10xz
6vQ514Za1cd1IIHoTN+2nke92MAeFCX8sC23KMmgnHXH"
sqzi.com 21600 13 3 KSK 36066 "FCMdbbbsfErSpjMJfrrM6+iR0BFd6x7o2d3M0yxSXmnL
fEOmVT0OOrWN9n9r5LGGpTpFYJrJ10lBvSsbtMmxbg=="

My web server is (include version): nginx through mailinabox email (v67)

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: Hetzner cloud server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Thanks in advance!

Looking at this again now, I see that I still have DNSSEC records in the dig output, whereas they're not in the zone file of my DNS server. Is this the problem, and is the solution just waiting for these cached DNSSEC records to expire?

I see no issue with your DNSSEC config. mail.sqzi.com | DNSViz

They are. Proper response is an empty NOERROR response (which is what I see). Also, ns1 and ns2 point to the same IP address. Are you sure you want to host your own DNS?


Why would I want an AAAA record when I don't want to run IPv6 on my server?
I was under the impression that the default behaviour with no CAA record was that any authority could issue certs? I've created both CAA and AAAA records now, but am currently having an IPv6 connectivity issue, which is the only error letsdebug is now indicating. Connectivity should be fine on IPv4 though, so I don't see this as the issue.
Yeah, I currently have both NS records pointing to the same server; once I'm happy it's working properly I'll introduce the secondary.

You wouldn't want an AAAA record, but "there is no record here" and "wtf even is an AAAA record" are two different responses.

You need the answer to be noerror, not servfail.


I don't understand what you're saying. I didn't have an AAAA record because I don't do IPv6, but still got SERVFAIL.
Now I've enabled IPv6 and added AAAA and CAA records and get "error" because my IPv6 isn't yet working.
This still doesn't explain why this isn't working on IPv4, unless I'm stupid.
Actually, perhaps I totally am stupid: presumably I need to enable the certbot HTTP server to listen in order to get a response? If so, do you know the certbot command for this?

If your DNS server is returning a SERVFAIL if you do not have an AAAA RR present, then your DNS server is malfunctioning.

Obviously adding a non-functional IPv6 address to the AAAA RR isn't going to work.

Without the AAAA RR but with a functioning CAA RR, what's the error message from Let's Encrypt?

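The checks the replies above describe, as an added example that is not part of this thread or of mailinabox: a POSIX shell script that reads the RCODE out of dig's header, flags SERVFAIL on record types that are allowed to be absent (AAAA, CAA), and reports what a CAA answer means for issuance (no CAA records means any CA may issue; SERVFAIL means the CA's lookup fails). It assumes dig from bind9-dnsutils is installed; the domain and nameserver are parameters, the CHECK_DOMAIN and CHECK_SERVER variable names are my own, and the dig header lines used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that every lookup a CA performs
# against a zone comes back NOERROR (an empty answer is fine) and never
# SERVFAIL, which indicates a broken authoritative server or resolver.
# Assumes `dig` (bind9-dnsutils). Domain and server are parameters.

# Pull the RCODE out of dig's header comment line, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
rcode_of() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Meaning of an RCODE for a record type that may legitimately be absent.
classify_rcode() {
    case "$1" in
        NOERROR|NXDOMAIN) echo ok ;;             # "no such record" is a valid answer
        SERVFAIL)         echo broken ;;         # server malfunction; CA lookup fails
        '')               echo no-response ;;    # no header at all (timeout, etc.)
        *)                echo "unexpected:$1" ;;
    esac
}

# CAA policy from a CAA answer (RFC 8659): no records means any CA may issue;
# issue/issuewild records restrict issuance to the listed issuers.
# $1 = RCODE, $2 = `dig +short` output, zero or more "flags tag value" lines.
caa_policy() {
    [ "$1" = NOERROR ] || { echo lookup-failed; return; }
    issuers=$(printf '%s\n' "$2" |
        awk '$2 == "issue" || $2 == "issuewild" { gsub(/"/, "", $3); print $3 }' |
        paste -sd, -)
    if [ -z "$issuers" ]; then echo unrestricted; else echo "restricted:$issuers"; fi
}

# Live query of one record type, optionally against a specific server.
query() {   # query <domain> <type> [server]
    dig +noall +comments +answer "$1" "$2" ${3:+"@$3"} 2>/dev/null
}

# Print one line per record type: type, RCODE, verdict.
check_zone() {   # check_zone <domain> [server]
    for t in A AAAA MX CAA; do
        out=$(query "$1" "$t" "$2")
        rc=$(rcode_of "$out")
        printf '%-5s %-9s %s\n' "$t" "${rc:-NONE}" "$(classify_rcode "$rc")"
    done
}

# Only query the network when a domain is supplied, so sourcing the file is side-effect free.
# Example: CHECK_DOMAIN=sqzi.com CHECK_SERVER=ns1.mail.sqzi.com sh check_zone.sh
if [ -n "${CHECK_DOMAIN:-}" ]; then
    check_zone "$CHECK_DOMAIN" "${CHECK_SERVER:-}"
fi
```

Run it once against each authoritative server and once against the recursive resolver you normally use; a zone can answer correctly at the authoritative servers yet still SERVFAIL through a validating resolver when stale or mismatched DNSSEC material is involved, which is the other possibility raised in the thread.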

Thanks. It looks like this is actually a problem with the mailinabox cert provisioning tool as I have now been able to manually get a cert using...
certbot certonly --config-dir /home/user-data/ssl/lets_encrypt/ -d sqzi.com

Thanks for the replies.

