Cerbot failed for a domain with only 2 CNAME records


#1

Hello,

The DNS of my domain “funfun.org.cn” contains only 2 CNAME records, which point to a Chinese CDN and an oversee CDN. I don’t have A record. Does it mean I cannot create certificates?

Thank you

My domain is: funfun.org.cn

I ran this command: sudo certbot --nginx -d funfun.org.cn -d www.funfun.org.cn

It produced this output:

Failed authorization procedure. funfun.org.cn (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for funfun.org.cn, www.funfun.org.cn (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.funfun.org.cn/.well-known/acme-challenge/tEeYd6VuKE1w0KVTwICACr-o-q0lL3iGw9vC18MqP4o: "

body{background-color:#FFFFFF}"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: funfun.org.cn
    Type: unknownHost
    Detail: No valid IP addresses found for funfun.org.cn

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: www.funfun.org.cn
    Type: unauthorized
    Detail: Invalid response from
    http://www.funfun.org.cn/.well-known/acme-challenge/tEeYd6VuKE1w0KVTwICACr-o-q0lL3iGw9vC18MqP4o:
    "

    body{background-color:#FFFFFF}"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Alibaba Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hello @chengtie,

The www.funfun.org.cn exists.

But funfun.org.cn doesn’t work.

So the validation of funfun.org.cn produces an error.

Add a nameserver-entry for funfun.org.cn

Or create only a certificate for www.funfun.org.cn


#3

But I still got an error for “sudo certbot --nginx -d www.funfun.org.cn”:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.funfun.org.cn
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.funfun.org.cn (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.funfun.org.cn/.well-known/acme-challenge/8j8QRrol76VAUYAd5Z0c6AePyCxDyXX4Atpx3rYubeE: "

body{background-color:#FFFFFF}"

IMPORTANT NOTES:


#4

Yes, there is a general problem. But I don’t know the details.

Looks that you need some other things before your page is global visible.


#5

I have already got the ICP filing… the message is wired…

But where did you get this screenshots?

Cheers


#6

I called the website http://www.funfun.org.cn/ with FireFox

From Berlin, Germany. Switched to english.

Edit: The same picture with the validation address:

http://www.funfun.org.cn/.well-known/acme-challenge/tEeYd6VuKE1w0KVTwICACr-o-q0lL3iGw9vC18MqP4o

So the validation doesn’t work.


#7

You’ll need to either clear the cache (cdn) / switch to aliyun’s ICP filling… Or just contact aliyun to resolve this issue.

P.S. if you are using qiniu (七牛)'s cdn service, you might want to use their free DV certificate instead of Let’s Encrypts (since your site is pointed to qiniu’s cdn and so you’ll need to add certificate to qiniu instead of aliyun and they offer free trustasia certificate for qiniu user)
https://www.qiniu.com/ssl

Thank you


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.