Cert has Expired, Renewal is Failing


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sftp.pioneerdm.com

I ran this command: letsencrypt --manualhost sftp.pioneerdm.com --webroot "P:\IT\MAMP\htdocs"

It produced this output: No DNS Pointers Found

My web server is (include version): MAMP PRO 3.3.1

The operating system my web server runs on is (include version): Windows 2012

My hosting provider, if applicable, is: Self Hosted

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi,

What’s the software you use to apply the certificate?

Thank you


#3

I’m not 100% sure. The site is hosted internally, it’s run through Mamp Pro with Apache. A previous developer installed the cert that has worked without issue for the last few months. Today people started receiving the “Your connection is not private” error. After some digging I found the LetsEncrypt software on my server. It’s just an executable that runs the Lets Encrypt Windows Simple program. From there I can see that there is a cert on LetsEncrypt, but attempting a renewal tells me that No DNS Pointers Found.

What I can’t figure out is the tie between Mamp and Letsencrypt. Within Mamp itself there are no settings selected for SSL Security. There is a listener for port 80 and 443, but neither of them has SSL Enabled. So I can’t tell if there is something else in Windows that I need to be looking at to determine how the SSL Cert is actually installed.


#4

https://letsdebug.net/sftp.pioneerdm.com/377
shows:


However, global DNS shows:
Name: sftp.pioneerdm.com
Address: 24.106.231.78


#5

That makes a little bit of sense. Our primary domain/website is hosted elsewhere. sftp.pioneerdm.com was configured as a subdomain pointed to a local address. The only thing it should do is resolve to the ip address that you found.

There most likely have never been A or AAAA records for that subdomain, which leads me to ask that if that’s an issue how was the cert validated in the first place?


#6

Something has gone terribly wrong…
see: https://dnsspy.io/scan/sftp.pioneerdm.com


#7

That’s vague and ominous. I’m not sure what to do with that though.


#8

Well, what it means is that LE can’t reach your domain’s name servers.
Without that they can’t resolve your FQDN.
Without that - no cert can get issued.

From where I’m sitting…
Your domain name has two name servers:
ns70.domaincontrol.com internet address = 208.109.255.45
ns70.domaincontrol.com AAAA IPv6 address = 2607:f208:302::2d
ns69.domaincontrol.com internet address = 216.69.185.45
ns69.domaincontrol.com AAAA IPv6 address = 2607:f208:206::2d

I’ve tried all four IPs without any error.

So, the problem is somehow network related.
Between the LE network and the GoDaddy network (all four IPs are in AS26496).
Can anyone spell… Single Point Of Failure?

Do you have access to any other Internet DNS system?
If so, load it with a copy of your zone and add that IP to your domain’s DNS name server list.
Or you could wait for networking to figure out what went wrong and fix it.
Just to be clear this is affecting anyone trying to reach any of your domain entries (that may not be locally cached) and are coming in from the same affected “angle/view”.

# Raid5 is for beginners - LOL
^^^Jab intended at GoDaddy - not you ^^^
You did your part; they dropped the ball.


#9

But from where you are you can also get to my sub-domain through pinging and it resolves correctly. So you can resolve all of the name servers and the subdomain, but for whatever reason the name servers aren’t able to resolve the subdomain. And since LE uses the name servers to validate certs I’m in limbo waiting for someone else to figure out what’s up?

At some point in the past, the name server was able to get to the subdomain, so the initial validation went through, but renewals are pooched.


#10

Hi,

I was thinking about this too… the problem is that when you ping from cmd or do nslookup, the query is not sent to your authoritative name server; it is usually sent to a public DNS (like 8.8.8.8, which cached it…)

However I have no clue why the GoDaddy DNS is not responding to LE… maybe you can contact GoDaddy and ask them?


#11

LE will not use the global DNS system, nor any cached entries.
They query the authoritative DNS source(s) directly.
In this case:
ns70.domaincontrol.com internet address = 208.109.255.45
ns70.domaincontrol.com AAAA IPv6 address = 2607:f208:302::2d
ns69.domaincontrol.com internet address = 216.69.185.45
ns69.domaincontrol.com AAAA IPv6 address = 2607:f208:206::2d

For reasons that are beyond my visibility, they cannot reach those IPs.
Thus they can’t issue you a cert.

Again, for reasons that are beyond my visibility (I can’t see the entire Internet from my chair), other paths can reach your name servers and/or are relying on cached information.
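Posts #8, #10 and #11 all hinge on one distinction: a resolver such as 8.8.8.8 (which ping and nslookup use) may answer from cache, whereas the CA asks the domain's authoritative name servers directly, so a cached answer on your desk says nothing about whether those servers are reachable. The script below, added here as an illustration and not code from any post, from Let's Encrypt, or from the Windows client, reproduces that authoritative check with only the Python standard library: it builds a DNS query with the recursion-desired bit cleared, sends it straight to each name-server IP quoted in the thread, and reports per server whether an authoritative answer came back. The name-server IPs are the ones quoted above; the test-net addresses used in the parser check are constructed.

```python
"""Probe a domain's authoritative name servers directly, as an ACME CA does.

Added example for this thread (not Let's Encrypt or win-acme code). Standard
library only: a minimal DNS wire-format builder/parser plus a UDP query sent
with RD=0, so a caching resolver is never consulted.
"""
import socket
import struct

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
CLASS_IN = 1


def encode_name(name):
    """Encode 'sftp.example.com' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, recursion_desired=False):
    """RD=0 asks the server for its own zone data only, never a cached copy."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 64:
                raise ValueError("compression loop")
            if end is None:
                end = offset + 2  # the pointer itself is 2 bytes long
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg):
    """Return id, rcode, the AA (authoritative answer) flag and the answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": []}
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == TYPE_A:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == TYPE_AAAA:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == TYPE_NS:
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        out["answers"].append((name, rtype, value))
        offset += rdlen
    return out


def query_server(ns_ip, name, qtype, timeout=3.0):
    """One non-recursive UDP query to ns_ip; None if it times out or errors."""
    family = socket.AF_INET6 if ":" in ns_ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        q = build_query(name, qtype)
        sock.sendto(q, (ns_ip, 53))
        resp = parse_response(sock.recvfrom(4096)[0])
        return resp if resp["id"] == struct.unpack("!H", q[:2])[0] else None
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()


def check_authoritative(name, ns_ips, qtype=TYPE_A):
    """Map each name-server IP to 'unreachable', a non-AA note, or its records."""
    report = {}
    for ip in ns_ips:
        resp = query_server(ip, name, qtype)
        if resp is None:
            report[ip] = "unreachable"
        elif not resp["aa"]:
            report[ip] = "answered but not authoritative"
        else:
            report[ip] = [v for _, t, v in resp["answers"] if t == qtype] or "no records"
    return report


if __name__ == "__main__":
    # Name-server IPs as quoted in the thread; results depend on your network path.
    servers = ["208.109.255.45", "216.69.185.45", "2607:f208:302::2d", "2607:f208:206::2d"]
    for ip, status in check_authoritative("sftp.pioneerdm.com", servers).items():
        print(ip, status)
```

If every server comes back "unreachable" from the same vantage point while nslookup on the desk still resolves the name, that is the cache-versus-authoritative split the thread is describing; running the script from a second network (a hosted VM, for instance) shows whether the outage is on the path rather than at the servers.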


#12

You mentioned other Internet DNS Systems…would that be other hosts? Other than GoDaddy. I have sites hosted on HostGator and Omnis. But I don’t really want to move my main site wholesale to another host.

Are there other options?

And it’s not that the Name Server can’t get to the SubDomain, it’s that LE isn’t getting a response from the Name Server. So would that be an issue with all GoDaddy sites?


#13

For most, that’s usually the nature of the beast (Internet)
For some, we plan for such days and make ample preparations to overcome such potential “outages”.

Case in point, I had one domain that used 4 TLDs and 6 ISPs on 4 AS - that DNS system NEVER went down.
Azure, as most other major DNS players do, attempts this (albeit not as I would):
—.com nameserver = ns1-09.azure-dns.com
—.com nameserver = ns2-09.azure-dns.net
—.com nameserver = ns3-09.azure-dns.org
—.com nameserver = ns4-09.azure-dns.info


#14

So, realistically, what do I do now? Everything was working yesterday, today it all broke, and the only answer I can come up with is that the internet Gods aren’t paying attention and things stopped working.

Can I add Name Servers to my site through GoDaddy. I don’t have access to that hosting account, but I can try to get it.


#15

Plan A: Start by calling GoDaddy (good luck with that).
Plan B: Get your hands on another DNS server to add into your mix (not run by GoDaddy).


#16

How much evidence is there that this is a DNS problem?

What software generates the “No DNS Pointers Found” error message?

What does it mean?


#17

The software that generates that message is the Lets Encrypt Windows Simple application. It’s text based, there’s no explanation as to what it means or how to start troubleshooting.


#18

see: https://letsdebug.net/sftp.pioneerdm.com/377
see: https://dnsspy.io/scan/sftp.pioneerdm.com


#19

But you can run the dnsspy against pioneerdm.com without the subdomain prefix, right?


#20

Yes (barely) see: https://dnsspy.io/scan/pioneerdm.com
There may be a glue record that is holding that up - I can’t be sure.
Also look at the Resilience & Security: 20% score and their comments.