Certbot failed to authenticate some domains (authenticator: nginx)

curl -4 ifconfig.me : 43.205.115.65


@MuhammadSanaullah123,

Excellent! :slight_smile:
And presently https://unboundtest.com/ agrees, https://unboundtest.com/m/A/vr.camc.sa/AJFUL7MY

Query results for A vr.camc.sa

Response:
;; opcode: QUERY, status: NOERROR, id: 33778
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;vr.camc.sa.	IN	 A

;; ANSWER SECTION:
vr.camc.sa.	0	IN	A	43.205.115.65

----- Unbound logs -----
May 13 19:31:19 unbound1.19[2125126:0] debug: creating udp6 socket ::1 1053

Then bluehost has the wrong IP:

nslookup vr.camc[.]sa ns1.bluehost.com

Name:    vr.camc[.]sa
Address: 50.87.184.136

Let me add some info I forgot. I first connected the domain camc[.]sa to my AWS EC2 instance where I have deployed my website and got the SSL certificate for it and was successful, and later I found that a WordPress website was to be connected with camc[.]sa, so I removed this domain and added the subdomain vr.camc[.]sa to AWS and tried to get SSL but failed, as you all know. Do I have to delete the previously added SSL certificate for camc[.]sa in the EC2 instance?

Now the online tool Let's Debug yields these results https://letsdebug.net/vr.camc.sa/1951808?debug=y

DNSLookupFailed
FATAL
A fatal issue occurred during the DNS lookup process for camc.sa/CAA.
DNS response for camc.sa/CAA did not have an acceptable response code: SERVFAIL. Additionally, Cloudflare's 1.1.1.1 resolver reported: at delegation camc.sa.

I just checked now: vr.camc[.]sa is pointing towards camc[.]sa, as you can also see online. Did bluehost mix up some things?

Deleting a certificate doesn't fix anything.

The base domain and the vr subdomain should be treated as two separate things - they are (two distinct FQDNs).

All the AWS DNS servers are now returning "Query Refused" for your domain.
I suppose that means things are starting to synchronize.


Again:


nslookup -q=ns camc[.]sa m1.dns.sa
Server: m1.dns.sa
Address: 86.51.77.213#53

** server can't find camc[.]sa: REFUSED

Try that without the brackets "[", "]"

Those are being inserted [by me] because of the PHISHING/MALICIOUS findings on that domain.


nslookup -q=ns camc[.]sa m1.dns.sa
Server: m1.dns.sa
Address: 86.51.77.213#53

Non-authoritative answer:
*** Can't find camc[.]sa: No answer

Authoritative answers can be found from:
camc[.]sa nameserver = ns-1925.awsdns-48.co.uk.
camc[.]sa nameserver = ns-991.awsdns-59.net.
camc[.]sa nameserver = ns-1423.awsdns-49.org.
camc[.]sa nameserver = ns-64.awsdns-08.com.

As you can see, that reply is inconsistent with the WHOIS information.
Again, have a look at:

And when those four AWS servers are asked about your domain, they return "Query Refused":
nslookup -q=ns camc[.]sa ns-1925.awsdns-48.co.uk


Yes, you are right. There are inconsistencies, and to add to that, I was able to connect my AWS website to the subdomain by copying the nameservers from AWS to the domain registrar and pasting them in the nameserver section. Then vr.camc[.]sa was pointing towards my AWS-deployed website, and now, all of a sudden, vr.camc[.]sa is pointing towards camc[.]sa.

AWS should NOT be providing any DNS for your domain any longer.
You have removed them from such authority at the domain level.

You may need to speak with AWS about that.


Well, I copied the nameservers from Route 53 to the domain nameservers. And I believe that I did not make any changes, so I am unable to comprehend how I have removed them at the domain level.

The domain registrar is authoritative for which nameservers are to be used for your domain.
Everything starts there.

I could make an entry in my nameservers; the world would NOT use my nameservers to find your domain.

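The diagnosis the replies walk through (ask the TLD server which nameservers the registrar delegates to, then ask each of those servers whether it actually serves the zone, and compare the A answer different servers give) can be automated. This is an added example, not code from any post in the thread; `query(server, name, rrtype)` is an assumed interface returning `(rcode_text, [rdata_text])`, `dns_query` is a dnspython-backed default that needs the server as an IP address, and a fake `query` can be injected for offline use.

```python
"""Delegation consistency check modelled on the diagnosis in this thread.

Added example, not code from any of the posts. `query(server, name, rrtype)`
is an assumed interface returning (rcode_text, [rdata_text]); dns_query is a
dnspython-backed default (server must be an IP), and a fake can be injected.
"""
from typing import Callable, Dict, List, Tuple

Query = Callable[[str, str, str], Tuple[str, List[str]]]


def dns_query(server: str, name: str, rrtype: str) -> Tuple[str, List[str]]:
    """Ask one server directly over UDP and collect records of the requested
    type from both ANSWER and AUTHORITY: a parent/TLD server returns the
    delegation NS set in AUTHORITY (nslookup's 'Authoritative answers can be
    found from' block), not in ANSWER."""
    import dns.message, dns.query, dns.rcode, dns.rdatatype  # dnspython (assumed installed)
    resp = dns.query.udp(dns.message.make_query(name, rrtype), server, timeout=5)
    want = dns.rdatatype.from_text(rrtype)
    rdata = [r.to_text() for rrset in resp.answer + resp.authority
             if rrset.rdtype == want for r in rrset]
    return dns.rcode.to_text(resp.rcode()), rdata


def check_delegation(domain: str, parent: str, query: Query) -> List[str]:
    """Walk the chain: parent (TLD) NS set, then each listed server's own view.
    Returns findings; an empty list means the delegation looks consistent."""
    findings: List[str] = []
    rcode, delegated = query(parent, domain, "NS")
    if rcode != "NOERROR" or not delegated:
        return [f"parent {parent}: {rcode}, no delegation NS for {domain}"]
    for ns in sorted(delegated):
        ns_rcode, own = query(ns, domain, "NS")
        if ns_rcode != "NOERROR":
            # REFUSED here is the 'Query Refused' symptom from the thread: the
            # server is still listed at the registrar but no longer hosts the
            # zone, i.e. a lame delegation
            findings.append(f"lame: {ns} answers {ns_rcode} for {domain}")
        elif set(own) != set(delegated):
            findings.append(f"NS mismatch at {ns}: {sorted(own)} vs parent {sorted(delegated)}")
    return findings


def compare_a(name: str, servers: List[str], query: Query) -> Dict[str, Tuple[str, Tuple[str, ...]]]:
    """Collect the rcode and A answer each server gives, so disagreement
    (a stale hosting-provider server vs a public resolver) is visible side by side."""
    return {s: (lambda r: (r[0], tuple(sorted(r[1]))))(query(s, name, "A")) for s in servers}
```

A non-empty result from `check_delegation` means the registrar's NS set and the servers' own view disagree, which is the state the thread describes; `compare_a` makes the two different A answers from different servers visible in one dictionary.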

Well, instead of sudo certbot --nginx -d vr[.]camc[.]sa -d www[.]vr[.]camc[.]sa
I did sudo certbot --nginx -d vr[.]camc[.]sa and it worked, and I got SSL for vr[.]camc[.]sa only. Now vr[.]camc[.]sa itself is a subdomain of camc[.]sa, so maybe the reason I cannot get SSL for www[.]vr[.]camc[.]sa is that www[.]camc[.]sa already exists and points to camc[.]sa, which is hosted by bluehost, and only bluehost can provide SSL for a website hosted on bluehost, which in this case is camc[.]sa. While on the other hand, since vr[.]camc[.]sa is hosted by AWS, I was able to get SSL for it through AWS EC2. But the problem is that I made the configuration in the Route 53 of AWS that www[.]vr[.]camc[.]sa should point to vr[.]camc[.]sa, which is not happening and ends up opening www[.]vr[.]camc[.]sa, which is insecure. Maybe I have to add www[.]vr[.]camc[.]sa in the A-type DNS config of camc[.]sa in bluehost so it can be created as a subdomain and make it point towards the IP address of the AWS-hosted website, just like I did with vr[.]camc[.]sa?