Certbot failed to authenticate some domains

Background:

Below I have my information listed.

I am having trouble because if I go to my domain online with HTTP, I get the welcome to the Nginx page. So the name servers are working, and I know this because I configured the Route 53 with GoDaddy to work.

My Nginx configuration is as follows:

server {
    listen 80;
    server_name christianboatersassociation.com www.christianboatersassociation.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

I then went through the CertBot process: Certbot Instructions | Certbot

And it is causing the "failed to authenticate" error below. I am completely lost on how to continue. I am following the tutorials exactly.

Here is my route 53:

My domain is: http://christianboatersassociation.com/

I ran this command: sudo certbot --nginx

It produced this output:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for christianboatersassociation.com and www.christianboatersassociation.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: christianboatersassociation.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for christianboatersassociation.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for christianboatersassociation.com - the domain's nameservers may be malfunctioning

  Domain: www.christianboatersassociation.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up CAA for christianboatersassociation.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 20.0

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): AWS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.10.0

1 Like

Welcome to the Let's Encrypt Community, Michael! 🙂

I'm seeing the apex domain name (christianboatersassociation.com) having different DNS nameservers than its www subdomain name.

GoDaddy

;QUESTION
christianboatersassociation.com. IN ANY
;ANSWER
christianboatersassociation.com. 504 IN A 18.116.153.72
christianboatersassociation.com. 3504 IN NS ns05.domaincontrol.com.
christianboatersassociation.com. 3504 IN NS ns06.domaincontrol.com.
christianboatersassociation.com. 3504 IN SOA ns05.domaincontrol.com. dns.jomax.net. 2024043007 28800 7200 60480

AWS

;QUESTION
www.christianboatersassociation.com. IN ANY
;ANSWER
www.christianboatersassociation.com. 300 IN A 18.116.153.72
www.christianboatersassociation.com. 21600 IN NS ns-1401.awsdns-47.org.
www.christianboatersassociation.com. 21600 IN NS ns-2037.awsdns-62.co.uk.
www.christianboatersassociation.com. 21600 IN NS ns-447.awsdns-55.com.
www.christianboatersassociation.com. 21600 IN NS ns-742.awsdns-28.net.
www.christianboatersassociation.com. 900 IN SOA ns-1401.awsdns-47.org. awsdns-hostmaster.amazon.com. 1 7200 900
5 Likes

Thank you for the quick response.

Is it because my route 53 is not configured correctly? The usage of www versus non-www? If so, what are the steps I can do to fix this?

Route 53:

GoDaddy:

christianboatersassociation.com

ns-1401.awsdns-47.org
ns-447.awsdns-55.com
ns-742.awsdns-28.net
ns-2037.awsdns-62.co.uk

I've also checked and can confirm that my instance's IP address (18.116.153.72) is elastic and matches the Route 53 IP address.

2 Likes

I'm now getting no records at all for the apex domain name (christianboatersassociation.com). Have you made a lot of nameserver changes in the last hour or so?

5 Likes

I have not, although, according to my Route 53, I only have an IP set up to link www and route for non-www.

1 Like

Which tutorial did you follow? Is there a link? Because your DNS, as already noted, is not setup right.

We are not a general "How to setup DNS" help forum but sometimes people suggest things anyway.

Here is a visual picture of your root domain, and it is the reason for the SERVFAIL errors:
https://dnsviz.net/d/christianboatersassociation.com/dnssec/

6 Likes

Hello,

Thank you everyone for the help you have given me. The issue was that I did the DNS configuration wrong.

I followed this tutorial: https://www.youtube.com/watch?v=zFuluVTsF14

But instead of putting christianboatersassociation.com for my Route 53, I created a www.christianboatersassociation.com Route 53 zone instead. This mistake prevented the DNS from functioning correctly with GoDaddy.

To fix this, I deleted and re-created the zone without the www., and created www. as a subdomain in Route 53. Once I did that, I configured my nginx to look like this:

server {
    server_name christianboatersassociation.com www.christianboatersassociation.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    root /var/www/christianboatersassociation;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/christianboatersassociation.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/christianboatersassociation.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = christianboatersassociation.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name christianboatersassociation.com www.christianboatersassociation.com;
    return 404; # managed by Certbot


}

And put my index.html into the root directory as specified in the config file above /var/www/christianboatersassociation/index.html.

And it worked once my browser cache was cleared.

4 Likes

Hello, just one last question as I finally have the website up and running.

I continued using static hosting for nginx, but I also added a forwarding route for my backend

www.christianboatersassociation/api/<api routes go here>

That redirects to localhost:3000 on the same computer and returns the user data.

What I am noticing is that I am getting that my certificate is not valid on the website, https is crossed out.

This only happens when my backend is enabled. When disabled, it does not have an invalid certificate problem.

server {
    server_name christianboatersassociation.com www.christianboatersassociation.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location /api/ {  # Assuming API requests are prefixed with '/api'
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location / {
        root /var/www/christianboatersassociation/cba-frontend/dist;
        try_files $uri $uri/ /index.html;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/christianboatersassociation.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/christianboatersassociation.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = christianboatersassociation.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name christianboatersassociation.com www.christianboatersassociation.com;
    return 404; # managed by Certbot
}

The certificate being served for www.christianboatersassociation.com only includes christianboatersassociation.com as a SAN. It's missing www.christianboatersassociation.com.

Is your backend returning content with references in it that are loaded via HTTP rather than HTTPS?

5 Likes
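The mismatch described in this reply (a server_name that no SAN on the served certificate covers) can be checked before a browser complains. This is an added example, not code from the thread: it extracts the hostnames from the posted nginx server block (embedded as constructed input) and compares them against a SAN list, here the one the reply says the certificate carries.

```python
import re

# Constructed input: the server_name line from the nginx config posted above.
NGINX_CONF = """
server {
    server_name christianboatersassociation.com www.christianboatersassociation.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/christianboatersassociation.com/fullchain.pem;
}
"""
# Constructed: the SAN list the reply says the served certificate contains.
CERT_SANS = ["christianboatersassociation.com"]

SERVER_NAME = re.compile(r"^\s*server_name\s+([^;]+);", re.MULTILINE)

def server_names(conf):
    """All hostnames named by server_name directives in an nginx config."""
    names = set()
    for m in SERVER_NAME.finditer(conf):
        names.update(n.lower() for n in m.group(1).split())
    return names

def san_matches(san, host):
    """Exact match, or a single-label wildcard such as *.example.com (RFC 6125 style)."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        # wildcard covers exactly one extra label, so the dot counts must agree
        return host.endswith(suffix) and host.count(".") == san.count(".")
    return san == host

def uncovered_names(conf, sans):
    """server_name hosts no SAN covers; TLS clients will reject these names."""
    return sorted(h for h in server_names(conf)
                  if not any(san_matches(s, h) for s in sans))

if __name__ == "__main__":
    for host in uncovered_names(NGINX_CONF, CERT_SANS):
        print("not covered by the certificate:", host)
```

Any name this reports needs to be added when requesting the certificate (certbot's -d flag takes each name) before the proxy_pass setup is investigated further.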

I have to agree; there is nothing wrong with the location statement, nor with the proxy_pass.

The "problem" must be elsewhere.
Using a name that isn't on the cert would be cause for such an error.
I'd get [and use] a cert with both names on it first.
If the problem persists after that... then we do have a real problem.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.