Certbot says no dns record. all nameservers respond ok


#1

I’m trying to register a private NextCloud server at home, and I have created a new record which can be resolved by all the nameservers, and still Let’s Encrypt says it can’t.

Is it because it’s a 192.168.0 address and it’s not allowed in lets encrypt?

root@ncserver:/etc/apache2# host -t ns militant.dk
militant.dk name server ns1.unoeuro.com.
militant.dk name server ns2.unoeuro.com.
militant.dk name server ns3.unoeuro.com.
root@ncserver:/etc/apache2# nslookup skyen.militant.dk ns1.unoeuro.com.
Server: ns1.unoeuro.com.
Address: 46.36.215.2#53

Name: skyen.militant.dk
Address: 192.168.8.117

root@ncserver:/etc/apache2# nslookup skyen.militant.dk ns2.unoeuro.com.
Server: ns2.unoeuro.com.
Address: 93.191.156.2#53

Name: skyen.militant.dk
Address: 192.168.8.117

root@ncserver:/etc/apache2# nslookup skyen.militant.dk ns3.unoeuro.com.
Server: ns3.unoeuro.com.
Address: 83.217.78.186#53

Name: skyen.militant.dk
Address: 192.168.8.117

root@ncserver:/etc/apache2# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: skyen.militant.dk

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for skyen.militant.dk
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. skyen.militant.dk (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for skyen.militant.dk

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: skyen.militant.dk
    Type: unknownHost
    Detail: No valid IP addresses found for skyen.militant.dk

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
root@ncserver:/etc/apache2#


#2

With the method you’re trying to authenticate your hostname for, that’s correct. Let’s Encrypt needs to connect to the IP address for the http-01 challenge.

You might be interested in using the dns-01 challenge, but how to implement it depends on your DNS provider: does it provide you with an API or not?
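
A small pre-flight check, added here as an example and not code from any post in this thread: it parses nslookup output of the same shape as in post #1 (the sample below is constructed, not a live query) and reports whether any of the answer addresses is one a public CA validator can actually connect to for http-01. The function names are my own; the classification relies on Python's `ipaddress.is_global`, which is False for RFC 1918, loopback, link-local and ULA ranges.

```python
import ipaddress
import re

# Constructed sample in the same layout as the nslookup output in post #1.
NSLOOKUP_OUTPUT = """Server: ns1.unoeuro.com.
Address: 46.36.215.2#53

Name: skyen.militant.dk
Address: 192.168.8.117
"""

ADDR_RE = re.compile(r"^Address:\s*(\S+)\s*$", re.MULTILINE)


def answer_addresses(nslookup_text):
    """Return only the addresses of the queried name.

    The 'Server:' block lists the resolver itself (with a '#port' suffix);
    everything after the first 'Name:' line is the answer section.
    """
    if "Name:" not in nslookup_text:
        return []
    answers = nslookup_text.split("Name:", 1)[1]
    return [a.split("#")[0] for a in ADDR_RE.findall(answers)]


def http01_reachable(addresses):
    """Split addresses into globally routable ones and ones a CA cannot reach.

    A name whose only records are private (e.g. 192.168.8.117) yields no usable
    address, which is what certbot reports as 'No valid IP addresses found'.
    """
    usable, unusable = [], []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            unusable.append(addr)
            continue
        (usable if ip.is_global else unusable).append(addr)
    return usable, unusable


def preflight(nslookup_text):
    """Summarise whether http-01 can work, or whether dns-01 is needed."""
    usable, unusable = http01_reachable(answer_addresses(nslookup_text))
    if usable:
        return "http-01 possible via " + ", ".join(usable)
    return "no valid IP addresses for http-01 (" + ", ".join(unusable) + "); use dns-01"
```

Running `preflight` on the sample above returns the dns-01 recommendation; on a name with a public A record it names the reachable address instead.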


#3

Unoeuro.com has support for Let’s Encrypt. In what way I don’t know right now; DNS does not seem to work. Do I need a special package for that?

root@ncserver:/etc/apache2# certbot --apache --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: skyen.militant.dk

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin
root@ncserver:/etc/apache2#


#4

The apache plugin doesn’t work with the dns-01 challenge directly unfortunately.

The fact unoeuro supports Let’s Encrypt doesn’t actually mean they have an API for their DNS services though. You might want to check that out.

In the meantime, if you don’t mind doing the whole exercise again within 90 days (the lifetime of a Let’s Encrypt certificate), you can use dns-01 with the manual authenticator plugin:

certbot -i apache -a manual --preferred-challenges dns-01 -d skyen.militant.dk


#5

I’m only using the server for encryption on my local network at home, so no need for trusting something beyond self-signing. I just wanted to try the smartness of automated renewal.

I think I’m going to use a self-signed 10 year certificate instead.

Thank you so much for your help

Sincerely
Max
