Certificate Creation Error Digital Ocean


#1

I want to deploy a rails app to my nginx server on Digital Ocean, but before I do that I want to add SSL. I’ve followed the tutorial here but get the following error in Step 2:

Failed authorization procedure. xxx (http-01):urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for xxx, xxx.co.za (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from xxx/.well-known/acme-challenge/d1kKPdePX3MLO6kMt1pAdFets-N0RkQ_ffM3Y5aEBO8 [xxx.xx.xxx.xx]: 404

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: xxx.co.za
Type: unauthorized
Detail: Invalid response from xxx.co.za/.well-known
/acme-challenge/d1kKPdePX3MLO6kMt1pAdFets-N0RkQ_ffM3Y5aEBO8
[xxx.xx.xxx.xx]: 404

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

  • The following errors were reported by the server:

Domain: xxx.co.za
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for xxx.co.za

For privacy reasons I've marked out the IP and domain name. I also ran a dig request, but I'm not sure what this means.

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> xxx.co.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18315
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;xxx.co.za. IN A

;; ANSWER SECTION:
xxx.co.za. 1799 IN A xxx.xx.xxx.xx

;; Query time: 194 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 10 10:55:38 SAST 2016
;; MSG SIZE rcvd: 59

Any suggestions? I did only edit the DNS settings on my domain host about 12 hours ago; is this the problem, should I wait longer? What does the “AUTHORITY: 0” mean? Is this part of the problem? I’ve only worked with Heroku before and they do everything for you; now that I manage the server, it's a bit more complex. Thanks in advance!


#2

AUTHORITY: 0 means that the server dig spoke to (8.8.8.8 which is operated by Google) does not claim to be authoritative about this information, it is relaying what it heard from somewhere else. Usually this isn’t a problem, DNS relies upon caches relaying information they heard from another server and if you really care DNSSEC makes it possible for this to be done without risk of spoofing.

If you’re concerned that your records might be wrong, it can be useful to ask authoritative servers. You will need to find out which servers are authoritative for your domain (perhaps with WHOIS), and tell dig to ask those directly not 8.8.8.8 for this one query. If you suspect a fault somewhere, it’s worth checking each of the listed servers for your domain, to see if they all have the same answer (since they all claim to be authoritative they should definitely agree).

The time you may need to wait depends mostly on TTL records in DNS which set the time a cache is supposed to remember records it sees. Note that the TTL before the change matters, since obviously even if you say now that you want caches to only last 10 minutes, a previous directive to cache for 48 hours can’t expire in less than 48 hours. Plan DNS changes in advance accordingly.


#3

Thanks, this helps me to understand the dig better, but what do you think is causing my error when I’m trying to generate a certificate? Is it the recent changes made to my DNS records?


#4

I’d suspect it’s not the recent change in itself - as the letsencrypt client will always check your authoritative nameservers, not Google or other generic nameservers. Unless of course there is an error with your DNS. Without your domain name though it’s not possible for us to check that. (Your domain name will be made publicly available on the list of issued certificates as soon as you obtain a certificate anyway.)

If you create a file in webroot/.well-known/acme-challenge/test, can you reach it at yourdomain.com/.well-known/acme-challenge/test from a normal public IP address?


#5

No, the rails app says there is no such page. I think I found the solution in comments on the page after loading more comments from the tutorial. Thanks so much!
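The 404 in #1 and #5 is what you get when every request, including the http-01 challenge, is proxied to the Rails app. Below is an added example (not from this thread or any poster) of an nginx server block that answers the challenge directory from a static webroot before anything is proxied; the domain, webroot path and socket path are assumptions to be replaced with the real deployment's values.

```nginx
# Added example, not from this thread. server_name, the webroot and the
# Rails socket path are placeholders / assumptions for illustration.
upstream rails_app {
    server unix:/var/run/rails-app.sock;
}

server {
    listen 80;
    server_name example.co.za;   # placeholder for the poster's domain

    # Serve http-01 challenge tokens from a static directory. The "^~" prefix
    # match takes priority over the "location /" block below, so these
    # requests never reach the Rails router (which otherwise returns 404).
    # Point the ACME client at the same directory, e.g.
    #   certbot certonly --webroot -w /var/www/letsencrypt -d example.co.za
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to the Rails app.
    location / {
        proxy_pass http://rails_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t && nginx -s reload`, the check from #4 (`echo ok > /var/www/letsencrypt/.well-known/acme-challenge/test`, then fetch that path from outside) should return 200 with "ok" rather than the Rails 404 page.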

