Certificate DNS problem


#1

My domain is:
herdtrails.com, www.herdtrails.com

I ran this command:
sudo -H /opt/letsencrypt/letsencrypt-auto certonly --standalone -d herdtrails.com -d www.herdtrails.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for herdtrails.com
http-01 challenge for www.herdtrails.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.herdtrails.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.herdtrails.com, herdtrails.com (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for herdtrails.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: herdtrails.com
    Type: unknownHost
    Detail: No valid IP addresses found for herdtrails.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: www.herdtrails.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up A for www.herdtrails.com

My web server is (include version):
Amazon Linux AMI
amzn-ami-hvm-2017.09.0.20170930-x86_64-gp2 (ami-1a7f6d7e)
https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
AWS, Route 53

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
n/a


DNS problem: NXDOMAIN looking up A for domain name
#2

Hi @AskBid

checking your domain ( https://check-your-website.server-daten.de/?q=herdtrails.com ) there is no IP address defined. Not IPv4, not IPv6.

Host                T           IP-Address   is auth.   ∑ Queries   ∑ Timeout
herdtrails.com      A                        yes        1           0
                    AAAA                     yes
www.herdtrails.com  Name Error               yes        1           0

So you can't use http-01 validation.

You need webspace and a running webserver if you want to use http-01 validation.

You can use dns-01 validation, but then you have to create a dns txt entry.


#3

Isn't an EC2 instance with nginx good for the job?


#4

But your domain isn't publicly visible. So Letsencrypt can't validate that you are the domain owner.


#5

Why is it not visible?

Maybe it takes time after registration?

I am not an expert; I simply followed this tutorial:

all because I was trying to get CORS support for this JSON file I am trying to use in Observablehq:

I guess I simply have to give up as I don’t have enough knowledge to set up such a thing


#6

The first link has something:

You should have four record sets now, two of Type “A”, one “NS” and one “SOA”. The values for “NS” are your Name Servers.

Did you create such an A record? I must be able to see your A record, Letsencrypt must be able to see your A-record.


#7

I think http://herdtrails.com works now?


#8

Then recheck your domain https://check-your-website.server-daten.de/?q=herdtrails.com - then you will see, if the tool is able to see your domain.

If yes, then try to create a new certificate.

Nameserver entries are cached, but the tool and Letsencrypt check the authoritative name server.
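The point made in #2 and #8 is that Let's Encrypt does not use your cached resolver: it asks the zone's authoritative nameservers, and a name that "works" locally can still be NXDOMAIN (the `urn:ietf:params:acme:error:dns` error) or exist with no address record (the `unknownHost` / "No valid IP addresses found" error) there. The script below is an added example, not code from the thread; it walks up from each name to the enclosing zone, queries every authoritative server directly for A and AAAA, and classifies each answer with the same two labels certbot printed in #1. It assumes `dig` is installed.

```shell
#!/bin/sh
# check_dns.sh (added example): verify, against the zone's AUTHORITATIVE
# nameservers, that every name you will pass to certbot has an A or AAAA
# record. Assumes `dig` (dnsutils / bind-utils) is installed.

# Extract the response code from `dig +noall +comments` output on stdin.
parse_status() {
  sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Map (status, number of address records) to the two ACME error types seen
# in the thread: NXDOMAIN -> error:dns, NOERROR with no address -> unknownHost.
classify() {
  case "$1:$2" in
    NXDOMAIN:*) printf 'dns: NXDOMAIN (name does not exist in the zone)\n' ;;
    NOERROR:0)  printf 'unknownHost: no valid IP address (name exists, no record of this type)\n' ;;
    NOERROR:*)  printf 'ok (%s record(s))\n' "$2" ;;
    *)          printf 'error: status %s\n' "${1:-no response}" ;;
  esac
}

# Closest enclosing zone that has NS records (herdtrails.com for both
# herdtrails.com and www.herdtrails.com). For an unregistered domain this
# walks up to the TLD, whose servers then correctly answer NXDOMAIN.
zone_of() {
  z=$1
  while [ -n "$z" ]; do
    if [ -n "$(dig +short NS "$z")" ]; then printf '%s\n' "$z"; return 0; fi
    case "$z" in *.*) z=${z#*.} ;; *) break ;; esac
  done
  return 1
}

# Ask each authoritative server, non-recursively, for A and AAAA and print
# one classified line per (server, type).
check_name() {
  name=$1
  zone=$(zone_of "$name") || { printf '%s: no zone with NS records found\n' "$name"; return 1; }
  for ns in $(dig +short NS "$zone"); do
    for type in A AAAA; do
      out=$(dig +norecurse +time=3 +tries=1 +noall +comments +answer @"$ns" "$name" "$type")
      status=$(printf '%s\n' "$out" | parse_status)
      count=$(printf '%s\n' "$out" | grep -c "IN[[:space:]]*$type[[:space:]]" || true)
      printf '%-22s %-5s @%-28s %s\n' "$name" "$type" "$ns" "$(classify "$status" "$count")"
    done
  done
}

# Usage: ./check_dns.sh herdtrails.com www.herdtrails.com
for n in "$@"; do check_name "$n"; done
```

Run it with the exact names you intend to give `-d`; only lines reading `ok` for at least one of A/AAAA on every authoritative server mean http-01 can proceed. Because the query goes straight to the authoritative servers with `+norecurse`, a fresh record shows up here the moment Route 53 publishes it, regardless of what your local resolver still has cached.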


#9

I tried without www:

[root@me ec2-user]# sudo -H /opt/letsencrypt/letsencrypt-auto certonly --standalone -d herdtrails.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for herdtrails.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Does it mean that it is the same problem as before? In that case I have no idea how to proceed.

But at least now http://herdtrails.com works.


#10

If you have a running webserver, why do you use standalone? Standalone starts its own webserver, but then port 80 must be free. But your webserver blocks port 80.

Please read the basics:


#11

I see, now you have created a certificate.

Most is ok, but rechecking your domain ( https://check-your-website.server-daten.de/?q=herdtrails.com ) there is one thing:

Domainname                    IP            Http-Status  redirect  Sec.   G
http://herdtrails.com/        52.56.73.140  200                    0.054  H
http://www.herdtrails.com/    52.56.73.140  200                    0.050  H
https://herdtrails.com/       52.56.73.140  200                    1.530  B
https://www.herdtrails.com/   52.56.73.140  200                    1.293  N
                                            Certificate error: RemoteCertificateNameMismatch

You have created two dns A entries. With non-www (herdtrails.com) and www. But your certificate has only one domain name:

CN=herdtrails.com
    valid from 02.02.2019 to 03.05.2019
    herdtrails.com - 1 entry

So your www - version isn’t secure.

So create one certificate with both domain names and use that instead. Change your working command to something like

-d herdtrails.com -d www.herdtrails.com

then one certificate with both domain names is created.
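Putting #10 and #11 together: leave nginx on port 80, let certbot use the webroot method instead of `--standalone`, request one certificate with both `-d` names, and then check that what nginx actually serves on 443 covers both names (the `RemoteCertificateNameMismatch` above is exactly the case where it does not). The script below is an added example and not code from the thread. It assumes letsencrypt-auto lives at `/opt/letsencrypt/letsencrypt-auto` (as in #1), that nginx reads `/etc/nginx/conf.d/*.conf`, and that `/var/www/herdtrails` is the webroot; adjust those paths to your host.

```shell
#!/bin/sh
# issue_both.sh (added example): one certificate for both names without
# stopping nginx, then verification of the served certificate's SAN list.
# Assumed paths: CERTBOT, WEBROOT and the nginx conf.d directory below.
set -eu

DOMAINS="herdtrails.com www.herdtrails.com"
WEBROOT=/var/www/herdtrails
CERTBOT=/opt/letsencrypt/letsencrypt-auto
LIVE=/etc/letsencrypt/live/herdtrails.com   # certbot names the lineage after the first -d

# "-d a -d b" from a whitespace-separated list of names.
domain_args() {
  args=""
  for d in $1; do args="$args -d $d"; done
  printf '%s\n' "${args# }"
}

# Port-80 server for BOTH names: serve the ACME token files from the webroot
# and redirect everything else to https. No certificate is needed yet.
write_http_server_block() {
  cat > "$1" <<EOF
server {
    listen 80;
    server_name $DOMAINS;
    location /.well-known/acme-challenge/ { root $WEBROOT; }
    location / { return 301 https://\$host\$request_uri; }
}
EOF
}

# Port-443 server for both names, using the combined certificate.
write_https_server_block() {
  cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $DOMAINS;
    ssl_certificate     $LIVE/fullchain.pem;
    ssl_certificate_key $LIVE/privkey.pem;
    root $WEBROOT;
}
EOF
}

# --webroot writes the challenge file into the webroot and nginx serves it,
# so certbot never needs to bind port 80 (the "Problem binding" error in #9
# cannot occur). Both names go into one certificate.
issue() {
  mkdir -p "$WEBROOT/.well-known/acme-challenge"
  # word splitting of domain_args output is intended
  sudo -H "$CERTBOT" certonly --webroot -w "$WEBROOT" $(domain_args "$DOMAINS")
}

# Names in $2 (space separated) that the SAN list $1 (e.g. "DNS:a, DNS:b")
# does not cover, one per line; returns 1 if any are missing.
missing_sans() {
  sans=",$(printf '%s' "$1" | tr -d ' '),"
  rc=0
  for d in $2; do
    case "$sans" in
      *",DNS:$d,"*) ;;
      *) printf '%s\n' "$d"; rc=1 ;;
    esac
  done
  return $rc
}

# Connect with each name as SNI, as a browser would, and compare the served
# certificate's SAN list with the names we need.
verify() {
  for d in $DOMAINS; do
    sans=$(openssl s_client -servername "$d" -connect "$d:443" </dev/null 2>/dev/null \
           | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
    if missing_sans "$sans" "$DOMAINS" >/dev/null; then
      printf '%s: served certificate covers all names\n' "$d"
    else
      printf '%s: served certificate is missing: %s\n' "$d" "$(missing_sans "$sans" "$DOMAINS" | tr '\n' ' ')"
    fi
  done
}

# Usage, in this order:
#   ./issue_both.sh http     # write the port-80 block, then: nginx -t && nginx -s reload
#   ./issue_both.sh issue    # obtain one certificate for both names
#   ./issue_both.sh https    # write the port-443 block, then reload nginx again
#   ./issue_both.sh verify   # confirm both names are covered
case "${1-}" in
  http)   write_http_server_block  /etc/nginx/conf.d/herdtrails-http.conf ;;
  issue)  issue ;;
  https)  write_https_server_block /etc/nginx/conf.d/herdtrails-https.conf ;;
  verify) verify ;;
esac
```

The order matters: the port-80 block must be live before `issue`, and the port-443 block must not be loaded before the certificate files exist or `nginx -t` will fail. `verify` checks the certificate nginx really hands out per SNI name, not the file on disk, which is the check that would have caught the www mismatch in #11.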

