Certificate DNS problem

My domain is:
herdtrails.com, www.herdtrails.com

I ran this command:
sudo -H /opt/letsencrypt/letsencrypt-auto certonly --standalone -d herdtrails.com -d www.herdtrails.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for herdtrails.com
http-01 challenge for www.herdtrails.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.herdtrails.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.herdtrails.com, herdtrails.com (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for herdtrails.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: herdtrails.com
    Type: unknownHost
    Detail: No valid IP addresses found for herdtrails.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: www.herdtrails.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up A for www.herdtrails.com

My web server is (include version):
Amazon Linux AMI
amzn-ami-hvm-2017.09.0.20170930-x86_64-gp2 (ami-1a7f6d7e)
https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
AWS, Route 53

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
n/a

Hi @AskBid

Checking your domain ( https://check-your-website.server-daten.de/?q=herdtrails.com ), there is no IP address defined. Not IPv4, not IPv6.

Host                 T      IP-Address    is auth.   ∑ Queries   ∑ Timeout
herdtrails.com       A                    yes        1           0
                     AAAA                 yes
www.herdtrails.com          Name Error    yes        1           0

So you can't use http-01 validation.

You need webspace and a running webserver if you want to use http-01 validation.

You can use dns-01 validation, but then you have to create a DNS TXT entry.

Isn't an EC2 instance with nginx good for the job?

But your domain isn't publicly visible. So Letsencrypt can't validate that you are the domain owner.

Why is it not visible?

Maybe it takes time after registration?

I am not an expert; I simply followed this tutorial:

All because I was trying to get CORS support for this JSON file I am trying to use in Observablehq:

I guess I simply have to give up as I don’t have enough knowledge to set up such a thing

The first link has something:

You should have four record sets now, two of Type “A”, one “NS” and one “SOA”. The values for “NS” are your Name Servers.

Did you create such an A record? I must be able to see your A record, and Letsencrypt must be able to see your A record.

I think http://herdtrails.com works now?

Then recheck your domain https://check-your-website.server-daten.de/?q=herdtrails.com - then you will see if the tool is able to see your domain.

If yes, then try to create a new certificate.

Nameserver entries are cached, but the tool and Letsencrypt check the authoritative name server.

I tried without www:

[root@me ec2-user]# sudo -H /opt/letsencrypt/letsencrypt-auto certonly --standalone -d herdtrails.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for herdtrails.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Does it mean that it is the same problem as before? In that case I have no idea how to proceed.

But at least now http://herdtrails.com works.

If you have a running webserver, why do you use standalone? Standalone starts its own webserver, but then port 80 must be free. But your webserver blocks port 80.

Please read the basics:

1 Like
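Both failures in this thread (names that resolve to nothing, and port 80 already held by the running webserver when the standalone plugin tries to listen) can be caught before certbot is run. The following pre-flight script is an added example, not code from the thread or from Certbot; the names `resolve_addresses`, `port_is_free` and `preflight` are my own, and the `resolver` parameter exists so the DNS lookup can be swapped for a fixed table when testing offline.

```python
"""Pre-flight for an ACME http-01 request (added example, not from the thread or Certbot).

Checks the two preconditions that failed in this thread before certbot is run:
  1. every requested name resolves to at least one address (otherwise the CA
     reports unknownHost / NXDOMAIN, as in the first post), and
  2. port 80 can be bound locally (otherwise --standalone fails with
     "Problem binding to port 80" and --webroot or --nginx must be used).
"""
import socket
from typing import Callable, Dict, List

# A resolver maps a hostname to the list of addresses it resolves to ([] if none).
Resolver = Callable[[str], List[str]]


def resolve_addresses(name: str) -> List[str]:
    """Addresses the local resolver returns for a name; [] on NXDOMAIN or no A/AAAA."""
    try:
        infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_is_free(port: int = 80, host: str = "") -> bool:
    """True if this process can bind the port itself, i.e. standalone could listen there.

    Binding port 80 needs root, so the check must run as the same user certbot will.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except PermissionError:
            raise PermissionError("binding port %d needs root; rerun with sudo" % port)
        except OSError:
            # EADDRINUSE: another listener (e.g. nginx) already owns the port.
            return False
    return True


def preflight(names: List[str], resolver: Resolver = resolve_addresses,
              port: int = 80) -> Dict[str, object]:
    """Resolve every name, test the port, and return a report with one advice string."""
    addresses = {name: resolver(name) for name in names}
    missing = [name for name, addrs in addresses.items() if not addrs]
    free = port_is_free(port)
    if missing:
        advice = "fix the A/AAAA records for: " + ", ".join(missing)
    elif not free:
        advice = ("port %d is already in use; keep the running webserver and use "
                  "--webroot -w <docroot> (or --nginx) instead of --standalone" % port)
    else:
        advice = "http-01 with --standalone should work"
    return {"addresses": addresses, "missing": missing, "port_free": free, "advice": advice}


if __name__ == "__main__":
    import json
    # Sample input: the thread's two names. Needs network, and root for port 80.
    print(json.dumps(preflight(["herdtrails.com", "www.herdtrails.com"]), indent=2))
```

Run it as root on the instance before requesting a certificate; an empty address list for a name means Let's Encrypt's validation server will not be able to reach it either, and `port_free: false` means the standalone plugin will fail exactly as shown above.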

I see, now you have created a certificate.

Most is OK, but rechecking your domain ( https://check-your-website.server-daten.de/?q=herdtrails.com ) there is one thing:

Domainname                    IP-Address      Http-Status   redirect   Sec.    G
http://herdtrails.com/        52.56.73.140    200                      0.054   H
http://www.herdtrails.com/    52.56.73.140    200                      0.050   H
https://herdtrails.com/       52.56.73.140    200                      1.530   B
https://www.herdtrails.com/   52.56.73.140    200                      1.293   N
                              Certificate error: RemoteCertificateNameMismatch

You have created two DNS A entries, with non-www (herdtrails.com) and www. But your certificate has only one domain name:

CN=herdtrails.com
    02.02.2019
    03.05.2019
    herdtrails.com - 1 entry

So your www version isn't secure.

So create one certificate with both domain names and use that instead. Change your working command to something like

-d herdtrails.com -d www.herdtrails.com

then one certificate with both domain names is created.

1 Like
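To confirm that the certificate a server presents covers every hostname it serves (the RemoteCertificateNameMismatch reported above), the following added example, my code rather than the thread's or Certbot's, takes the decoded certificate dict that Python's `ssl` module returns from `getpeercert()` and lists the requested names it does not cover, applying the single-label wildcard rule. `THREAD_CERT` is a constructed dict reproducing the one-name certificate shown above; `fetch_peercert` and the other function names are my own.

```python
"""Check which requested hostnames a TLS certificate does NOT cover.

Added example, not from the thread or Certbot. Works on the dict format that
ssl.SSLSocket.getpeercert() returns, so it can be exercised offline with a
constructed certificate and used live via fetch_peercert().
"""
import socket
import ssl
from typing import Iterable, List

# Constructed to mirror the certificate in the thread: CN=herdtrails.com,
# a single SAN entry, valid 02.02.2019 - 03.05.2019 (dates as in the thread).
THREAD_CERT = {
    "subject": ((("commonName", "herdtrails.com"),),),
    "subjectAltName": (("DNS", "herdtrails.com"),),
    "notBefore": "Feb  2 00:00:00 2019 GMT",
    "notAfter": "May  3 00:00:00 2019 GMT",
}


def san_dns_names(peercert: dict) -> List[str]:
    """dNSName entries from subjectAltName; fall back to the CN only when SAN is absent."""
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*.' covers exactly one leftmost label, never the apex."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def uncovered_names(peercert: dict, requested: Iterable[str]) -> List[str]:
    """Requested hostnames that no SAN (or fallback CN) entry in the certificate matches."""
    names = san_dns_names(peercert)
    return [host for host in requested if not any(name_matches(n, host) for n in names)]


def fetch_peercert(host: str, port: int = 443) -> dict:
    """Live variant: TLS handshake with SNI for `host`, returning the decoded leaf certificate.

    Chain validation stays on; only the hostname check is disabled so that we can
    report *which* names are missing instead of failing on the first mismatch.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    wanted = ["herdtrails.com", "www.herdtrails.com"]
    # Offline: the constructed certificate from the thread covers only the apex name.
    print("constructed cert, uncovered:", uncovered_names(THREAD_CERT, wanted))
    # Live (needs network): what the server at www.herdtrails.com actually presents.
    # print(uncovered_names(fetch_peercert("www.herdtrails.com"), wanted))
```

The fix the reply describes, one certificate issued with both `-d` names, shows up here as an empty result from `uncovered_names`; a wildcard `*.herdtrails.com` entry would cover `www` but still not the apex, which is why both names are listed explicitly.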
