Certificate installation issues


#1

Hi there,
Please I need your help!!!
I am trying to install LetsEncrypt certificate on my zimbra server (8.7.0) which is installed on ubuntu 14.04. My domain name is uam.edu.ne. I have been strugling on this for several weeks now but in vain.
After downloading the certificate I cd to Letsencript directory and typed the command below:
./letsencrypt-auto certonly --standalone
When the command executed it returned the following output:

Failed authorization procedure. uam.edu.ne (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for uam.edu.ne

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: uam.edu.ne
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for uam.edu.ne

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Please help me.
thank you in advance


#2

There’s your problem–the Let’s Encrypt servers couldn’t find any DNS record for your hostname, because they couldn’t connect to the authoritative nameserver for your hostname. I note that you have only one nameserver record, which is generally a bad idea, and that you’re running it yourself (indeed, on the same machine), which is also often a bad idea. But with that said, I’m now able to connect to your nameserver, and it does respond to queries for your hostname–what happens if you try again?


#3

I think the problem is possibly:

uam.edu.ne has IPv6 address ::1

In IPv6 this refers to localhost. So it’s not really the correct IPv6 address under which other people can reach the site.

While this wouldn’t normally cause a SERVFAIL error in particular, it’s still a serious DNS problem because the Let’s Encrypt CA now does support, and perform, validations over IPv6. So if you give ::1 as your IPv6 address instead of a correct publicly-reachable IPv6 address, I imagine that would cause problems too.


#4

I just tried to issue a (staging) certificate for that site, and the DNS worked. Of course validation failed because i don’t control your website, but the DNS part functioned correctly.

http://dnsviz.net/d/uam.edu.ne/dnssec/

The DNS servers for the .ne TLD look buggy and/or unreliable. Which may partly or entirely be because of the distance between Africa and US services.

What happens if you try again? It may have just been a temporary issue that will work if you give it a couple tries.

You should still remove that ::1 AAAA record so it doesn’t cause problems for your site’s visitors, though.


#5

Hi mnordhoff,
Thank you very much for your prompt response.
As you suggested we have removed the ::1 AAAA record and gave it several tries but unfortunately we continue having the same error message as follows:

Failed authorization procedure. uam.edu.ne (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for uam.edu.ne

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: uam.edu.ne
Domain: uam.edu.ne
Type: connection
Detail: DNS problem: SERVFAIL looking up A for uam.edu.ne

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.


#6

Hi mnordhoff,
Thank you very much for your prompt response.As you suggested we have removed the ::1 AAAA record and gave it several tries but unfortunately we got another error message as follows:


Failed authorization procedure. uam.edu.ne (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 41.138.51.99:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: uam.edu.ne
    Type: connection
    Detail: Failed to connect to 41.138.51.99:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


Best regards!!!


#7

The TLS-SNI-01 connection failure shows that it got further than before! That’s a new problem!


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.