[Closed] Problem with alias domain - DNS problem: NXDOMAIN looking up A for


#1

Hello,

I am trying to set up a certificate for 2 vhosts on the same VM.
Since I’m not sure how to explain it clearly, I’m gonna explain it thoroughly.

I have 2 domains (larez.fr and rez-gif.supelec.fr) strictly equivalent, my VM name is poe (accessible with both domains). I want to set up 2 websites named agendav and davical (with larez.fr and rez-gif.supelec.fr). When I try to create the certificate with letsencrypt-auto certonly I get the following error for the domains in larez.fr:

Failed authorization procedure. agendav.larez.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for agendav.larez.fr, davical.larez.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for davical.larez.fr
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: agendav.larez.fr
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for agendav.larez.fr
   Domain: davical.larez.fr
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for davical.larez.fr

When I do a dig agendav.larez.fr A from a server outside of this network I get the following:

; <<>> DiG 9.9.5-9ubuntu0.5-Ubuntu <<>> agendav.larez.fr A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40826
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;agendav.larez.fr.        IN    A
;; ANSWER SECTION:
agendav.larez.fr.    84725    IN    CNAME    poe.rez-gif.supelec.fr.
poe.rez-gif.supelec.fr.    84719    IN    A    160.228.152.124
;; AUTHORITY SECTION:
rez-gif.supelec.fr.    84696    IN    NS    ns2.rez-gif.supelec.fr.
rez-gif.supelec.fr.    84696    IN    NS    ns.rez-gif.supelec.fr.
;; ADDITIONAL SECTION:
ns.rez-gif.supelec.fr.    84696    IN    A    160.228.152.1
ns2.rez-gif.supelec.fr.    84696    IN    A    160.228.152.66
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 17 22:41:16 CET 2016
;; MSG SIZE  rcvd: 162

For davical.larez.fr I have a similar answer.
I am not an expert in sysadmin at all so I’m not sure if that’s enough, too much or whatever ^^

Thanks if you can help me!
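Before retrying the request, it is worth confirming from the dig output itself that the CNAME chain actually ends in an A record, since the ACME server's validation step needs to reach that address. The script below is an added example, not part of the original post or of the Let's Encrypt tooling; it parses the ANSWER section of dig output (the answer quoted in post #1 is embedded as the sample input) and follows the CNAME chain to the final A record, reporting a dead end where the chain does not terminate in the output.

```python
import re
from typing import List, Tuple

# Sample input: the dig answer for agendav.larez.fr quoted in the post above.
SAMPLE_DIG = """
;; QUESTION SECTION:
;agendav.larez.fr.        IN    A
;; ANSWER SECTION:
agendav.larez.fr.    84725    IN    CNAME    poe.rez-gif.supelec.fr.
poe.rez-gif.supelec.fr.    84719    IN    A    160.228.152.124
;; AUTHORITY SECTION:
rez-gif.supelec.fr.    84696    IN    NS    ns2.rez-gif.supelec.fr.
rez-gif.supelec.fr.    84696    IN    NS    ns.rez-gif.supelec.fr.
;; ADDITIONAL SECTION:
ns.rez-gif.supelec.fr.    84696    IN    A    160.228.152.1
ns2.rez-gif.supelec.fr.    84696    IN    A    160.228.152.66
;; Query time: 1 msec
"""

# One resource record line as dig prints it: owner, TTL, class, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

Record = Tuple[str, str, str]  # (owner, type, rdata), names lower-cased


def parse_answer_section(dig_output: str) -> List[Record]:
    """Return the resource records from the ANSWER SECTION of dig output.

    Records from AUTHORITY and ADDITIONAL are deliberately ignored: glue or
    NS data there says nothing about whether the queried name resolves.
    """
    records: List[Record] = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answer
            in_answer = False
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records


def _fqdn(name: str) -> str:
    """Normalise a name to the trailing-dot form dig uses."""
    return name.lower().rstrip(".") + "."


def resolve_a(records: List[Record], name: str, max_hops: int = 8):
    """Follow CNAMEs from `name` until an A record is found.

    Returns (final_name, list_of_ipv4, chain_of_names). An empty IP list
    means the chain dead-ends in this output, which is what a validator
    sees as NXDOMAIN/NODATA at that hop.
    """
    current = _fqdn(name)
    chain = [current]
    for _ in range(max_hops):
        ips = [rd for owner, rt, rd in records if owner == current and rt == "A"]
        if ips:
            return current, ips, chain
        cnames = [rd for owner, rt, rd in records if owner == current and rt == "CNAME"]
        if not cnames:
            return current, [], chain
        current = _fqdn(cnames[0])
        chain.append(current)
    raise ValueError("CNAME chain exceeded %d hops" % max_hops)


def resolves_to(dig_output: str, name: str, expected_ip: str) -> bool:
    """True if `name` ends, via any CNAMEs, at `expected_ip` in this dig output."""
    _final, ips, _chain = resolve_a(parse_answer_section(dig_output), name)
    return expected_ip in ips


if __name__ == "__main__":
    recs = parse_answer_section(SAMPLE_DIG)
    final, ips, chain = resolve_a(recs, "agendav.larez.fr")
    print(" -> ".join(chain), "=>", ips or "no A record in answer")
```

Run it against `dig <name> A` output captured from a host outside your own network (as the post does), so the answer reflects what a public resolver sees rather than local zone data; the vhost is only validatable if the chain ends at the address the web server actually listens on.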


#2

Probably because LE doesn’t follow CNAME’s…


#3

Oh… I see how that would be a problem. I haven’t followed LE development very closely, but is it a voluntary choice or just that it’s not yet possible?


#4

Don’t have a clue to be honest… You could search GitHub for issues et cetera.


#5

I just talked to one of the CA developers, @jsha, who said that Let’s Encrypt does follow (and accept) CNAMEs, so a problem with CNAMES is symptomatic of some other problem – not a policy issue.


#6

Thank you very much, do you know what I can do figure out the source of the problem or at least determine if the error is there because of how the DNS server is set up?


#7

This looks to me like a boulder bug. We’ll look into it: https://github.com/letsencrypt/boulder/issues/1516.


#8

Thanks, I will follow the issue to add details about my situation if you need any.


#9

I’ve tried to reproduce this locally using the same set up as prod (unbound resolver). But I can’t reproduce. Similarly, production seems to resolve your domain name fine now. Has anything changed about your setup since you last tried to issue? Could you try again now and see if it still reproduces?

Thanks,
Jacob


#10

I will try this as soon as I can (I just hit the maximum number of certificate issued for the last 7 days).


#11

Okay. You can also try against staging with the --staging flag.


#12

I tried on a different server with a really similar setup and there was no error. I don’t think anything has changed recently but I will try again in a few days on my test and production server just to be sure.


#13

3 posts were split to a new topic: Problem completing challenge


#14

Well I tried to deploy a few other certificates and none seemed to encounter this problem so I guess it may have been a problem with my DNS.