Could Not find A record

My domain is:
http://www.yor.gr/
I ran this command:
sudo certbot --nginx -d yor.gr -d www.yor.gr

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: yor.gr
Type: dns
Detail: DNS problem: SERVFAIL looking up A for yor.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for yor.gr - the domain's nameservers may be malfunctioning
My web server is (include version):
nginx version: nginx/1.24.0 (Ubuntu)
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
Distributor ID: Ubuntu
Description: Ubuntu 23.10
Release: 23.10
Codename: mantic
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.1.0

Certbot cannot find A record for yor.gr - the error message informs me. I use Digital Ocean as a hoster.

There is something that caught my attention. In the Digital Ocean control panel I can create an A record for www.yor.gr but not for yor.gr - input validation does not allow me to do so. I cannot understand why.

And I do not know if what I am describing above is the cause of the issue.
So you could say this is a DO problem; I am posting here first just to make sure it is not something else.

Thanks

It's not DO.

It's your nameservers. Did you update them in the gr. zone? (From your registrar's interface)

https://dnsviz.net/d/yor.gr/dnssec/

2 Likes

I do not quite understand what you are trying to say.
In my domain registrar I have only entered the nameservers of DO...nothing else.

Are you implying I should do something like that?

  • ns3.digitalocean.com.gr

Whatever nameservers are authoritative for your domain need to respond with an A record, pointing to the appropriate IP address. Right now, it doesn't look like you have any authoritative nameservers for your domain--you need to fix that, likely with whoever you bought the domain from:

$ dig ns yor.gr

; <<>> DiG 9.10.6 <<>> ns yor.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19705
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yor.gr.				IN	NS

;; Query time: 1284 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Dec 07 08:20:46 EST 2023
;; MSG SIZE  rcvd: 35
5 Likes

I know I do not have A record for yor.gr....I am just trying to find out the reason. DO does not let me create A record for yor.gr....I can only create A record for www.yor.gr.

That's important, and you need to figure out how to fix it, but it's less important than the fact that you don't have NS records. NS records tell the Internet what nameservers it should use to resolve your domain, and there are no such records. Without them, you can do whatever you want on DO, and it won't have any effect.

5 Likes

Can't you input yor.gr. as the entry for the A record? Notice the single dot at the end.

2 Likes

See for yourself....see what happens.

yor.gr becomes yor.gr.www.yor.gr

And a @?

(Weird by the way, where does the www suddenly come from? Doesn't make sense..)

3 Likes

I do have NS records....link

If I didn't, www.yor.gr would be inaccessible.

Weird. Why do all those domains have www in front of them? Even the CAA RR? That's very weird.

Is your entire DNS zone perhaps for www.yor.gr? (Which would be weird.)

If I request the SOA RR for yor.gr on ns1.digitalocean.com it says REFUSED. But when I search for the SOA RR for www.yor.gr, it answers with a SOA RR.

Why do you have your SOA RR set for the www subdomain and not yor.gr?

2 Likes

Typing @ just prints the entire address...link

Yeah, your DNS zone is misconfigured. I have no clue how that works with DigitalOcean, but for some reason you only have access to the DNS zone for www.yor.gr and DigitalOcean thinks the DNS zone for yor.gr does not exist. At least not on their DNS servers.

You want a DNS zone for yor.gr where you can add things for yor.gr and also the subdomain www.

4 Likes

Sorry...I cannot follow you....if you could elaborate a little.

1 Like

How am I supposed to do that?...I have no idea at all.

DNS is separated into "zones". For simple setups you've got the root zone ., the TLD zone (gr.) and the zone for the domain name (yor.gr). Each has its own SOA RR. Within a zone you can have multiple subdomains. For TLDs this would be new/other zones with their own SOA RR, but for a simple domain such as yor.gr, that zone would just have some subdomains like www with an A or perhaps a CAA RR for the zone origin itself (e.g. yor.gr).

For some reason, DigitalOcean does not think the yor.gr domain is a DNS zone on their DNS servers. It seems you can only change things within the DNS zone www.yor.gr which usually is not even a complete DNS zone, but just a single A RR or sometimes perhaps an extra AAAA RR. Not a complete DNS zone with SOA RR and NS RRs.

I don't know either. :man_shrugging:t2: I don't have any experience with DigitalOcean, I have no clue what their configuration system looks like, which options you have. Or not have. You might need to contact Digital Ocean about this.

Looking at https://docs.digitalocean.com/products/networking/dns/how-to/add-domains/:

Did you perhaps enter www.yor.gr when you added your domain to the Digital Ocean domains in your control panel? Instead of just yor.gr?

4 Likes
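
The SOA comparison used in the posts above (REFUSED for yor.gr, an SOA answer for www.yor.gr) can be scripted. This is an added example, not part of any post in the thread: the function names are hypothetical, the sample dig output is constructed with made-up SOA field values, and `zone_check` is the live form that needs `dig` and network access.

```shell
#!/bin/sh
# rcode_of TEXT: RCODE from dig's ";; ->>HEADER<<-" line (NOERROR, REFUSED, ...).
rcode_of() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# has_soa TEXT NAME: succeeds if TEXT holds an SOA record owned by NAME itself.
has_soa() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | grep -Eq "^${name}\.[[:space:]].*[[:space:]]SOA[[:space:]]"
}

# classify APEX APEX_TEXT WWW_TEXT: verdict from two SOA replies of one server.
classify() {
    apex=$1 www="www.$1"
    if has_soa "$2" "$apex"; then
        if has_soa "$3" "$www"; then
            echo "split: $www is also its own zone; move its records under $apex"
        else
            echo "ok: $apex is the zone apex and $www is a name inside it"
        fi
    elif [ "$(rcode_of "$2")" = REFUSED ] && has_soa "$3" "$www"; then
        echo "misplaced: zone was created as $www; server is not authoritative for $apex"
    else
        echo "unknown: apex rcode $(rcode_of "$2")"
    fi
}

# zone_check DOMAIN NAMESERVER: live version of the same check.
zone_check() {
    a=$(dig +norecurse +noall +comments +answer SOA "$1" "@$2")
    w=$(dig +norecurse +noall +comments +answer SOA "www.$1" "@$2")
    classify "$1" "$a" "$w"
}

# Constructed dig output modelled on the thread (SOA field values are made up).
REFUSED_APEX=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1111'
WWW_SOA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
www.yor.gr. 1800 IN SOA ns1.digitalocean.com. hostmaster.www.yor.gr. 1 10800 3600 604800 1800'

classify yor.gr "$REFUSED_APEX" "$WWW_SOA"
```

Against a live server this would be run as `zone_check yor.gr ns1.digitalocean.com`; the "split" verdict corresponds to the state where both names exist as separate zones.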

At the time I posted, you didn't have NS records for yor.gr. Now you do. Good. And in fact you now have an A record for yor.gr too. All steps in the right direction.

4 Likes

I solved it after all....I just added yor.gr as a 2nd domain - with the corresponding DNS records....I got the certificate.

If it's a "second domain", you really didn't solve it; things are still badly misconfigured. yor.gr should be the only domain; www.yor.gr is a subdomain. It shouldn't have its own NS records (it does).

5 Likes

You probably want to remove the www.yor.gr "domain" and place the www subdomain's A RR under the yor.gr DNS zone (or "domain" in Digital Ocean's control panel).

3 Likes