Cronjobs keep-secured.php giving Type: urn:ietf:params:acme:error:dns Status: 400

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kapal-laut.com

I ran this command: Cron psaadm@202-157-184-151 (/usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/sslit/scripts/keep-secured.php') > /dev/null

It produced this output:
[2023-06-14 13:07:09.838] 3803:64894af5590a4 ERR [extension/letsencrypt] Domain validation failed for www.blink.kapal-laut.com: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/236655302957.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up A for www.blink.kapal-laut.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.blink.kapal-laut.com - check that a DNS record exists for this domain
[2023-06-14 13:07:09.854] 3803:64894af5590a4 ERR [extension/letsencrypt] Domain validation failed: Missed domain names failed to pass validation: www.blink.kapal-laut.com
[2023-06-14 13:07:09.880] 3803:64894af5590a4 ERR [extension/sslit] Unable to secure domain {domainName} automatically Missed domain names failed to pass validation: www.blink.kapal-laut.com

[2023-06-14 13:07:17.227] 3803:64894af5590a4 ERR [extension/letsencrypt] Domain validation failed for www.wholesale.kapal-laut.com: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/236655341867.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up A for www.wholesale.kapal-laut.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.wholesale.kapal-laut.com - check that a DNS record exists for this domain
[2023-06-14 13:07:17.236] 3803:64894af5590a4 ERR [extension/letsencrypt] Domain validation failed: Missed domain names failed to pass validation: www.wholesale.kapal-laut.com
[2023-06-14 13:07:17.271] 3803:64894af5590a4 ERR [extension/sslit] Unable to secure domain {domainName} automatically Missed domain names failed to pass validation: www.wholesale.kapal-laut.com

[2023-06-14 13:07:24.651] 3803:64894af5590a4 ERR [extension/letsencrypt] Domain validation failed for www.mail.kapal-laut.com: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/236655368787.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up A for www.mail.kapal-laut.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.mail.kapal-laut.com - check that a DNS record exists for this domain
[2023-06-14 13:07:24.659] 3803:64894af5590a4 ERR [extension/letsencrypt] Domain validation failed: Missed domain names failed to pass validation: www.mail.kapal-laut.com
[2023-06-14 13:07:24.678] 3803:64894af5590a4 ERR [extension/sslit] Unable to secure domain {domainName} automatically Missed domain names failed to pass validation: www.mail.kapal-laut.com

My web server is (include version): nginx 1.22.1-2.centos.7+p18.0.52.3+t230516.1220

The operating system my web server runs on is (include version): CentOS Linux 7.9.2009 (Core)

My hosting provider, if applicable, is: Exabytes

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian 18.0.52

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

This domain name doesn't seem to exist. I've checked https://unboundtest.com/m/A/www.blink.kapal-laut.com/2LGYH7RZ and Query: www.wholesale.kapal-laut.com - Google Public DNS and none of the failing domains here seem to exist in DNS.

4 Likes

It seems like all of the names resolve to some IP(s) when you remove the "www".
All you need to do is add the "www" A/AAAA records [OR CNAMEs] for them to resolve.

That said, not all the shorter names resolve to the same set of IP(s).
So, I don't see how using HTTP authentication can validate all the names [from the same system/IP].

Edit: On second thought...
Perhaps the Cloudflare IPs proxy to the other/different IP.
If so, then they may all end up validating via the same system.
[hard to tell for sure from where I'm seated]

3 Likes

This appears to be a case of Cloudflare subdomain too deep. The superfluous www names at the fourth level need to be retired or a Cloudflare plan that provides a certificate for them is required.

3 Likes
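An added example, not part of the thread or of Plesk's tooling: a small triage script that parses keep-secured.php output like the log above, pulls out the names that failed with `urn:ietf:params:acme:error:dns` NXDOMAIN, and checks whether the name without its "www." label resolves. The function names and the injectable `resolver` parameter are assumptions made for illustration; the sample log is abridged from the output quoted in the first post.

```python
import re
import socket

# Abridged from the keep-secured.php output quoted in the thread.
SAMPLE_LOG = """\
ERR [extension/letsencrypt] Domain validation failed for www.blink.kapal-laut.com: Invalid response
Type: urn:ietf:params:acme:error:dns
Detail: DNS problem: NXDOMAIN looking up A for www.blink.kapal-laut.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.blink.kapal-laut.com - check that a DNS record exists for this domain
ERR [extension/letsencrypt] Domain validation failed for www.mail.kapal-laut.com: Invalid response
Type: urn:ietf:params:acme:error:dns
Detail: DNS problem: NXDOMAIN looking up A for www.mail.kapal-laut.com - check that a DNS record exists for this domain
"""

FAIL_RE = re.compile(r"Domain validation failed for (\S+?):")
TYPE_RE = re.compile(r"Type: (urn:ietf:params:acme:error:\w+)")
NX_RE = re.compile(r"NXDOMAIN looking up (A|AAAA) for (\S+)")

def parse_failures(log):
    """Return {name: {"type": ACME error type, "nxdomain": {record types}}}."""
    failures, current = {}, None
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:  # start of a new per-name failure block
            current = failures.setdefault(m.group(1), {"type": None, "nxdomain": set()})
        elif current is not None:
            t = TYPE_RE.match(line)
            current["type"] = t.group(1) if t else current["type"]
            for rtype, name in NX_RE.findall(line):
                failures.get(name, current)["nxdomain"].add(rtype)
    return failures

def resolves(name):
    # Local resolver view only; the CA performs its own lookups.
    try:
        return bool(socket.getaddrinfo(name, 443))
    except socket.gaierror:
        return False

def triage(log, resolver=resolves):
    report = {}
    for name, info in parse_failures(log).items():
        if info["type"] != "urn:ietf:params:acme:error:dns" or not info["nxdomain"]:
            report[name] = "not a DNS NXDOMAIN failure"
        elif resolver(name):
            report[name] = "resolves now; retry issuance"
        elif name.startswith("www.") and resolver(name[4:]):
            report[name] = "add a www A/AAAA/CNAME record or drop this name from the certificate"
        else:
            report[name] = "no DNS record for this name or its parent"
    return report
```
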
