Deleted old certificates without revoking them now I can't register new ones

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Badbird5907.net
I ran this command:
sudo certbot --apache
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): badbird5907.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for badbird5907.net
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. badbird5907.net (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for badbird5907.net - the domain’s nameservers may be malfunctioning

IMPORTANT NOTES:

    • The following errors were reported by the server:*
  • Domain: badbird5907.net*

  • Type: None*

  • Detail: DNS problem: SERVFAIL looking up A for badbird5907.net -*

  • the domain’s nameservers may be malfunctioning*

My web server is (include version):
Apache2
The operating system my web server runs on is (include version):
Ubuntu 18.04LTS
My hosting provider, if applicable, is:
Google Cloud
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like

Hi @Badbird-5907

checking your domain your DNSSEC is broken - https://check-your-website.server-daten.de/?q=badbird5907.net

2020-03-20.badbird5907.net

Looks like you have changed your DNS provider. Old with DNSSEC support, new without.

So there is a DS RR in the parent zone that says: You use DNSSEC.

But your zone doesn’t have a valid DNSKEY -> no chain of trust.

Update your DNSSEC: Remove it complete (so the DS in the parent zone is deleted) or update it, so it is consistent.

PS:

Deleted old certificates without revoking them now I can’t register new ones

That has nothing to do with your old certificate. And it’s not required (and normally wrong) to revoke a certificate if the private key isn’t stolen.

It’s a DNSSEC problem, your configuration is buggy. So it’s impossible to check your DNS / find an A/AAAA-record or check your CAA / TXT.

2 Likes

Ok thanks, I did find that DNSSEC is off on my NameCheap control panel. Thanks for the quick reply!

2 Likes


But now when I visit the site the certificate is marked as invalid.

Look carefully at the domain names in bold. One has www. before, the other doesn’t.

You need a certificate for both.

2 Likes

Please read the output of https://check-your-website.server-daten.de/?q=badbird5907.net

Host T IP-Address is auth. ∑ Queries ∑ Timeout
badbird5907.net A 162.255.119.155 Newark/New Jersey/United States (US) - Namecheap, Inc. No Hostname found yes 1 0
AAAA yes
www.badbird5907.net A 35.239.151.105 Ashburn/Virginia/United States (US) - Google LLC Hostname: 105.151.239.35.bc.googleusercontent.com yes 1 0
AAAA yes

Your non-www and your www have different ip addresses.

And

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-03-20 2020-06-18 badbird5907.net - 1 entries duplicate nr. 2
Let’s Encrypt Authority X3 2020-03-20 2020-06-18 badbird5907.net - 1 entries duplicate nr. 1

you have only created a certificate with the non-www version.

1 Like