Dns Certbot broke my DNS Can someone please help me fix it. I had no snapshot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: chrislarivey.com

I ran this command: sudo certbot --apache

It produced this output: it worked the second time I tried it

My web server is (include version): latest apache

The operating system my web server runs on is (include version): latest ubuntu

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @cwl_is_me

Certbot can't break your DNS, that's not possible. And with certbot --apache your DNS isn't changed.

Checking your domain there is a simple error - https://check-your-website.server-daten.de/?q=chrislarivey.com

Domainname                     IP            Http-Status  redirect                   Sec.   G
http://chrislarivey.com/       3.219.22.196  301          https://chrislarivey.com/  0.230  A
http://www.chrislarivey.com/   3.219.22.196  200                                     0.240  H
https://chrislarivey.com/      3.219.22.196  200                                     1.400  B
https://www.chrislarivey.com/  3.219.22.196  200                                     1.147  N
                               Certificate error: RemoteCertificateNameMismatch

Your non-www works, your www not. Reason: Your certificate

CN=chrislarivey.com, valid 17.06.2019 - 15.09.2019 (expires in 90 days), chrislarivey.com - 1 entry

has only one domain name, the www version is missing.

So create one certificate with both domain names - chrislarivey.com and www.chrislarivey.com.


Hi,
Thanks for the help.
I tried to use sudo certbot --apache and it didn’t work. Is there a different command to add www.chrislarivey, or a command to delete what I have so I can start over?

Thanks again

Doesn't Certbot show both domains?

If not, your vHost configuration may be wrong.

Has your vHost a

ServerName chrislarivey.com
ServerAlias www.chrislarivey.com

Note that you have a limit of 5 duplicate certificates in a week, so if you keep on trying the same command again and again hoping to get a different result you will hit this limit. Not that it will block you from getting a certificate for the 2 names, since that is counted as a different certificate.

I can’t seem to find the httpd or conf.d in etc. It has to be there.

I have put the server name and alias in both the 443 and 80 configuration file. My site is still not up.

Did you restart certbot? If yes and it did not work, what was the output?

Hi @cwl_is_me,

Is your webserver running? From my testing I don’t believe it is.

$ telnet chrislarivey.com 80
Trying 54.221.150.148...
^C
$ telnet chrislarivey.com 443
Trying 54.221.150.148...
^C

What is the output from the following commands?

systemctl status apache2
ps aux | grep apache
apache2ctl -S

If apache is NOT running, see if it will restart

sudo systemctl restart apache2

Hi,
It says that apache is running. I checked after I did restart.

How can I restart certbot?

I meant run it manually like you did last time, I think it was certbot --apache

I saw both there this time when I ran certbot --apache.
I did get this though:
The following errors were reported by the server:

Domain: www.chrislarivey.com
Type: connection
Detail: dns :: DNS problem: NXDOMAIN looking up A for
www.chrislarivey.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Now you have removed your DNS www entry ( https://check-your-website.server-daten.de/?q=chrislarivey.com ):

Host                  T     IP-Address                             is auth.  ∑ Queries  ∑ Timeout
chrislarivey.com      A     54.221.150.148 (Beaumont/Texas/US)     yes       1          0
                      AAAA                                         yes
www.chrislarivey.com        Name Error                             yes       1          0

So this domain name doesn't have an IP address, so you can't create a certificate via http-01 validation.

Add a DNS A entry.

I have this in Route 53 for a static IP address 3.219.22.196.
I also see records there for both an alias www.chrislarivey.com and an A record.

These are not publicly visible.

So that can't work.

As said by @JuergenAuer:

    dig @ns-1074.awsdns-06.org chrislarivey.com A +short
    54.221.150.148
    -> good

    dig @ns-1074.awsdns-06.org www.chrislarivey.com A +short
    -> bad (no IP address)

Also, on both addresses you should be able to do a wget:

    wget chrislarivey.com

and

    wget www.chrislarivey.com
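The two checks in this thread (does each name have an A record at the authoritative name server, and does the web server answer on port 80) can be run as one pre-flight script before calling certbot again. This is an added example, not a command from the thread or from Certbot; the name server, expected IP, host names and the use of curl instead of wget are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check before "certbot --apache"
# for one certificate covering the apex and www names. It queries the zone's
# authoritative name server directly, so a private Route 53 zone or a cached
# local resolver cannot hide what Let's Encrypt will actually see.
# Usage: ./preflight.sh NAMESERVER EXPECTED_IP apex.example www.apex.example

# resolve_a NS NAME: print the final A record for NAME from NS, or nothing.
# If NAME is a CNAME, "dig +short" prints the target first; the last line is
# the A record (a single A record per name is assumed here).
resolve_a() {
    dig @"$1" "$2" A +short 2>/dev/null | tail -n 1
}

# check_pair EXPECTED_IP APEX_ANSWER WWW_ANSWER
# Pure check on two resolver answers, so it can be exercised without network.
# Returns 0 when both names have an A record equal to EXPECTED_IP; otherwise
# prints the first problem found (the reason http-01 would fail) and returns 1.
check_pair() {
    expected=$1 apex=$2 www=$3
    [ -n "$apex" ] || { echo "FAIL: apex has no A record (NXDOMAIN)"; return 1; }
    [ -n "$www" ]  || { echo "FAIL: www has no A record (NXDOMAIN); http-01 cannot reach it"; return 1; }
    [ "$apex" = "$expected" ] || { echo "FAIL: apex resolves to $apex, this host is $expected"; return 1; }
    [ "$www" = "$expected" ]  || { echo "FAIL: www resolves to $www, this host is $expected"; return 1; }
    echo "OK: both names resolve to $expected"
}

# preflight NS EXPECTED_IP APEX WWW: live DNS lookups, then an HTTP probe of
# each name on port 80, the path the http-01 challenge takes.
preflight() {
    ns=$1 expected=$2 apex=$3 www=$4
    check_pair "$expected" "$(resolve_a "$ns" "$apex")" "$(resolve_a "$ns" "$www")" || return 1
    for name in "$apex" "$www"; do
        # Only reachability matters here; curl prints 000 when nothing answers.
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "http://$name/") || code=000
        [ "$code" != "000" ] || { echo "FAIL: no HTTP answer from $name on port 80"; return 1; }
        echo "OK: http://$name/ answered $code"
    done
}

# Run the live checks only when all four arguments are given.
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```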

That’s my route 53 zone. If I understand correctly I have a problem in route 53, not my web server.

Your screenshot has nothing to do with your publicly visible values ( https://check-your-website.server-daten.de/?q=chrislarivey.com ):

Host                  T     IP-Address                             is auth.  ∑ Queries  ∑ Timeout
chrislarivey.com      A     54.221.150.148 (Beaumont/Texas/US)     yes       1          0
                      AAAA                                         yes
www.chrislarivey.com        Name Error                             yes       1          0

There is no CNAME of the non-www version. And the www version doesn't have an A (ipv4) or AAAA (ipv6) record.

Maybe a "private zone" or something else.

Your name servers are:

chrislarivey.com
	• ns-1074.awsdns-06.org  205.251.196.50 / 2600:9000:5304:3200::1  (Seattle/Washington/US)
	• ns-2008.awsdns-59.co.uk  205.251.199.216 / 2600:9000:5307:d800::1  (Seattle/Washington/US)
	• ns-235.awsdns-29.com  205.251.192.235 / 2600:9000:5300:eb00::1  (Seattle/Washington/US)
	• ns-744.awsdns-29.net  205.251.194.232 / 2600:9000:5302:e800::1  (Seattle/Washington/US)
	• ns-865.awsdns-44.net  205.251.195.97 / 2600:9000:5303:6100::1  (Seattle/Washington/US)

There you have to change your settings.

54.221.150.148 is not my public IP address. Mine is 3.219.22.196