Certbot broke my DNS. Can someone please help me fix it? I had no snapshot.

This is your publicly visible IP address.

Checked your 3.* ip ( https://check-your-website.server-daten.de/?q=3.219.22.196 ):

Domainname              Http-Status  redirect  Sec.   G
http://3.219.22.196/
  3.219.22.196          200                    0.226  H
https://3.219.22.196/
  3.219.22.196          200                    1.363  N
  Certificate error: RemoteCertificateNameMismatch

There is an answer. And there is a new Letsencrypt certificate:

CN=chrislarivey.com
  17.06.2019 to 15.09.2019, expires in 88 days
  chrislarivey.com - 1 entry

So your DNS A entries are wrong. And your certificate has only one domain name, not two.
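The RemoteCertificateNameMismatch above is exactly the case of a certificate whose subjectAltName list does not contain the name the client asked for. The following is an added example, not code from the thread or from Let's Encrypt, that applies the hostname-matching rules browsers use (case-insensitive labels, a wildcard only as the whole leftmost label matching exactly one label, no wildcard for a bare registrable domain) to a constructed SAN list and the two names this thread needs:

```python
"""Report which requested hostnames a certificate's subjectAltName entries cover.

Added example, not from the thread. The SAN list and hostnames below are
constructed to mirror the situation described above: one SAN entry,
two names that must resolve and be served.
"""

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match as browsers apply it: exact, or a '*' that is the
    entire leftmost label and stands for exactly one label. Partial-label
    wildcards ("w*.example.com") and "*.com"-style patterns are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_names(san_names, required_names):
    """Names in required_names that no SAN entry covers, sorted."""
    return sorted(
        host for host in required_names
        if not any(hostname_matches(san, host) for san in san_names)
    )


# Constructed sample: the certificate in the thread carried a single entry.
SAN_FROM_THREAD = ["chrislarivey.com"]
NAMES_THE_SITE_USES = ["chrislarivey.com", "www.chrislarivey.com"]

if __name__ == "__main__":
    missing = uncovered_names(SAN_FROM_THREAD, NAMES_THE_SITE_USES)
    for name in missing:
        print(f"{name}: not covered by the certificate, browsers will warn")
    if not missing:
        print("all names covered")
```

For a certificate that must cover both the apex and the www name, certbot takes each name with its own `-d` flag (`-d chrislarivey.com -d www.chrislarivey.com`); a wildcard entry would also not help the apex, because `*.example.com` never matches `example.com`.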

I just fixed the records. It wasn’t Route 53. The problem was my DNS in Lightsail. I still have a certificate problem though. chrislarivey.com resolves to www.chrislarivey.com and there is no certificate. I had fixed that yesterday and I thought it worked.

I ran certbot again

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Failed redirect for chrislarivey.com
Unable to set enhancement redirect for chrislarivey.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:

  • We were unable to set up enhancement redirect for your server,
    however, we successfully installed your certificate.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/chrislarivey.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/chrislarivey.com/privkey.pem
    Your cert will expire on 2019-09-17. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”
  • Some rewrite rules copied from
    /etc/apache2/sites-enabled/000-default.conf were disabled in the
    vhost for your HTTPS site located at
    /etc/apache2/sites-available/000-default-le-ssl.conf because they
    have the potential to create redirection loops.
    bitnami@ip-172-26-6-138:~$

your site is secured :slight_smile:

It still says not secure but at least I got the DNS fixed

If you use Bitnami, there are additional steps required to install the certificate.

I clicked on the link and it shows the LE certificate...

That link is the only way I get https. Even the ones above in this thread are unsecured. Are you holding my certificate hostage for ransom gpatel-fr?
Thanks for all the help,
I guess I get to figure out what I need to do for Bitnami

I got this error now. I think it’s not the permission because I did sudo. I’m not sure about the services.
Error: There has been an error.
Cannot bind to port 80 and/or 443. These ports are used for Let’s Encrypt to
verify the domain DNS configuration. Please stop any services using those ports,
and ensure your system user has permissions to bind to them.
Press [Enter] to continue:

I was able to get this for running services and ports

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 979 root 6u IPv4 13442 0t0 UDP *:68
sshd 1218 root 3u IPv4 15565 0t0 TCP *:22 (LISTEN)
sshd 1218 root 4u IPv6 15567 0t0 TCP *:22 (LISTEN)
apache2 1427 root 4u IPv6 17027 0t0 TCP *:80 (LISTEN)
apache2 1427 root 6u IPv6 17031 0t0 TCP *:443 (LISTEN)
apache2 2709 www-data 4u IPv6 17027 0t0 TCP *:80 (LISTEN)
apache2 2709 www-data 6u IPv6 17031 0t0 TCP *:443 (LISTEN)
apache2 2710 www-data 4u IPv6 17027 0t0 TCP *:80 (LISTEN)
apache2 2710 www-data 6u IPv6 17031 0t0 TCP *:443 (LISTEN)
sshd 3660 root 3u IPv4 24631 0t0 TCP 172.26.6.138:22->72.21.217.221:19234 (ESTABLISHED)
sshd 3677 bitnami 3u IPv4 24631 0t0 TCP 172.26.6.138:22->72.21.217.221:19234 (ESTABLISHED)
mysqld.bi 4757 mysql 25u IPv4 26565 0t0 TCP 127.0.0.1:3306 (LISTEN)
bitnami@ip-172-26-6-138:~$
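The "Cannot bind to port 80 and/or 443" error and the lsof listing above belong together: an ACME client that answers the challenge itself (a standalone authenticator, which is what the Bitnami tool tried here) has to bind port 80 for HTTP-01 or 443 for TLS-ALPN-01, and cannot while Apache is listening there. The following is an added example, not code from the thread, from certbot or from Bitnami, that parses `lsof -i -P -n` output in the column layout shown above and reports which process holds those ports; the listing it parses is a constructed sample modelled on the one posted:

```python
"""Parse `lsof -i -P -n` output and report what is holding ports 80 and 443.

Added example, not code from the thread, certbot or Bitnami. It assumes the
column layout shown in the thread (COMMAND PID USER FD TYPE DEVICE SIZE/OFF
NODE NAME, with an optional "(STATE)" suffix) and numeric ports, i.e. lsof
run with -P and -n.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the listing posted above (one ssh session kept).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 979 root 6u IPv4 13442 0t0 UDP *:68
sshd 1218 root 3u IPv4 15565 0t0 TCP *:22 (LISTEN)
sshd 1218 root 4u IPv6 15567 0t0 TCP *:22 (LISTEN)
apache2 1427 root 4u IPv6 17027 0t0 TCP *:80 (LISTEN)
apache2 1427 root 6u IPv6 17031 0t0 TCP *:443 (LISTEN)
apache2 2709 www-data 4u IPv6 17027 0t0 TCP *:80 (LISTEN)
apache2 2709 www-data 6u IPv6 17031 0t0 TCP *:443 (LISTEN)
sshd 3660 root 3u IPv4 24631 0t0 TCP 172.26.6.138:22->72.21.217.221:19234 (ESTABLISHED)
mysqld.bi 4757 mysql 25u IPv4 26565 0t0 TCP 127.0.0.1:3306 (LISTEN)
"""

# Ports an ACME client needs to bind when it answers challenges itself.
ACME_PORTS = {80: "HTTP-01", 443: "TLS-ALPN-01"}

_STATE_RE = re.compile(r"\s*\((\w+)\)\s*$")


def parse_lsof(text):
    """Return one dict per socket line; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)           # NAME may contain spaces, keep it whole
        if len(parts) < 9 or not parts[1].isdigit():
            continue                          # header line, or not a socket line
        command, pid, user, _fd, _type, _device, _size, node, name = parts
        state = None
        m = _STATE_RE.search(name)
        if m:
            state, name = m.group(1), name[: m.start()]
        local = name.split("->", 1)[0]        # drop the peer of established connections
        _host, _, port = local.rpartition(":")
        rows.append({
            "command": command,
            "pid": int(pid),
            "user": user,
            "proto": node,                    # TCP or UDP
            "local": local,
            "port": int(port) if port.isdigit() else None,
            "state": state,
        })
    return rows


def port_holders(text, ports=ACME_PORTS):
    """Map each wanted port to the sorted (command, pid) pairs listening on it."""
    holders = defaultdict(set)
    for row in parse_lsof(text):
        if row["proto"] == "TCP" and row["state"] == "LISTEN" and row["port"] in ports:
            holders[row["port"]].add((row["command"], row["pid"]))
    return {port: sorted(pairs) for port, pairs in holders.items()}


def explain(text):
    """Human-readable verdict: which challenge ports are blocked and by whom."""
    holders = port_holders(text)
    if not holders:
        return ["Ports 80 and 443 are free; a standalone authenticator can bind them."]
    lines = []
    for port in sorted(holders):
        names = ", ".join(f"{cmd} (pid {pid})" for cmd, pid in holders[port])
        lines.append(
            f"Port {port} ({ACME_PORTS[port]}) is held by {names}: stop that service "
            "before running a standalone authenticator, or use certbot's --apache "
            "plugin so the running web server answers the challenge instead."
        )
    return lines


if __name__ == "__main__":
    for line in explain(SAMPLE_LSOF):
        print(line)
```

On the sample this reports both 80 and 443 as held by the two apache2 processes, which is why the Bitnami tool could not bind them while the `--apache` run earlier in the thread, which lets Apache itself serve the challenge, succeeded.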

It seems you are trying to restart certbot, without the --apache parameter this time, since it is not stopping it. But you have your certificate; do not try to get another one! If your virtual hosts are not working, try to fix them in the Apache configuration.

Hey,
I was using this documentation to make Bitnami happy

https://docs.bitnami.com/aws/how-to/understand-bncert/


Yep, Bitnami has its own rules. Happy to read you have found a solution :+1:
