DNS challenges.... multiple IP records for "A/AAAA"

Hi,
I am a newbie with SSL and domain management; anyway, I will try to share my experience.

I tried several times to create a certificate for a "subdomain" --> wapp.urbedrive.com

The principal domain is under "GoDaddy.com", while the subdomain is outside.

The DNS records are:

> "A" DNS records for wapp.urbedrive.com [Google DNS servers]:
>
> wapp.urbedrive.com. 599 IN A 184.168.131.241
> wapp.urbedrive.com. 599 IN A 144.91.105.68

--> 184.168.131.241 ===> this is GoDaddy, which makes a forward to the other server
--> 144.91.105.68 ===> this is the real server

What I think, and what I guess, is that in the "challenge" function certbot checks only one occurrence of the DNS records, and the result is a failure.

To get the certificate I temporarily created this condition:

> "A" DNS records for wapp.urbedrive.com [Google DNS servers]:
>
> wapp.urbedrive.com. 599 IN A 144.91.105.68

That is wrong for me.

Regards, Roberto T.

1 Like

Hi @RTagliento

Your configuration is fatally wrong.

Remove the first line.

You can use multiple ipv4 / ipv6 addresses.

But then all ip addresses must send the same http result, not different results.

Your configuration - different answers - https://check-your-website.server-daten.de/?q=wapp.urbedrive.com

```
K   http://wapp.urbedrive.com/ 144.91.105.68, Status 302
    http://wapp.urbedrive.com/ 184.168.131.241, Status 200
    configuration problem - different ip addresses with different status
K   https://wapp.urbedrive.com/ 144.91.105.68, Status -2
    https://wapp.urbedrive.com/ 184.168.131.241, Status 200
    configuration problem - different ip addresses with different status
```

The second - you see the problem.

You can't install a certificate on that GoDaddy server:

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| wapp.urbedrive.com | A | 144.91.105.68 Nuremberg/Bavaria/Germany (DE) - Contabo GmbH Hostname: vmi396739.contaboserver.net | yes | 1 | 0 |
| | A | 184.168.131.241 Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC Hostname: ip-184-168-131-241.ip.secureserver.net | yes | 1 | 0 |
| | AAAA | | yes | | |

So such a configuration can't work.

1 Like

Hi @JuergenAuer, thank you.

I have to figure out how to resolve this; probably I will use a different DOMAIN and not a subdomain.

www.urbedrive.com is under GoDaddy,

meanwhile the wapp subdomain is a completely separate VPS.

I am thinking of using a different domain.

Thank you for your fast response.

1 Like

Why would you point your subdomain to the GoDaddy IP address in the first place? You say for a "forward to the other server", but I don't understand that? What kind of forward? Which other server?

2 Likes

Why?

That's not required.

But if you use different IP addresses, all must send the same result.

Your contaboserver IP address is enough; you can't use your own server and the GoDaddy "redirect" in parallel.

So you have only one IP address.

2 Likes

Thanks to all; as I said, I am a newbie.

The situation is:
On GoDaddy I have a normal hosting server, not a VPS, so I don't have full control. I could only set up SSL manually from a panel configuration, or buy it from them. Here another collaborator has installed WordPress.

I want a subdomain that points to an IP address that I have on Contabo.com, where I have the .NET Core framework on Debian.

From the GoDaddy panel I have the option to create a subdomain forward with URL masking, and this option creates the double IP address.

Unfortunately I need a quick and easy solution for my level; in the future I will find a solid, convenient and functional solution.

Thank you, I am learning a lot of stuff.

1 Like

You have that already (1).

If you have (1), you don't need that "subdomain forward". It's a misunderstanding of how DNS works.

4 Likes

Just like @JuergenAuer said, you don't need that URL Forwarding from GoDaddy.

URL forwarding is a feature primarily for people who don't have control over the host they are forwarding to (and it has become more and more useless in the past few years).

If you have control of the destination IP, you just need to point your subdomain to that IP with an A record, then at your destination server, set up a virtual host (configuration) for your subdomain.

3 Likes

In addition to the answers other people have given (which I fully agree with), it might be helpful to know more about how this part works. The challenges aren't performed by Certbot, but by the certificate authority, which tries to connect to your server to check that you really control the names for which you're requesting a certificate.

Certbot's role here is requesting the challenge from the certificate authority, then performing steps on the server to satisfy the challenge, then requesting the certificate when the certificate authority has verified that the challenge was satisfied. But the verification is not performed by Certbot or anything else on your server.

As other people's replies indicate, having both the DNS records for the server itself and the GoDaddy forwarding service does not provide any benefit, but does create a likelihood that the certificate authority will encounter a failure when checking the challenge.

5 Likes
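The point above (the CA, not Certbot, connects to whichever address the name resolves to) can be checked before running Certbot. This is an added example, not code from the thread or from Certbot: it resolves every A/AAAA address, fetches the challenge path from each one with the real Host header, and reports whether they agree. The `fetch_from_ip` fetcher does real HTTP; the embedded sample uses a constructed fake fetcher, and its response bodies are invented, so the script runs offline.

```python
import http.client
import socket
from typing import Dict, List, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def resolve_all(host: str) -> List[str]:
    """Every IPv4/IPv6 address the name resolves to; the CA may pick any of them."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def fetch_from_ip(ip: str, host: str, path: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Connect to one specific address but send the real Host header,
    which is what the validator effectively does for each resolved address."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read(512).decode("utf-8", "replace")
    finally:
        conn.close()

def check_consistency(host: str, token: str, addresses: List[str], fetcher) -> Dict[str, object]:
    """Fetch the challenge URL from every address; consistent only if all agree."""
    path = CHALLENGE_PATH + token
    results: Dict[str, Tuple[int, str]] = {}
    for ip in addresses:
        try:
            results[ip] = fetcher(ip, host, path)
        except OSError as exc:  # unreachable address counts as a disagreement too
            results[ip] = (-1, f"connection failed: {exc}")
    return {"consistent": len(set(results.values())) == 1, "results": results}

# Constructed sample mirroring the thread: the Contabo VPS serves the key
# authorization, while the GoDaddy "forwarding" address serves its own masking page.
SAMPLE_HOST = "wapp.urbedrive.com"
SAMPLE_RESPONSES = {
    "144.91.105.68": (200, "TOKEN.THUMBPRINT-placeholder"),
    "184.168.131.241": (200, "<html><frameset><!-- masking page --></frameset></html>"),
}

def fake_fetcher(ip: str, host: str, path: str) -> Tuple[int, str]:
    """Offline stand-in for fetch_from_ip, answering from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[ip]

def live_check(host: str, token: str) -> Dict[str, object]:
    """Real check: resolve the name and fetch from each address (needs network)."""
    return check_consistency(host, token, resolve_all(host), fetch_from_ip)
```

With both addresses present the report is inconsistent; with only the VPS address it is consistent, which is exactly the state in which the certificate was obtained.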

Hello friend,
thank you very much for your explanation and patience.

1 Like

Welcome to the Let's Encrypt Community, Roberto 🙂

As a GoDaddy user myself, I can fully understand your confusion with how things work. You're learning and that's what matters. 😉

3 Likes

Yes Man.....

I will plan to move other stuff onto Contabo.

I inherited GoDaddy.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.