DNS nameserver propagation issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

aarongray.org @ ns1.hover.com

I ran this command:

sudo certbot --nginx -d aarongray.org,www.aarongray.org

It produced this output:

[sudo] password for aaronngray:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for aarongray.org and www.aarongray.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: aarongray.org
Type: dns
Detail: DNS problem: looking up A for aarongray.org: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for aarongray.org: DNSSEC: DNSKEY Missing

Domain: www.aarongray.org
Type: dns
Detail: DNS problem: looking up A for www.aarongray.org: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for www.aarongray.org: DNSSEC: DNSKEY Missing

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx/1.18.0

The operating system my web server runs on is (include version):

Armbian 22.11.0-trunk Bullseye with Linux 6.4.12-edge-sunxi

My hosting provider, if applicable, is:

homeserver @ 81.174.241.153

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no, ssh/bash

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.8.0

I changed the IP to 212.159.110.144 temporarily to see how it was propagating, I have changed it back to 81.174.241.153.

This isn't related to "propagation" (that generally isn't a problem because Let's Encrypt queries your authoritative servers directly), but that your registrar claims that your domain is DNSSEC-signed but your DNS server isn't signing anything.

First you need to get your domain name working, before you worry about trying to get a certificate for it.

5 Likes
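The condition described in the reply above (a DS record at the parent while the zone's nameserver serves no DNSKEY) can be checked before re-running certbot. This is an added example, not part of the original thread: the function names, state labels and sample records are constructed for illustration, and it only compares record presence and algorithm numbers, it does not validate signatures.

```shell
#!/bin/sh
# Classify a DNSSEC delegation from two record sets (either may be empty):
#   $1 = DS records at the parent        ("keytag alg digesttype digest")
#   $2 = DNSKEY records from the zone's  ("flags protocol alg key")
#        authoritative nameserver
# Prints: unsigned | broken-no-dnskey | signed-no-ds | algorithm-mismatch | signed
dnssec_state() {
    ds=$1
    dnskey=$2
    if [ -z "$ds" ] && [ -z "$dnskey" ]; then echo unsigned; return 0; fi
    # Parent says "signed", child serves no keys: validating resolvers fail
    # every lookup, which the CA reports as "DNSSEC: DNSKEY Missing".
    if [ -z "$dnskey" ]; then echo broken-no-dnskey; return 0; fi
    # Keys without a DS: no chain of trust, the zone is treated as unsigned.
    if [ -z "$ds" ]; then echo signed-no-ds; return 0; fi
    ds_algs=$(printf '%s\n' "$ds" | awk 'NF >= 4 { print $2 }' | sort -u)
    key_algs=$(printf '%s\n' "$dnskey" | awk 'NF >= 4 { print $3 }' | sort -u)
    # A DS can only match a DNSKEY that uses the same algorithm number.
    for a in $ds_algs; do
        for k in $key_algs; do
            if [ "$a" = "$k" ]; then echo signed; return 0; fi
        done
    done
    echo algorithm-mismatch
}

# Live lookup: DS comes from the parent zone via the default resolver,
# DNSKEY is asked of the zone's own nameserver without recursion.
# Usage: check_zone <zone> <authoritative-nameserver>
check_zone() {
    zone=$1
    ns=$2
    ds=$(dig +short DS "$zone")
    dnskey=$(dig +short +norecurse DNSKEY "$zone" "@$ns")
    dnssec_state "$ds" "$dnskey"
}

# Constructed sample records (not real keys or digests).
SAMPLE_DS="12345 13 2 0123456789ABCDEF0123456789ABCDEF"
SAMPLE_DNSKEY="257 3 13 Y29uc3RydWN0ZWQtc2FtcGxlLWtleQ=="

# The situation in this thread: DS published, nothing signed.
dnssec_state "$SAMPLE_DS" ""
```

A result of `signed` still needs full validation with a tool such as DNSViz; `unsigned` and `signed-no-ds` do not block issuance.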

For those that like to see things drawn out:
aarongray.org | DNSViz

4 Likes

I have two other domains that work fine on HOVER, they don't have DNSSEC keys, so I have deleted the DNSSEC key, but am getting the same result.

The same error message too? Because I don't see the DNSSEC error anymore on dnsviz or reported by Let's Debug. Please show the error message.

4 Likes

All working now!

1 Like

You need to figure out how to do DNSSEC correctly [and do that right].

3 Likes
