DNS problem: NXDOMAIN looking up MX - Again

Sokoban · April 4, 2017, 11:56am

Hi I have problem registry a certification, here is the way…

It stops with Email address, how I Solved that ?

Domain.local is of course something else

C:\LetsEncrypt>letsencrypt.exe --accepttos --manualhost remote.domain.local --webroot "C:\Program Files\Windows Server\Bin\WebApps\Site"
Let’s Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting

ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\Sokoban\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Certificate Folder: C:\Users\Sokoban\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

Getting AcmeServerDirectory
Enter an email address (not public, used for renewal fail notices): jonas@domain.local
Calling Register
Unexpected error
ACME Server Returned:
{
** “type”: “urn:acme:error:invalidEmail”,**
** “detail”: “DNS problem: NXDOMAIN looking up MX for domain.local”,**
** “status”: 400**
}
Press enter to continue.

pfg · April 4, 2017, 3:06pm

The domain in your email address needs a MX record, in other words it has to be able to receive email. You can verify this using dig domain.local mx or with nslookup.

The email address is optional, so leaving it empty would work as well. You won't be receiving any expiration notifications that way, meaning you'll need to monitor the renewal process yourself.

Just to make sure: does that only apply to the "domain" part, or to .local as well? You won't be able to get a certificate for a domain ending in .local from any publicly-trusted CA. It won't work as an email address either because it is (naturally) not resolvable in the public DNS.

Sokoban · April 4, 2017, 3:15pm

How I type to avoid question about E-Mail Address ?

I have type Before, letsencrypt.exe --accepttos --manualhost remote.domain.local --webroot "C:\Program Files\Windows Server\Bin\WebApps\Site"

and want to add , --register-unsafely-without-email

// Sokoban

pfg · April 4, 2017, 3:29pm

I don’t believe letsencrypt-win-simple has an option similar to --register-unsafely-without-email. Looking at the relevant code, the way to do it seems to be to simply leave the field empty when asked for it (i.e. press enter when the prompt appears).

Sokoban · April 4, 2017, 3:43pm

I have only press enter, and got same error messages…

Relevant code, how will I used that ?

pfg · April 4, 2017, 3:48pm

The link to the code was just a reference to show how things are implemented. There’s nothing to use there.

It’s possible that letsencrypt-win-simple has stored the email address you entered the first time and keeps reusing it if you leave the prompt empty. I’m not familiar enough with that client to say for sure, nor do I know where it would store that information or how whether it can easily be deleted.

Perhaps an alternative would be to simply provide some other (working) email address. It doesn’t have to match the domain on the certificate; something like gmail would work.

Sokoban · April 4, 2017, 6:43pm

gmail or prompt empty doesn’t work …

pfg · April 4, 2017, 6:49pm

What kind of error do you get with the gmail address? Do you still get the NXDOMAIN error with the domain of your original email address? In that case, there’s probably no way around figuring out how to edit the email address that letsencrypt-win-simple might have stored somewhere in a configuration file. I’m afraid I don’t know enough about this client to figure that one out. If you can’t find anything relevant in the documentation, I would suggest opening an issue on their GitHub to ask for assistance.

system · May 4, 2017, 6:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.