Hello
We’ve been using acme.sh for over a year and it has been working great.
I have 2 questions:
Is this true: CNAME DNS records are only allowed as subdomains?
I am trying to add nextcloud.ourdomain.com. acme.sh is running on that virtual machine, not on the web server.
pfSense has NAT set to port-forward 37080 to 80 on the target.
/root/.acme.sh/acme.sh --httpport 37080 --log --issue --standalone -d nextcloud.ourdomain.com --force
Verify error:DNS problem: NXDOMAIN looking up A
So at GoDaddy I changed our nextcloud record to A and will try again.
Also, I assume it is best to wait some time after adding the A record at GoDaddy?
Best regards, Roberto
As long as you don’t mention the real domain name, nobody can help you.
Also, the record I am trying to add is:
fbcadmin.fantinibakery.com
After I get that temporary/test one done I will add nextcloud.
Hi @roberto ,
Are you sure you added a CNAME or A record to this subdomain? None of your NS servers have an answer for this subdomain.
$ dig @ns27.domaincontrol.com fbcadmin.fantinibakery.com
; <<>> DiG 9.11.1 <<>> @ns27.domaincontrol.com fbcadmin.fantinibakery.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32764
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fbcadmin.fantinibakery.com. IN A
;; AUTHORITY SECTION:
fantinibakery.com. 600 IN SOA ns27.domaincontrol.com. dns.jomax.net. 2017101100 28800 7200 604800 600
;; Query time: 10 msec
;; SERVER: 216.69.185.14#53(216.69.185.14)
;; WHEN: Wed Oct 11 11:14:24 CEST 2017
;; MSG SIZE rcvd: 123
$ dig @ns28.domaincontrol.com fbcadmin.fantinibakery.com
; <<>> DiG 9.11.1 <<>> @ns28.domaincontrol.com fbcadmin.fantinibakery.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16401
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fbcadmin.fantinibakery.com. IN A
;; AUTHORITY SECTION:
fantinibakery.com. 600 IN SOA ns27.domaincontrol.com. dns.jomax.net. 2017101100 28800 7200 604800 600
;; Query time: 8 msec
;; SERVER: 208.109.255.14#53(208.109.255.14)
;; WHEN: Wed Oct 11 11:14:27 CEST 2017
;; MSG SIZE rcvd: 123
Cheers,
sahsanu
Yes, I am looking at the GoDaddy screen now.
fbcadmin was added as an A record this morning.
nextcloud and ldap were added yesterday as CNAME records.
owncloud, sogo and 10 others have been in use for a year.
roberto:
nextcloud and ldap were added yesterday as CNAME records.
owncloud, sogo and 10 others have been in use for a year.
Those all exist. fbcadmin doesn't.
Are you sure it's not misspelled? Added to the wrong domain? Or something like that?
Maybe GoDaddy is experiencing a problem with new DNS records?
I think there is a longer than expected delay between adding a record and having dig @ns28.domaincontrol.com work.
So my 2 questions:
1. Can a CNAME record be used as the only -d record?
2. After adding a record to [a service like GoDaddy], how long does it usually take for dig @ns28.domaincontrol.com to work?
I'm not sure what you mean. There should be no problem with making fbcadmin.fantinibakery.com a CNAME, like your other records.
That's up to GoDaddy. I don't personally know how their systems usually work.
roberto
October 11, 2017, 9:58am
So GoDaddy has lags getting records to name servers.
Once our test fbcadmin works as a DNS A record with dig, I'll test trying to use a CNAME record as the only --domain to be added. It probably works, but the error message refers to 'error:DNS problem: NXDOMAIN looking up A'. I assume, and could be wrong, that the A means at least one A record is needed.
Thank you for the help, this is a responsive forum!
A and/or AAAA records are necessary for HTTP-01 or TLS-SNI-01 validation, but it's totally fine if you have a CNAME pointing to (a CNAME pointing to...) a name with A and/or AAAA records.
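As an added illustration of the point above (this is not code from the thread, from acme.sh or from Let's Encrypt): the Python below models how a validator turns the name given to -d into an address. It follows a CNAME chain until it reaches a name with A/AAAA records, caps the chain length, detects loops, and distinguishes NXDOMAIN (the name does not exist at all, which is what the dig output earlier shows for fbcadmin) from a name that exists but carries no A/AAAA record. The zone table, the addresses and the chain cap are constructed for the example.

```python
"""Model of how an ACME validator resolves a hostname before HTTP-01.

Constructed example; not part of the thread and not acme.sh or CA code.
The zone data below is made up to mirror the thread: 'fbcadmin' has no
record at all, 'nextcloud' is a CNAME to a name with an A record, 'ldap'
is a CNAME to that CNAME, 'mx' exists but has no address records, and the
'loop' names point at each other.
"""

MAX_CNAME_CHAIN = 8  # assumed cap; real resolvers also limit chain length


class ResolveError(Exception):
    """Raised with a message in the style of 'DNS problem: NXDOMAIN looking up A'."""


# Constructed authoritative zone: owner name -> list of (rtype, rdata)
ZONE = {
    "fantinibakery.com.":           [("A", "203.0.113.10")],
    "owncloud.fantinibakery.com.":  [("A", "203.0.113.20"), ("AAAA", "2001:db8::20")],
    "nextcloud.fantinibakery.com.": [("CNAME", "owncloud.fantinibakery.com.")],
    "ldap.fantinibakery.com.":      [("CNAME", "nextcloud.fantinibakery.com.")],
    "mx.fantinibakery.com.":        [("MX", "10 mail.fantinibakery.com.")],
    "loop1.fantinibakery.com.":     [("CNAME", "loop2.fantinibakery.com.")],
    "loop2.fantinibakery.com.":     [("CNAME", "loop1.fantinibakery.com.")],
}


def _fqdn(name):
    return name.lower().rstrip(".") + "."


def lookup(zone, name, rtype):
    """Return (rcode, rdatas) the way an authoritative server would answer.

    rcode is 'NOERROR' or 'NXDOMAIN'. A name that exists but has no record of
    the requested type yields ('NOERROR', []), i.e. NODATA, which is a
    different failure from NXDOMAIN.
    """
    name = _fqdn(name)
    if name not in zone:
        return "NXDOMAIN", []
    return "NOERROR", [rd for rt, rd in zone[name] if rt == rtype]


def resolve_for_validation(zone, name):
    """Follow CNAMEs until a name with A/AAAA records is found.

    Returns (final_name, addresses) or raises ResolveError.
    """
    seen = []
    current = _fqdn(name)
    for _ in range(MAX_CNAME_CHAIN + 1):
        if current in seen:
            raise ResolveError(f"DNS problem: CNAME loop at {current} via {' -> '.join(seen)}")
        seen.append(current)
        addrs = []
        for rtype in ("A", "AAAA"):
            rcode, rdatas = lookup(zone, current, rtype)
            if rcode == "NXDOMAIN":
                raise ResolveError(f"DNS problem: NXDOMAIN looking up {rtype} for {current}")
            addrs.extend(rdatas)
        if addrs:
            return current, addrs
        _, cnames = lookup(zone, current, "CNAME")
        if not cnames:
            raise ResolveError(f"DNS problem: no A or AAAA records for {current}")
        current = _fqdn(cnames[0])
    raise ResolveError(f"DNS problem: CNAME chain longer than {MAX_CNAME_CHAIN} from {name}")


def describe(zone, name):
    """One-line verdict suitable for a pre-flight script run before acme.sh."""
    try:
        final, addrs = resolve_for_validation(zone, name)
        return f"OK: {name} -> {final} {addrs}"
    except ResolveError as e:
        return f"FAIL: {e}"


if __name__ == "__main__":
    for n in ("fbcadmin", "nextcloud", "ldap", "mx", "loop1"):
        print(describe(ZONE, f"{n}.fantinibakery.com"))
```

To use this as a real pre-flight, replace the ZONE table with the answers from dig against the zone's authoritative servers (ns27/ns28.domaincontrol.com in this thread) or swap lookup() for live queries; querying the authoritative servers directly sidesteps resolver caches, which is why the dig output earlier is more telling than a lookup through your local resolver. The fbcadmin verdict reproduces the "NXDOMAIN looking up A" message, nextcloud and ldap resolve through their CNAMEs to the owncloud addresses, and mx shows the NODATA case that would produce a different error.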
roberto
October 11, 2017, 10:36am
OK so I decided to try this instead of waiting for fbcadmin to be ready.
/root/.acme.sh/acme.sh --httpport 37080 --log --issue --standalone -d ldap.fantinibakery.com --force
I get:
[Wed Oct 11 06:33:27 EDT 2017] Standalone mode.
[Wed Oct 11 06:33:27 EDT 2017] Single domain='ldap.fantinibakery.com'
[Wed Oct 11 06:33:27 EDT 2017] Getting domain auth token for each domain
[Wed Oct 11 06:33:27 EDT 2017] Getting webroot for domain='ldap.fantinibakery.com'
[Wed Oct 11 06:33:27 EDT 2017] Getting new-authz for domain='ldap.fantinibakery.com'
[Wed Oct 11 06:33:28 EDT 2017] The new-authz request is ok.
[Wed Oct 11 06:33:28 EDT 2017] Verifying:ldap.fantinibakery.com
[Wed Oct 11 06:33:28 EDT 2017] Standalone mode server
[Wed Oct 11 06:33:31 EDT 2017] ldap.fantinibakery.com:Verify error:Fetching http://ldap.fantinibakery.com/.well-known/acme-challenge/Tc75oFWF-FG-BuUrnO723sE3tpcqt8QCfRZQPC9vtqM:
Connection refused
[Wed Oct 11 06:33:31 EDT 2017] Please check log file for more details:
/root/.acme.sh/acme.sh.log
# grep error /root/.acme.sh/acme.sh.log
[Wed Oct 11 06:33:31 EDT 2017] ldap.fantinibakery.com:Verify error:Fetching http://ldap.fantinibakery.com/.well-known/acme-challenge/Tc75oFWF-FG-BuUrnO723sE3tpcqt8QCfRZQPC9vtqM: Connection refused
Any hints to solve this?
roberto
October 11, 2017, 11:03am
Searched the forums. Will try adding --tlsport port on the CLI and in pfSense.
roberto
October 11, 2017, 11:07am
/root/.acme.sh/acme.sh --tlsport 37443 --httpport 37080 --log --issue --standalone -d ldap.fantinibakery.com --force
Same error:
[Wed Oct 11 07:06:05 EDT 2017] ldap.fantinibakery.com :Verify error:Fetching http://ldap.fantinibakery.com/.well-known/acme-challenge/NS0GckCHKcQ73TMYeaZ3nI0BT5Dc-J6itSRnm2EjWt4: Connection refused
sahsanu
October 11, 2017, 11:09am
@roberto, keep in mind that it doesn't matter what port is used; Let's Encrypt will try to connect to your server using port 80 (http-01 challenge) or port 443 (tls-01 challenge), so double-check that you are forwarding these ports from your router (pfSense?) to the right ports on the machine.
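As an added example of what the validator actually does (not code from the thread, from acme.sh or from Let's Encrypt): the Python below starts a tiny listener on a free local port, standing in for "acme.sh --standalone --httpport 37080", and then fetches the challenge path the way the CA does. Fetching the port the listener is on returns the key authorization; fetching a port nothing listens on yields exactly the "Connection refused" seen in the log above, which is what a NAT rule that lands external port 80 on the wrong internal port produces. The token is copied from the log; the thumbprint suffix is a constructed placeholder (a real key authorization is token + "." + the account key's JWK thumbprint), and in real use the fetch would come from an outside host against the public name on port 80, not from localhost.

```python
"""HTTP-01 from the validator's side: right port vs. wrong port.

Constructed example, not code from the thread, acme.sh or Let's Encrypt.
"""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Token copied from the thread's log; the suffix is a constructed stand-in
# for the account key thumbprint that acme.sh would append.
TOKEN = "Tc75oFWF-FG-BuUrnO723sE3tpcqt8QCfRZQPC9vtqM"
KEY_AUTH = TOKEN + ".constructed-account-key-thumbprint"
CHALLENGE_PATH = "/.well-known/acme-challenge/"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serves only the one challenge URL, like a standalone ACME listener."""

    def do_GET(self):
        if self.path == CHALLENGE_PATH + TOKEN:
            body = KEY_AUTH.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


class Listener(socketserver.TCPServer):
    allow_reuse_address = True


def start_listener(port=0):
    """Stand-in for 'acme.sh --standalone --httpport N'; port 0 = pick a free one."""
    srv = Listener(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def validator_fetch(host, port, token, expected):
    """Mimic the CA's fetch of the challenge URL.

    Returns 'valid', 'invalid', 'connection refused', 'http <code>' or 'error ...'.
    The real validator always uses port 80 on the public address; the port
    argument here only exists so the wrong-mapping case can be reproduced locally.
    """
    url = f"http://{host}:{port}{CHALLENGE_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as e:
        return f"http {e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, ConnectionRefusedError):
            return "connection refused"
        return f"error {e.reason}"
    return "valid" if body == expected else "invalid"


def demo():
    """Return (result on the listener's port, result on a port with no listener)."""
    srv, listen_port = start_listener()
    try:
        good = validator_fetch("127.0.0.1", listen_port, TOKEN, KEY_AUTH)
        # The thread's misconfiguration: traffic arrives where nothing listens.
        wrong_port = listen_port + 1 if listen_port < 65535 else listen_port - 1
        bad = validator_fetch("127.0.0.1", wrong_port, TOKEN, KEY_AUTH)
        return good, bad
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The useful check in practice is the fetch, run from a host outside the NAT while acme.sh is waiting on its --httpport: if it reports connection refused, the problem is the forwarding rule or a firewall, not acme.sh; a 404 means the connection lands on a different web server than the listener.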
roberto
October 11, 2017, 11:35am
Yes, that was it. I had the target port set to the custom port instead of 80. Thank you.
This probably means progress:
new-authz error: {"type":"urn:acme:error:rateLimited","detail":"Error creating new authz :: Too many invalid authorizations recently.","status": 429}
I assume the connect tests work to get to that point.
sahsanu
October 11, 2017, 11:37am
You need to wait 1 hour before trying again.
roberto
October 11, 2017, 11:37am
OK will do! thanks again.
system
Closed
November 10, 2017, 11:38am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.