I bought a domain from another hosting provider, then I pointed it at the Hetzner DNS zone.
My Nginx is all right,
but I get this message when creating a certificate, like below:
Requesting a certificate for mydomain.com and www.mydomain.com
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.mydomain.com
Type: dns
Detail: no valid A records found for www.mydomain.com; no valid AAAA records found for www.mydomain.com
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I ran this command: sudo certbot --nginx -d shortly.my.id -d www.shortly.my.id
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for shortly.my.id and www.shortly.my.id
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.shortly.my.id
Type: dns
Detail: no valid A records found for www.shortly.my.id; no valid AAAA records found for www.shortly.my.id
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
john@server:~# client_loop: send disconnect: Connection reset
My web server is (include version):
The operating system my web server runs on is (include version): Debian 12 on Hetzner VPS
My hosting provider, if applicable, is: Hetzner Cloud
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0
shortly.my.id. 86400 IN A 128.140.52.219
shortly.my.id. 86400 IN NS helium.ns.hetzner.de.shortly.my.id.
shortly.my.id. 86400 IN NS oxygen.ns.hetzner.com.shortly.my.id.
shortly.my.id. 86400 IN NS hydrogen.ns.hetzner.com.shortly.my.id.
;; Received 152 bytes from 213.133.100.98#53(hydrogen.ns.hetzner.com) in 18 ms
The "IN A" result is fine, but the "IN NS" RRs are incorrect: your own domain is appended to the values. Usually this is due to the lack of a final dot (.) in the value. I.e., you've entered hydrogen.ns.hetzner.com as the value instead of the correct hydrogen.ns.hetzner.com. (notice the very subtle difference at the end).
The same thing is happening for the CNAME RRs for your www subdomain:
www.shortly.my.id. 86400 IN CNAME www.shortly.my.id.shortly.my.id.
www.shortly.my.id.shortly.my.id. 86400 IN CNAME shortly.my.id.shortly.my.id.
Notice your domain twice there. Most likely also due to a missing dot (.) at the end of the value.
Yes, but also for the CNAME above the CNAME you've shown now. Frankly, you would only need a single CNAME, the CNAME you're showing now is not necessary. Only the CNAME www shortly.my.id. would be necessary. With the trailing dot in the value of course.
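As an added example (not part of anyone's post in this thread), a small Python lint that applies zone-file semantics, where a value without a trailing dot is relative to the zone origin, to entries like the ones discussed above and flags the doubled-origin results; the sample records are constructed from the thread's symptoms.

```python
# Added example, not from the thread: lint DNS record values as they would be typed
# into a zone editor, applying zone-file semantics (a name without a trailing dot
# is relative to the zone origin) and flagging the doubled-origin results seen in
# the thread's dig output. The sample records below are constructed.
ORIGIN = "shortly.my.id."

def qualify(name: str, origin: str) -> str:
    """Resolve a record value the way a zone parser does: '@' is the origin,
    a name ending in '.' is absolute, anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def origin_doubled(fqdn: str, origin: str) -> bool:
    """True when the origin labels appear twice at the end of fqdn,
    e.g. 'www.shortly.my.id.shortly.my.id.' for origin 'shortly.my.id.'."""
    labels = fqdn.rstrip(".").split(".")
    olabels = origin.rstrip(".").split(".")
    n = len(olabels)
    return len(labels) >= 2 * n and labels[-2 * n:] == olabels * 2

def lint(records, origin=ORIGIN):
    """records: (owner, rtype, value) tuples as entered in the provider's UI.
    Returns warnings for hostname-valued records (NS/CNAME/MX/PTR) whose value
    would be qualified against the origin, which is usually unintended."""
    warnings = []
    for owner, rtype, value in records:
        if rtype not in ("NS", "CNAME", "MX", "PTR"):
            continue  # A/AAAA/TXT values are not domain names
        fqdn = qualify(value, origin)
        if origin_doubled(fqdn, origin):
            warnings.append(f"{owner} {rtype}: '{value}' becomes '{fqdn}'; add a trailing dot")
        elif not value.endswith(".") and "." in value:
            warnings.append(f"{owner} {rtype}: '{value}' is relative, becomes '{fqdn}'")
    return warnings

# Constructed sample: the entries that produce the thread's symptoms, plus a correct one.
SAMPLE = [
    ("@", "A", "128.140.52.219"),
    ("@", "NS", "hydrogen.ns.hetzner.com"),      # missing trailing dot -> relative
    ("www", "CNAME", "www.shortly.my.id"),         # missing trailing dot -> origin doubled
    ("www2", "CNAME", "shortly.my.id."),           # correct, absolute
]

if __name__ == "__main__":
    for w in lint(SAMPLE):
        print(w)
```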
Please note that one of the .id nameservers (d.dns.id to be exact) is still misconfigured and is providing some Hostinger nameservers as a result instead of the proper Hetzner nameservers. You might want to talk to your domain registrar about that.
If you changed to Hetzner very recently, it may simply take some more time. The d.dns.id nameserver hasn't updated its serial to the same value as the other nameservers. So it simply might be lagging behind.
But if it doesn't change quite soon, you need to contact your DNS registrar. This is what I currently see:
osiris@erazer ~ $ dig @d.dns.id. shortly.my.id NS
; <<>> DiG 9.16.42 <<>> @d.dns.id. shortly.my.id NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33661
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: xxx (good)
;; QUESTION SECTION:
;shortly.my.id. IN NS
;; AUTHORITY SECTION:
shortly.my.id. 3600 IN NS ns2.dns-parking.com.
shortly.my.id. 3600 IN NS ns1.dns-parking.com.
;; Query time: 377 msec
;; SERVER: 45.126.57.57#53(45.126.57.57)
;; WHEN: Sun Nov 10 11:47:28 CET 2024
;; MSG SIZE rcvd: 121
osiris@erazer ~ $
Notice the incorrect nameservers. (Should be Hetzner nameservers.)
Funny thing is: the Hostinger nameservers are still replying to the requests for your domain name, resolving to a parking server from Hostinger. I guess they haven't realised you moved your domain name somewhere else.
I don't know what that has to do with Let's Encrypt?
As mentioned in the questionnaire, all issued certificates are made public in CT logs. Thus, getting a certificate puts your domain name out there. Although all public IP addresses will catch some random portscans anyway, even without CT logs (or mentioning the domain name on this forum).
You say you bought your domain somewhere else, as in your Domain Host is not Hetzner. Well, so did I, and the DNS entries were handled by the Domain Host; you should not need to do it at Hetzner. I can't really tell if you are doing that or not, but your wording suggests you do.
All (ALL) servers will always (ALWAYS) be subject to login attempts... most are automated. It is just the way it is. You can do things about it, like applying firewall rules and making sure you have strong passwords, but at the end of the day, they will still try. Nothing to do about it. As an example, I set a firewall rule to only allow my IP address to log in to the server via SSH. It can be done on the Hetzner control panel for VPS, which I have, but I do not know if it is possible on other services.
You can also create another account "called-something-difficult" and disable SSH access for root account. Be very careful doing that so you do not lock yourself out.
(wow I can edit my posts... )
But, again, it has nothing to do with LetsEncrypt. Just some very general advice.