Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: minlandmachine.com
I ran this command: Ran through cPanel
It produced this output: 9:10:46 AM WARN Local HTTP DCV error (minlandmachine.com): The system queried for a temporary file at “http://minlandmachine.com/.well-known/acme-challenge/NXIYIZOGIQ1_1-A3F428LBI5XPGJ7_2N”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “minlandmachine.com” resolved to an IP address “174.127.110.198” that does not exist on this server.
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): CentOS Linux 7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel v100.0.2
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Looks like the domain is resolving incorrectly on the LetsEncrypt side. The server IP Address is not correct in the error message.
rg305
November 12, 2021, 2:52pm
2
Hi @DOJOCreative and welcome to the LE community forum
Although I'm pretty sure that the Apache configuration may be to blame, we have to be careful what is changed outside of cPanel's control. All things should have been able to have been managed that way.
To that point, have any changes been made outside of cPanel (like in the last 60 days)?
Sorry, I just missed the obvious (TITTLE).
Is that IP ("174.127.110.198") incorrect?
EDIT: It seems like it is correct
echo | openssl s_client -connect minlandmachine.com:443 | head
depth=0 CN = minlandmachine.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = minlandmachine.com
verify return:1
CONNECTED(00000005)
DONE
---
Certificate chain
0 s:CN = minlandmachine.com
i:CN = minlandmachine.com
---
rg305
November 12, 2021, 3:11pm
6
OK I see the problem.
Global DNS is out of sync with your domain servers:
nslookup minlandmachine.com 8.8.8.8
Name: minlandmachine.com
Address: 23.238.35.10
nslookup minlandmachine.com dns1.midphase.com
Name: minlandmachine.com
Address: 174.127.110.198
It seems both IPs are somehow associated with your domain:
echo | openssl s_client -connect 23.238.35.10:443 -servername minlandmachine.com| head
depth=0 CN = minlandmachine.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = minlandmachine.com
verify return:1
DONE
CONNECTED(00000005)
---
Certificate chain
0 s:CN = minlandmachine.com
i:CN = minlandmachine.com
---
echo | openssl s_client -connect 174.127.110.198:443 -servername minlandmachine.com| head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = webdisk.minlandmachine.com
verify return:1
DONE
CONNECTED(00000005)
---
Certificate chain
0 s:CN = webdisk.minlandmachine.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
DNS takes time to sync.
What the "world" sees now:
nslookup -q=soa minlandmachine.com 8.8.8.8
minlandmachine.com
primary name server = dns1.midphase.com
serial = 2014071101
refresh = 14400 (4 hours)
retry = 7200 (2 hours)
What your DNS servers have now:
nslookup -q=soa minlandmachine.com dns1.midphase.com
minlandmachine.com
primary name server = dns1.midphase.com
serial = 2021100103
refresh = 14400 (4 hours)
retry = 7200 (2 hours)
You may have to wait until all systems are at version 2021100103 .
2 Likes
rg305
November 12, 2021, 3:25pm
7
And the plot thickens!
Global DNS shows:
nslookup -q=ns minlandmachine.com a.gtld-servers.net.
minlandmachine.com nameserver = ns14.midphase.com
minlandmachine.com nameserver = ns15.midphase.com
minlandmachine.com nameserver = ns16.midphase.com
But somehow parts of the Internet see:
nslookup -q=ns minlandmachine.com 8.8.8.8
minlandmachine.com nameserver = dns1.midphase.com
minlandmachine.com nameserver = dns2.midphase.com
Talk with your DNS Service Provider (DSP) about this problem - they should be able to help or direct you with it.
2 Likes
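The comparison made in the posts above, as an added example that is not part of the original thread: it parses captured nslookup output and flags when a resolver's NS set or SOA serial differs from the reference view. The function and variable names are hypothetical, and the sample text is constructed from the values quoted in this thread.

```shell
#!/bin/sh
# Added example: compare two captured DNS views of one zone.
# Sample data is constructed from the nslookup output quoted in this thread.

# Print the SOA serial found in `nslookup -q=soa` output read from stdin.
soa_serial() {
    awk -F'=' '/serial[ \t]*=/ { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# Print the sorted, comma-joined NS names found in `nslookup -q=ns` output.
ns_set() {
    awk '/nameserver[ \t]*=/ { sub(/\.$/, "", $NF); print tolower($NF) }' |
        sort -u | paste -sd, -
}

# compare_views REF_NS RESOLVER_NS REF_SOA RESOLVER_SOA
# Prints one finding per line; returns 1 when the two views disagree.
compare_views() {
    ref_ns=$(printf '%s\n' "$1" | ns_set)
    seen_ns=$(printf '%s\n' "$2" | ns_set)
    ref_serial=$(printf '%s\n' "$3" | soa_serial)
    seen_serial=$(printf '%s\n' "$4" | soa_serial)
    rc=0
    if [ "$ref_ns" != "$seen_ns" ]; then
        echo "NS_MISMATCH delegated=$ref_ns resolver=$seen_ns"; rc=1
    fi
    if [ "$ref_serial" != "$seen_serial" ]; then
        echo "SOA_MISMATCH authoritative=$ref_serial resolver=$seen_serial"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "CONSISTENT serial=$ref_serial"
    fi
    return "$rc"
}

# Constructed sample: NS set from a.gtld-servers.net versus 8.8.8.8, and
# SOA from dns1.midphase.com versus 8.8.8.8, as shown in the thread.
PARENT_NS='minlandmachine.com nameserver = ns14.midphase.com
minlandmachine.com nameserver = ns15.midphase.com
minlandmachine.com nameserver = ns16.midphase.com'
RESOLVER_NS='minlandmachine.com nameserver = dns1.midphase.com
minlandmachine.com nameserver = dns2.midphase.com'
ZONE_SOA='serial = 2021100103'
RESOLVER_SOA='serial = 2014071101'

compare_views "$PARENT_NS" "$RESOLVER_NS" "$ZONE_SOA" "$RESOLVER_SOA" ||
    echo "views disagree: expect HTTP validation to reach different hosts"
```

To run it against live data, pass the output of the same nslookup commands used in the thread in place of the sample variables.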
Osiris
November 12, 2021, 4:31pm
8
It's also interesting to note that 23.238.35.10 as well as 174.127.110.198 serve a certificate for minlandmachine.com, but the former uses a self-signed certificate and the latter uses a Let's Encrypt certificate.
Might be useful to know which IP address is actually correct.
3 Likes
rg305
November 12, 2021, 5:35pm
9
That depends on who you ask.
ns14, ns15, ns16 say one thing (timestamped 2021).
dns1, dns2 say another thing (timestamped 2014).
Osiris
November 12, 2021, 6:01pm
10
My suggestion is to ask OP instead of the DNS servers. I'm sure OP knows what IP address the server has
2 Likes
Correct IP should be 23.238.35.10. The dns1 and dns2 servers should no longer be active on the domain. They aren't showing on the whois record and are not part of the registrar listed servers either. I'll put in a ticket at the registrar.
2 Likes