I am new to Nginx w/ LetsEncrypt and used it to initially set up the cert 90 days ago, but the time has come to renew. Right now all of the taborcompany.com traffic just gets blanket-forwarded using my DNS. I don't have A/AAAA records set up for it other than www. (@?) going to my host IP. I was reading other posts like mine and saw some information about IPv6 configs for Nginx, but I didn't see a good solution. I already broke my Nginx instance once trying to troubleshoot and had to restore a backup.
Yes, you do. You have A records for taborcompany.com pointing to four different IPs: 216.239.{32|34|36|38}.21.
No, it doesn't. It gives much more information than that, which would be critical to determining exactly what happened. Admittedly, whenever validation fails, certbot suggests a DNS failure, which is (IMO) pretty misleading--but it always gives more detail.
There are a bunch of ways to do redirects; some play better with LE than others. A HTTP 301 works fine. A CNAME record works fine. Most other methods, not so much.
I am using the domain forwarding option using the Google Domains DNS synthetic records. The four A/AAAA records you are referring to are a part of that domain forwarding that Google does for analytics and whatnot. I guess I didn't actually know those were there without looking at the DNS records again, my bad.
Do you think I should get rid of this “forwarding” option using the Google DNS and set up another method to redirect so LE plays nice?
The actual error in full says:
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: taborcompany.com
Type: connection
Detail: Error getting validation data
To fix these errors, please make sure that your domain name was entered correctly and the dns A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using webroot plugin, you should also verify that you are serving files from the webroot path you provided.
As mentioned in my other response to Dan, I assume my problem is that I am trying to use the Google DNS manager to forward everything to my other domain. Do you have any alternatives or references to documentation for other methods?
I have two domains and I want all of the traffic from the .com to forward to the other one.
As Dan and I said, the domain redirection at the registrar will not forward the path to your destination.
For example, http://taborcompany.com/disndj/help will not forward to tabor.company/disndj/help; instead it will forward only to tabor.company, hence you would need a 301 redirect set up on your server to do the trick.
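The path-preserving 301 that the two replies above recommend (in place of registrar-level forwarding), written as an Nginx server block. This is an added example, not configuration posted by anyone in the thread; the webroot path /var/www/letsencrypt is a hypothetical choice and must match the -w argument given to certbot, and the listen [::]:80 line only helps if the host actually has a working IPv6 address (publish an AAAA record only in that case, since Let's Encrypt will prefer it when one exists).

```nginx
# Added example (not from the thread). Assumes nginx is the box the A record
# for taborcompany.com points at, and certbot runs in webroot mode with
# -w /var/www/letsencrypt (hypothetical path).
server {
    listen 80;
    listen [::]:80;          # only keep this if the host is reachable over IPv6
    server_name taborcompany.com www.taborcompany.com;

    # Answer HTTP-01 challenge requests locally so the redirect below never
    # hides the token; this keeps renewal independent of the other site.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else: permanent redirect that carries the original path and
    # query string, which registrar "domain forwarding" does not do.
    location / {
        return 301 https://tabor.company$request_uri;
    }
}
```

After reloading, `curl -I http://taborcompany.com/disndj/help` should return `301` with `Location: https://tabor.company/disndj/help`, while `curl -I http://taborcompany.com/.well-known/acme-challenge/test` should be answered by this server (a 404 until certbot writes a token there, not a redirect). A renewal can then be rehearsed with `certbot renew --dry-run --preferred-challenges http-01`.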
Wanted to post an update even though I haven’t had success yet. I made too many requests trying different things but I expect once I’ve waited for my cooldown to finish I will have it fixed.
The Google DNS forwarding option was disabled; after enabling it I was able to have success with a dry run. The dry run ran the HTTP-01 challenge and succeeded. I proceeded to run the renew challenge and it failed, but it used the tls-sni-01 challenge.
When I can test again I will try adding --preferred-challenges http-01 to my renew command to see if that works. It may just be a timing thing after making the change with the DNS forwarding option.
After trying to run the renewal again it was successful.
The problem was initially because I had the forwarding option disabled (which is the default for Google DNS). After enabling it I had issues passing the tls-sni-01 challenge; to get around this I used the following command: