ERROR TLS Status: Defective

Hi

In short, AutoSSL in WHM (cPanel) is throwing this in the error log:
Analyzing “nethr.chat” (website) …
8:34:43 AM ERROR TLS Status: Defective
ERROR Certificate expiry: 10/14/24, 2:04 PM UTC (2.69 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).

8:34:43 AM WARN Local HTTP DCV error (nethr.chat): “nethr.chat” does not resolve to any IP addresses on the internet.
WARN Local HTTP DCV error (www.nethr.chat): “www.nethr.chat” does not resolve to any IP addresses on the internet.

But the domain has been registered regularly for over a year now and points to my server:

Everything was OK until the renewal of the certificate.

I am sorry if this is a duplicate post or I did not read something. I searched the forum and found one similar issue, but it was not related to mine, and I am not an expert/advanced user.

The warning "nethr.chat" does not resolve to any IP addresses on the internet sounds important, and DNSViz is unhappy with your DNSSEC configuration: nethr.chat | DNSViz

6 Likes

Looks like those erroneous dnsowl.com nameservers are gone now, only wpsetups.com nameservers left. I can see the expired certificate being presented currently.

OP simply needs to renew it now :slight_smile:

Edit: weird, DNSViz still sees those dnsowl nameservers somehow. Not sure where it's getting those from; I can't see them myself...

Ah, found it, maybe! I think it's coming from the SOA RR for nethr.chat. itself. It mentions ns1.dnsowl.com. Still not sure where ns2 is coming from, though... Nor where robotns3.second-ns.com comes from at all...

OK, figured it out...

The current nameservers ns1.wpsetups.com and ns2.wpsetups.com are actually configured properly in the recursive path from the root zone . down to the domain ("delegation NS RRset"), BUT if you ask those wpsetups nameservers THEMSELVES who the correct nameservers of nethr.chat are ("authoritative NS RRset"), they don't respond with "Well, that's myself and my neighbour"; no, they respond with those erroneous dnsowl.com and second-ns.com nameservers!:

osiris@erazer ~ $ dig @ns1.wpsetups.com. +norecurse nethr.chat NS

; <<>> DiG 9.16.42 <<>> @ns1.wpsetups.com. +norecurse nethr.chat NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57476
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nethr.chat.			IN	NS

;; ANSWER SECTION:
nethr.chat.		86400	IN	NS	robotns3.second-ns.com.
nethr.chat.		86400	IN	NS	ns2.dnsowl.com.
nethr.chat.		86400	IN	NS	ns1.dnsowl.com.

;; Query time: 19 msec
;; SERVER: 94.130.15.46#53(94.130.15.46)
;; WHEN: Thu Oct 17 09:40:56 CEST 2024
;; MSG SIZE  rcvd: 118

osiris@erazer ~ $

Which is... well... weird and completely incorrect, obviously.

5 Likes
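The mismatch described in the post above (the delegation NS RRset handed out by the parent versus the NS RRset the zone's own servers answer with) can be checked mechanically. The following is an added example, not code from the thread or from any tool mentioned in it: it parses the text output of `dig <server> +norecurse <zone> NS` with the Python standard library, flags servers that answer REFUSED (lame delegation) or without the `aa` flag, and compares the two NS sets. The "before fix" answer is modeled on the dig output posted above; the parent referral, the REFUSED answer and the "after fix" answer are constructed sample inputs, not captured from the real servers.

```python
"""Compare a zone's delegation NS RRset (parent/TLD) with its authoritative NS RRset (the zone's own servers)."""
import re
from dataclasses import dataclass, field

ZONE = "nethr.chat"

# One NS record line as dig prints it, e.g. "nethr.chat.  86400  IN  NS  ns1.dnsowl.com."
_NS_RR = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+NS\s+(?P<target>\S+)\s*$")


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so 'NS1.dnsowl.com.' == 'ns1.dnsowl.com'."""
    return name.lower().rstrip(".")


@dataclass
class NsAnswer:
    rcode: str                                   # NOERROR, REFUSED, ...
    aa: bool                                     # 'aa' header flag: server claims authority
    answer: set = field(default_factory=set)     # NS targets from the ANSWER section
    authority: set = field(default_factory=set)  # NS targets from the AUTHORITY section (referrals)


def parse_dig_ns(output: str, zone: str) -> NsAnswer:
    """Extract rcode, aa flag and the NS RRset(s) owned by `zone` from `dig ... NS` output."""
    res = NsAnswer(rcode="UNKNOWN", aa=False)
    section = None
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status:\s*([A-Z]+)", line)
            if m:
                res.rcode = m.group(1)
        elif line.startswith(";; flags:"):
            m = re.search(r"flags:([a-z ]*);", line)
            res.aa = bool(m) and "aa" in m.group(1).split()
        elif line.startswith(";; ANSWER SECTION:"):
            section = "answer"
        elif line.startswith(";; AUTHORITY SECTION:"):
            section = "authority"
        elif line.startswith(";;") or not line.strip():
            section = None                       # any other section header or blank line ends the RRset
        elif section:
            m = _NS_RR.match(line)
            if m and _norm(m.group("owner")) == _norm(zone):
                getattr(res, section).add(_norm(m.group("target")))
    return res


def compare_ns(delegation: set, zone_ns: set) -> dict:
    """Set difference between the delegation NS RRset and the zone's own NS RRset."""
    return {
        "consistent": delegation == zone_ns,
        "only_in_delegation": sorted(delegation - zone_ns),
        "only_in_zone": sorted(zone_ns - delegation),
    }


def diagnose(zone: str, parent_output: str, child_outputs: dict) -> list:
    """Return findings; child_outputs maps a child nameserver name to the dig output obtained from it."""
    parent = parse_dig_ns(parent_output, zone)
    delegation = parent.authority or parent.answer   # a referral carries the delegation in AUTHORITY
    if not delegation:
        return [f"{zone}: parent returned no delegation NS RRset ({parent.rcode})"]
    findings = []
    for server, out in child_outputs.items():
        ans = parse_dig_ns(out, zone)
        if ans.rcode != "NOERROR":
            findings.append(f"{server}: {ans.rcode} for {zone} NS (lame: server does not serve the zone)")
            continue
        if not ans.aa:
            findings.append(f"{server}: answered without the aa flag (not authoritative for {zone})")
            continue
        cmp = compare_ns(delegation, ans.answer)
        if cmp["consistent"]:
            findings.append(f"{server}: authoritative NS RRset matches delegation {sorted(delegation)}")
        else:
            findings.append(f"{server}: NS RRset mismatch; only in delegation={cmp['only_in_delegation']}, "
                            f"only in zone={cmp['only_in_zone']}")
        if _norm(server) not in ans.answer:
            findings.append(f"{server}: zone's own NS RRset does not list this server")
    return findings


# Constructed sample: referral from a .chat TLD server (delegation lives in AUTHORITY, no aa flag).
PARENT_REFERRAL = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;nethr.chat.            IN      NS

;; AUTHORITY SECTION:
nethr.chat.     3600    IN      NS      ns1.wpsetups.com.
nethr.chat.     3600    IN      NS      ns2.wpsetups.com.
"""
# Modeled on the dig output posted in the thread (ns1.wpsetups.com before the fix).
CHILD_BEFORE_FIX = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57476
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
nethr.chat.     86400   IN      NS      robotns3.second-ns.com.
nethr.chat.     86400   IN      NS      ns2.dnsowl.com.
nethr.chat.     86400   IN      NS      ns1.dnsowl.com.
"""
# Constructed sample: a server that does not serve the zone at all.
CHILD_REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed sample modeled on the post-fix nslookup answers later in the thread.
CHILD_AFTER_FIX = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
nethr.chat.     86400   IN      NS      ns1.wpsetups.com.
nethr.chat.     86400   IN      NS      ns2.wpsetups.com.
"""

if __name__ == "__main__":
    for finding in diagnose(ZONE, PARENT_REFERRAL, {"ns1.wpsetups.com": CHILD_BEFORE_FIX,
                                                     "robotns3.second-ns.com": CHILD_REFUSED}):
        print(finding)
```

To run it against live servers, feed `diagnose` the output of `dig @<tld-server> +norecurse <zone> NS` as the parent referral and `dig @<child> +norecurse <zone> NS` for each delegated server; the comparison is deliberately done on normalized names, so a trailing dot or case difference never masquerades as a mismatch.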

Yeah, that third entry doesn't know anything about "nethr.chat":

nslookup -q=ns nethr.chat robotns3.second-ns.com
Server:  robotns3.second-ns.com
Address: 193.47.99.3
*** robotns3.second-ns.com can't find nethr.chat: Query refused
nslookup -q=ns nethr.chat robotns3.second-ns.com
Server:  robotns3.second-ns.com
Address: 2001:67c:192c::add:a3#53
** server can't find nethr.chat: REFUSED
4 Likes

From the TLD nameservers:

nslookup -q=ns nethr.chat v0n0.nic.chat
Server:         v0n0.nic.chat
Address:        2a01:8840:22::42#53

Non-authoritative answer:
*** Can't find nethr.chat: No answer

Authoritative answers can be found from:
nethr.chat      nameserver = ns2.wpsetups.com.
nethr.chat      nameserver = ns1.wpsetups.com.
3 Likes

No, I meant the ns2.dnsowl.com NS with that ns2, as only ns1 was mentioned in the SOA RR.

But it wasn't the SOA RR in the end, see my edit below the "OK, figured it out" stuff: it's simply the authoritative NS RRset from nethr.chat's own nameservers that is not referring to themselves.

3 Likes

Thank you all very much for the info, I didn't understand it all :slight_smile: but it led me to the solution. Before, I used my registrar's default nameservers. Now I am using my web server's ns1 and ns2.wpsetups.com. And the registrar's default nameservers were left listed in the zone in the NS records on my nameserver, which I host on my dedicated server. I still cannot run AutoSSL even though I made changes in the zone; I probably have to wait 24-48 hours for propagation.

1 Like

DNSViz seems to be happy now indeed: nethr.chat | DNSViz.

If you run into new/other issues, let us know!

4 Likes

LE doesn't use global (caching) DNS systems.
They seem correct now:

nslookup -q=ns nethr.chat ns1.wpsetups.com
nethr.chat     nameserver = ns1.wpsetups.com
nethr.chat     nameserver = ns2.wpsetups.com

nslookup -q=ns nethr.chat ns2.wpsetups.com
nethr.chat     nameserver = ns1.wpsetups.com
nethr.chat     nameserver = ns2.wpsetups.com

You can try it again now.

2 Likes

The problem wasn't with LE to begin with, looking at the error messages, but with some AutoSSL pre-check.

Unboundtest also did not show any issue. Not sure why that local check did, though.

1 Like
