Error when trying to create ssl cert

jackhendo · May 9, 2022, 9:30pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cat.hollingermetaledge.com

I ran this command: sudo certbot --nginx

It produced this output: https://pastebin.com/raw/B31HrQMN

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: BUYVM

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

_az · May 9, 2022, 10:13pm

Detail: DNS problem: SERVFAIL looking up CAA for cat.hollingermetaledge.com - the domain's nameservers may be malfunctioning

Unfortunately problems with Network Solutions' DNS hosting come up quite often on this forum. I don't think there has been a straightforward solution other than contacting their support and trying again.

With the specific issue you're having, you could try one of two things to avoid the bogus response coming from NetSol's servers:

Add a CAA record for cat.hollingermetaledge.com, or
Disable DNSSEC on your domain entirely

jackhendo · May 9, 2022, 10:49pm

You're a legend. Disabling DNSSEC then running the lets encrypt commands works perfectly. Then you can re-enable DNSSEC. Thank you so much

rg305 · May 9, 2022, 10:57pm

I wonder how that will go during the renewal [in 60 days].

Be prepared to turn that off and on again.
OR
To add some authoritative DNS servers that can handle the lack of CAA record query properly.
OR
Switch DNS Service Provider [DSP] to one that can...

system · June 8, 2022, 10:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.