Error with using bncert on AWS Lightsail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tampabayintlschool.org

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output:
An error occurred creating certificates with Let's Encrypt:

error: one or more domains had a problem:
[www.tampabayintlschool.org] acme: error: 400 :: urn:ietf:params:
acme:error:dns
:: During secondary validation: DNS problem: SERVFAIL looking up
CAA for
www.tampabayintlschool.org - the domain's nameservers may be malf
unctioning,
url:

Please check our documentation and support forums, we'll be happy
to help!

• Bitnami Documentation: https://docs.bitnami.com
• Bitnami Community: https://community.bitnami.com

Press [Enter] to continue:

Error

An error occurred when applying configurations.

The web server configuration was left unchanged. There was an err
or in the new or in the new
configuration, so it was reverted.

Failed steps:

• Running Let's Encrypt: Error creating certificates

Find more details in the log file:

/tmp/bncert-202012090251.log

If you find any issues, please check Bitnami Support forums at:

Press [Enter] to continue:

My web server is (include version): Apache/2.4.43

The operating system my web server runs on is (include version): Debian 4.19.118

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

There are DNS problems.
See: tampabayintlschool.org | DNSViz

When you ask a root DNS server, is says (four nameservers):

nslookup -q=ns tampabayintlschool.org a0.org.afilias-nst.info
nslookup -q=ns tampabayintlschool.org b0.org.afilias-nst.org
tampabayintlschool.org  nameserver = ns-1397.awsdns-46.org
tampabayintlschool.org  nameserver = ns-925.awsdns-51.net
tampabayintlschool.org  nameserver = ns-1689.awsdns-19.co.uk
tampabayintlschool.org  nameserver = ns-430.awsdns-53.com

When you ask one of those servers, it says (four different nameservers):

nslookup -q=ns tampabayintlschool.org ns-1397.awsdns-46.org
nslookup -q=ns tampabayintlschool.org ns-925.awsdns-51.net
tampabayintlschool.org  nameserver = ns-1439.awsdns-51.org
tampabayintlschool.org  nameserver = ns-1560.awsdns-03.co.uk
tampabayintlschool.org  nameserver = ns-594.awsdns-10.net
tampabayintlschool.org  nameserver = ns-82.awsdns-10.com

The first set of NS records (from the .com. nameservers) actually function properly. But it seems the Let's Encrypt DNS resolvers apparently resolve the authorative nameservers from the would be authorative name servers first and then continue resolving again, trying the wrong set of nameservers..

The mismatched names alone is enough to break it.

If you're strict, yes. I agree this is an issue. But if you just query the NS servers provided by the .com servers, you'll get a proper NXDOMAIN as result.

Here are the records that have set up with Amazon Route 53:

Records (4)

||tampabayintlschool.org|NS|Simple|-|No|
ns-1439.awsdns-51.org
ns-594.awsdns-10.net
ns-1560.awsdns-03.co.uk
ns-82.awsdns-10.com|172800|-|-|-|

||tampabayintlschool.org|SOA|Simple|-|No|ns-925.awsdns-51.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400|900|-|-|-|

||www.tampabayintlschool.org|A|Simple|-|No|18.213.25.0|300|-|-|-|

Do I need to do anything on the Debian instance where I ran the command :

sudo /opt/bitnami/bncert-tool

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.