Failing on transferred domain (CAA failure, DNS probably to blame)

I’m running the letsencrypt-proxy-companion docker image; it works for all my domains, but the DNS for a client’s domain is borked up.

My domain is: eagle-research.com (and www.eagle-research.com)

Please see
https://unboundtest.com/m/CAA/www.eagle-research.com/75OQN2ET

Can you advise?

Hi @jrichet

where do you see a problem? Unboundtest reports "Noerror". And

Verified that unsigned response is INSECURE

is ok.

Your nameservers are ( https://check-your-website.server-daten.de/?q=eagle-research.com ):

Domain                   Nameserver      NS-IP
www.eagle-research.com   ns1.ideoz.biz
eagle-research.com       ns1.ideoz.biz   162.144.153.139
                         ns2.ideoz.biz   162.144.198.45

And checking DNSSEC:

eagle-research.com 0 DS RR in the parent zone found
DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirms the non-existence of a DS RR.

That's (effectively) the same result as Unboundtest reports: an NSEC3 in the parent zone confirms that your zone is not signed, so the result "No CAA" is not signed.

And your CAA result is empty:

CAA - Entries

Domainname               flag   Name / Value          ∑ Queries   ∑ Timeout
www.eagle-research.com   0      no CAA entry found    1           0
eagle-research.com       0      no CAA entry found    1           0
com                      0      no CAA entry found    1           0

Is there an error message creating a new certificate?


Thanks for getting back to me so fast! Yes, the error is:

Creating/renewal eagle-research.com certificates... (eagle-research.com)
2019-04-26 17:47:29,211:INFO:simp_le:1479: Generating new certificate private key
2019-04-26 17:47:30,241:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/Le84OilLFPKQX75NIR8tEDLdci-CTgypVWur0Ph9Gew

omg my splash page is hiding it… duh

Now I’m just waiting for the rate limit to reset, then I’ll hide the landing page for a minute while I run certbot.

How long should I wait before trying again?

I’m hitting the rate limit as this domain tries to update its cert every time I launch a new domain… ugh.

That means only that the challenge is wrong.

DNS errors may be a problem, but your domain looks ok ( https://check-your-website.server-daten.de/?q=eagle-research.com ):

Domainname                                                    Http-Status   redirect                    Sec.    G
http://www.eagle-research.com/ (75.157.236.10)                302           http://eagle-research.com   0.357   D
http://eagle-research.com                                     200                                       0.490   H
http://eagle-research.com/ (75.157.236.10)                    200                                       0.560   H
https://eagle-research.com/ (75.157.236.10)                   200                                       3.457   N
    Certificate error: RemoteCertificateNameMismatch
https://www.eagle-research.com/ (75.157.236.10)               200                                       2.167   N
    Certificate error: RemoteCertificateNameMismatch
http://eagle-research.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (75.157.236.10)
                                                              404                                       0.513   A
    Not Found
    Visible Content: We are in the process of launching a new site Please bear with us as we work out all the kinks. You can still call us to order ALL CUSTOMERS DIAL 1-716-507-4427 Name * Email * Comment or Message * Message Submit
http://www.eagle-research.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (75.157.236.10)
                                                              404                                       0.380   A
    Not Found
    Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at www.eagle-research.com Port 80

Port 80 is open and answers with the expected http status 404 - not found checking an unknown file in /.well-known/acme-challenge.

So: What’s your complete command?


The standard template of #help


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


PS: You can use the test system. That has its own, higher limits. So you can test your config to find your correct webroot (if you use webroot).
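An added self-check, not code from the thread or from the proxy companion, for the webroot advice above: it repeats the probe that the check-your-website rows show, against a temporary webroot on loopback. A static webroot serves a placed token back byte-for-byte and answers 404 for an unknown token; the constructed SplashHandler stands in for a launch page that answers every path with 200 and so hides the challenge, which is the failure this thread ran into.

```python
import functools, http.server, os, secrets, socketserver, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot, token, key_auth):
    """Write the token file where a webroot-mode HTTP-01 client would put it."""
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(key_auth)

class SplashHandler(http.server.SimpleHTTPRequestHandler):
    """Constructed stand-in for a launch page that answers every path itself."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"We are in the process of launching a new site")

def probe(port, token, expected):
    """Fetch the challenge URL as the CA would; return (status, body matches)."""
    url = f"http://127.0.0.1:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode() == expected
    except urllib.error.HTTPError as err:
        return err.code, False

def check_http01(handler_cls=http.server.SimpleHTTPRequestHandler):
    """Serve a temp webroot on loopback; probe a real and an unknown token.
    Returns (status_for_token, body_matches, status_for_unknown_token)."""
    with tempfile.TemporaryDirectory() as webroot:
        token, key_auth = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        place_token(webroot, token, key_auth)
        handler = functools.partial(handler_cls, directory=webroot)
        srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            port = srv.server_address[1]
            status, ok = probe(port, token, key_auth)
            unknown, _ = probe(port, "no-such-token", key_auth)
        finally:
            srv.shutdown()
            srv.server_close()
    return status, ok, unknown

if __name__ == "__main__":
    print("static webroot:", check_http01(), "splash page:", check_http01(SplashHandler))
```

A 200 on the unknown-token probe means something other than the webroot is answering that path; a 404 there with the real token served is what the CA needs to see.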

I really just need the rate limit reset now that i know what the problem is

Did you create a test certificate?

Please read

Got it. The test completed, but after I timed out the rate limit again.

/app
/etc/nginx/certs/_test_eagle-research.com /app
Creating/renewal eagle-research.com certificates... (eagle-research.com)
2019-04-27 04:00:19,343:INFO:simp_le:1479: Generating new certificate private key
2019-04-27 04:00:20,332:INFO:simp_le:360: Saving key.pem
2019-04-27 04:00:20,333:INFO:simp_le:360: Saving chain.pem
2019-04-27 04:00:20,334:INFO:simp_le:360: Saving fullchain.pem
2019-04-27 04:00:20,335:INFO:simp_le:360: Saving cert.pem

It was my docker setup. Working now. Thank you.
