Generate wildcard certificate failed

I tried my domain in letsdebug many times and got different errors; I can’t figure out what’s wrong. Any help, please?

My domain is: sig4pg.com

I ran this command: certbot run -a manual -i nginx -d *.sig4pg.com --preferred-challenges dns

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for sig4pg.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.sig4pg.com with the following value:

IyjyGQw-_vgJGoM6TM1UrALoPENHpcPhqTCyoH54TVg

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Resetting dropped connection: acme-v02.api.letsencrypt.org
Challenge failed for domain sig4pg.com
dns-01 challenge for sig4pg.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: sig4pg.com
    Type: dns
    Detail: During secondary validation: DNS problem: SERVFAIL looking
    up CAA for sig4pg.com - the domain’s nameservers may be
    malfunctioning

My web server is (include version): nginx version: nginx/1.16.1

The operating system my web server runs on is (include version): CentOS Linux release 7.8.2003 (Core)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes):

I’m using a control panel to manage my site (no):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.5.0

1 Like

Hi @xp_xm

checking your domain via https://check-your-website.server-daten.de/?q=sig4pg.com - you see:

Your name servers are terribly buggy.

A lot of error messages:

X Fatal error: Nameserver doesn’t support echo capitalization. That’s critical if you want to create Letsencrypt certificates. Read https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 (2008). If a dns client asks “ExAmPlE.cOm”, the name server must answer with the same name, not with “example.com”. Creating Letsencrypt certificates isn’t possible. Your name server provider must update the software.: ns1.huaweicloud-dns.cn / 122.112.208.53

These huaweicloud servers are known as buggy.

Your error message says: The primary servers of Letsencrypt are able to check your dns. But the secondary are not, so the validation fails.

-> Switch to another DNS provider or ask there.

PS: You are not the first user with these problems. See

3 Likes

Thanks!
Is there any solution for now?

2 Likes

You can try to create a CAA entry.

13. CAA - Entries

Domainname       flag  Name                Value  ∑ Queries  ∑ Timeout
www.sig4pg.com                                    2          2
sig4pg.com                                        2          2
com              0     no CAA entry found         1          0

Letsencrypt must check if there exists a blocking CAA entry. So a timeout -> maybe the connection is hacked -> Letsencrypt isn’t allowed to create a certificate.

But if Letsencrypt finds a RR, it may work.

3 Likes
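The two checks discussed in this thread, the 0x20 "echo capitalization" test from the earlier reply and the CAA lookup (SERVFAIL vs. no entry vs. a blocking entry) from the reply above, can be reproduced offline. The following is an added example, not code from the thread, from Certbot, or from check-your-website: it builds DNS wire-format messages by hand with the standard library only, answers them with a constructed fake authoritative server (echo_case=False models the lowercasing bug the checker reported), and applies the same verdicts a CA's validator would. The CA name "other-ca.example" is a placeholder; everything else follows RFC 1035 and RFC 8659 wire formats.

```python
"""Offline simulation of two DNS checks that Let's Encrypt's validation depends on:
0x20 echo capitalization and CAA lookup. Standard library only."""
import random
import struct

QTYPE_CAA = 257        # CAA record type (RFC 8659)
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name, preserving the exact letter case given."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (text with trailing dot, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def randomize_case(qname: str, seed=None) -> str:
    """0x20 (draft-vixie-dnsext-dns0x20): randomly flip the case of each letter in the QNAME."""
    rng = random.Random(seed)
    return "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in qname)


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def fake_server(query: bytes, echo_case=True, rcode=RCODE_NOERROR, caa_records=()) -> bytes:
    """Constructed authoritative server. echo_case=False models the bug the checker flagged:
    the QNAME comes back lowercased instead of echoed byte-for-byte."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = encode_name(qname if echo_case else qname.lower()) + struct.pack("!HH", qtype, qclass)
    answers = b""
    for flag, tag, value in caa_records:                 # CAA rdata: flags, tag length, tag, value
        rdata = bytes([flag, len(tag)]) + tag.encode("ascii") + value.encode("ascii")
        answers += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_CAA, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, len(caa_records), 0, 0)  # QR+AA
    return header + question + answers


def echo_capitalization_ok(query: bytes, response: bytes) -> bool:
    """A 0x20-aware resolver rejects answers whose question name is not echoed exactly."""
    sent, _ = read_name(query, 12)
    echoed = parse_message(response)["questions"][0][0]
    return sent == echoed                                # deliberately case-sensitive


def caa_verdict(response: bytes, issuer="letsencrypt.org", wildcard=False) -> str:
    """servfail: CA cannot decide; no-caa: any CA may issue; permitted/forbidden per RFC 8659."""
    r = parse_message(response)
    if r["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if r["rcode"] != RCODE_NOERROR:
        return "error"
    issue, issuewild = [], []
    for _name, rtype, rdata in r["answers"]:
        if rtype != QTYPE_CAA:
            continue
        taglen = rdata[1]
        tag = rdata[2:2 + taglen].decode("ascii").lower()
        value = rdata[2 + taglen:].decode("ascii").strip()
        (issue if tag == "issue" else issuewild if tag == "issuewild" else []).append(value)
    if not issue and not issuewild:
        return "no-caa"
    relevant = issuewild if (wildcard and issuewild) else issue   # issuewild wins for *.names
    return "permitted" if (not relevant or issuer in relevant) else "forbidden"


if __name__ == "__main__":
    q = build_query(randomize_case("sig4pg.com."), QTYPE_CAA)
    print("echo ok (good server):", echo_capitalization_ok(q, fake_server(q)))
    print("echo ok (buggy server):", echo_capitalization_ok(q, fake_server(q, echo_case=False)))
    print("CAA on SERVFAIL:", caa_verdict(fake_server(q, rcode=RCODE_SERVFAIL)))
```

The SERVFAIL branch is the one in the original error message: the validator never sees a CAA answer, so it cannot rule out a blocking record and refuses to issue, whereas an empty NOERROR answer ("no CAA entry found") is a clean pass. The echo check is independent of CAA, which is why adding a CAA record alone did not fix the problem once a 0x20-aware secondary validator discarded the lowercased replies.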

I tried to add a CAA entry in the huaweicloud DNS control panel, but it still couldn’t pass the challenge. So I switched the domain’s DNS server to alidns, then everything was working fine! I have reported those bugs to Huawei; hope they can fix it.

4 Likes

Yep, I saw the CAA entry. But the echo capitalization problem blocks that.

Most DNS providers have working systems. So changing the DNS provider allows creating LE certificates.

3 Likes