Get "Invalid domain" error when trying to create a certificate

My domain is: boboworld.com

I ran this command: Control Panel>Security>Certificate>Add from within DSM 7.1.1-42962 Update 1

It produced this output: "Invalid domain. Please make sure this domain can be resolved into a public IP address."

My web server is (include version): Apache HTTP Server 2.4

The operating system my web server runs on is (include version): DSM 7.1.1-42962 Update 1

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes. See above.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a

See attached for clipped screenshots of useful info.

Welcome to the community @kenhumphries

I see all your domain names in your authoritative name server. And, that's all that Let's Encrypt (and Let's Debug) look at.

But, I think DSM is checking your names with a DNS resolver and your names have not yet propagated. Is that possible? If so, just wait a bit.

Tests from my own server (on AWS) don't see your subdomains yet either. But, if I check your authoritative they are fine.

6 Likes

Using Let's Debug with boboserverw.boboworld.com as the input with HTTP-01 Challenge gets these results: https://letsdebug.net/boboserverw.boboworld.com/1322322
There are 2 DNSLookupFailed FATAL results.

You have a DNS configuration issue.

Using https://dnsspy.io/ you can check on the domain boboworld.com : DNS Spy report for boboworld.com

3 Likes

Additional supplemental information, some of them show DNSSEC Errors:

2 Likes

Yes, I see that now when Let's Encrypt looks up the (not required) CAA and AAAA it gets a SERVFAIL instead of a 'Not found'. That is certainly a problem.

And, it only affects the subdomains and not boboworld.com itself. Odd.

I don't see anything in the dnsspy.io report that would explain that. But, there are some warnings about DNSSEC which might (link here)

That said, I think we recently had a couple reports of this same problem (with subdomain lookups for optional DNS records). I don't recall enough of those details to find them though.

7 Likes

I would set AAAA, but for some reason, my AT&T Arris NVG599 Gateway blocks incoming traffic. The IPV6 port is: 2600:1700:5450:6150:9209:d0ff:fe17:f1bf

If I use DNSChecker with my IPV6 address:

all ports are blocked, but when I use the IPV4 for the same ethernet port:

everything is fine.

I checked the DNSSEC warnings, but nothing there would lead me to believe that this is causing the problem that I am having.

3 Likes

I realize you want multiple SANs for the Certificate; however, for debugging purposes maybe start with just one to get it working and then add to it.

And please use the Staging Environment during testing and debugging, because of the Rate Limits.

To me it still looks like there are DNS issues.

DNS Spy report for boboworld.com does not show boboserverw.boboworld.com

This tool DNS Lookup - Check DNS Records cannot find an Authoritative DNS Name Server for boboserverw.boboworld.com

This tool Hardenize Report: boboserverw.boboworld.com is showing DNSSEC invalid for boboserverw.boboworld.com and NO DNS Zone; and DNS Records grey also.

Using nslookup I cannot find an Authoritative DNS Name Server for boboserverw.boboworld.com
Yet boboworld.com has Authoritative DNS Name Servers.

$ nslookup -q=ns boboserverw.boboworld.com ns85.worldnic.com.
Server:         ns85.worldnic.com.
Address:        162.159.26.131#53

*** Can't find boboserverw.boboworld.com: No answer

$ nslookup -q=ns boboserverw.boboworld.com ns86.worldnic.com.
Server:         ns86.worldnic.com.
Address:        162.159.27.117#53

*** Can't find boboserverw.boboworld.com: No answer

$ nslookup -q=ns boboworld.com ns85.worldnic.com.
Server:         ns85.worldnic.com.
Address:        162.159.26.131#53

boboworld.com   nameserver = ns85.worldnic.com.
boboworld.com   nameserver = ns86.worldnic.com.

$ nslookup -q=ns boboworld.com ns86.worldnic.com.
Server:         ns86.worldnic.com.
Address:        162.159.27.117#53

boboworld.com   nameserver = ns85.worldnic.com.
boboworld.com   nameserver = ns86.worldnic.com.

2 Likes

@kenhumphries I couldn't find any other thread with your DNS provider in past couple weeks. But, there is clearly something wrong and you should take it up with them. Perhaps the results below will help convince them of the problem. Also, see the Let's Encrypt docs about DNS errors (link here)

The summary is that for your subdomains the DNS lookup for records that are not present (CAA, AAAA) returns a SERVFAIL. But, DNS lookups for your apex domain work fine (even CAA, AAAA that are not present).

I think if you disable DNSSEC it will work, but that's a guess; if it helps, that points to DNSSEC as the cause in your DNS config.

If you can't use dig, use unboundtest.com to reproduce these results.

dig CAA mail.boboworld.com
(fails w/SERVFAIL and so will AAAA as not present)

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> CAA mail.boboworld.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29423
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

============================
dig A mail.boboworld.com
(works fine)

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> A mail.boboworld.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61511
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mail.boboworld.com.     300     IN      A       108.215.19.66

==========================
dig CAA boboworld.com
(works correctly by responding NOERROR with no ANSWER since no CAA)

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> CAA boboworld.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

5 Likes
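The three dig headers above differ only in the header fields: status (RCODE) and the section counts. To make that distinction concrete, here is an added Python example that is not part of this thread and not code from Let's Encrypt or Let's Debug. It parses the 12-byte DNS message header and classifies the outcome the way a CA's validator has to: NOERROR with no answer (NODATA) and NXDOMAIN mean "no such record", while SERVFAIL is a lookup failure and can never be read as "no record". The sample headers are constructed from the id, status, flags and counts printed by dig; the classification rules are my own summary, not Boulder's source.

```python
import struct
from dataclasses import dataclass

# RFC 1035 section 4.1.1 response codes (only the common ones are named here)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


@dataclass
class DnsHeader:
    id: int
    qr: bool       # 1 = response
    rd: bool       # recursion desired
    ra: bool       # recursion available
    ad: bool       # authenticated data (set by a validating resolver)
    rcode: int
    qdcount: int
    ancount: int
    nscount: int   # authority section: carries the SOA on a proper NODATA/NXDOMAIN
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header at the start of any DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        id=ident,
        qr=bool(flags & 0x8000),
        rd=bool(flags & 0x0100),
        ra=bool(flags & 0x0080),
        ad=bool(flags & 0x0020),
        rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def classify(hdr: DnsHeader) -> str:
    """Map a response header to the outcome a certificate validator cares about."""
    if not hdr.qr:
        raise ValueError("not a response (QR bit clear)")
    if hdr.rcode == 0 and hdr.ancount > 0:
        return "ANSWER"
    if hdr.rcode == 0:
        # Name exists, no record of this type. For optional CAA/AAAA this is fine;
        # a well-formed NODATA also carries the zone SOA in the authority section.
        return "NODATA"
    if hdr.rcode == 3:
        # Name does not exist at all; for an optional record that also means "none".
        return "NXDOMAIN"
    # SERVFAIL, REFUSED, ...: the lookup failed, so the validator cannot conclude
    # "no record" and must abort instead of proceeding.
    return RCODES.get(hdr.rcode, f"RCODE{hdr.rcode}")


def build_header(ident: int, rcode: int, qd: int, an: int, ns: int, ar: int,
                 rd: bool = True, ra: bool = True, ad: bool = False) -> bytes:
    """Assemble a response header (used here only to construct sample input)."""
    flags = 0x8000 | (0x0100 if rd else 0) | (0x0080 if ra else 0) \
        | (0x0020 if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed sample headers mirroring the three dig outputs in the thread
# (id, status, QUERY/ANSWER/AUTHORITY/ADDITIONAL counts; flags qr rd ra in all three).
SAMPLES = {
    "CAA mail.boboworld.com": build_header(29423, 2, 1, 0, 0, 1),   # SERVFAIL
    "A mail.boboworld.com":   build_header(61511, 0, 1, 1, 0, 1),   # NOERROR, one answer
    "CAA boboworld.com":      build_header(2573, 0, 1, 0, 1, 1),    # NOERROR, SOA in authority
}


def classify_samples() -> dict:
    """Classify every constructed sample; returns {query: outcome}."""
    return {q: classify(parse_header(raw)) for q, raw in SAMPLES.items()}


if __name__ == "__main__":
    for query, outcome in classify_samples().items():
        print(f"{query:26} -> {outcome}")
```

Only the SERVFAIL case stops a CA from issuing; the apex NODATA answer, with its AUTHORITY count of 1 (the SOA), is exactly what a resolver expects for a name that exists but has no CAA record, which is why the same lookup against boboworld.com succeeds.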

Not sure how this happens...

In Windows:

nslookup -q=ns boboserverw.boboworld.com ns86.worldnic.com.
Server:  UnKnown
Address:  162.159.27.117

boboworld.com
        primary name server = NS85.WORLDNIC.com
        responsible mail addr = namehost.WORLDNIC.com
        serial  = 123010217
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

In Linux:

nslookup -q=ns boboserverw.boboworld.com ns86.worldnic.com.
Server:         ns86.worldnic.com.
Address:        162.159.27.117#53

*** Can't find boboserverw.boboworld.com: No answer

Same request, two different responses.

3 Likes

Maybe Windows doesn't pay attention to the Server?

Remote FreeBSD 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64

>nslookup -q=ns boboserverw.boboworld.com ns86.worldnic.com.
Server:         ns86.worldnic.com.
Address:        162.159.27.117#53

*** Can't find boboserverw.boboworld.com: No answer

Local OpenBSD 7.2 GENERIC.MP#4 amd64

$ nslookup -q=ns boboserverw.boboworld.com ns86.worldnic.com.
Server:         ns86.worldnic.com.
Address:        162.159.27.117#53

*** Can't find boboserverw.boboworld.com: No answer

Local Linux 5.15.0-56-generic #62-Ubuntu SMP 22.04.1 LTS (Jammy Jellyfish)

$ nslookup -q=ns boboserverw.boboworld.com ns86.worldnic.com.
Server:         ns86.worldnic.com.
Address:        162.159.27.117#53

*** Can't find boboserverw.boboworld.com: No answer

Local Microsoft Windows [Version 10.0.19045.2364] 64-bit

>nslookup -q=ns boboserverw.boboworld.com ns86.worldnic.com.
Server:  UnKnown
Address:  162.159.27.117

boboworld.com
        primary name server = NS85.WORLDNIC.com
        responsible mail addr = namehost.WORLDNIC.com
        serial  = 123010217
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

Local 64-bit Windows 7 Microsoft Windows [Version 6.1.7601]

>nslookup -q=ns boboserverw.boboworld.com ns86.worldnic.com.
Server:  UnKnown
Address:  162.159.27.117

boboworld.com
        primary name server = NS85.WORLDNIC.com
        responsible mail addr = namehost.WORLDNIC.com
        serial  = 123010217
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
1 Like

I think that's just Windows doing rDNS on that IP.

5 Likes

So confusing. I'm just using the NetSol Nameservers. Not even doing anything complex. :frowning:

5 Likes

Do they have an option for you to download the Zone file?
If yes, would you be willing to share it (feel free to hide "secret fields")?

1 Like

Unfortunately, no. Turning off DNSSEC now.

5 Likes

Can you look on their DNS interface and lookup boboserverw.boboworld.com?
Possibly capture a screenshot and share it?

5 Likes

Looks promising. unboundtest.com now showing proper responses for mail subdomain.

UPDATE:
Let's Debug test showing OK now too for your apex and the 3 subdomains that previously failed.

5 Likes

I just do not get why nslookup will get the Authoritative Name Servers for boboworld.com but not for boboserverw.boboworld.com, yet the A Record is no problem. :confused:

$ nslookup -q=ns boboworld.com ns85.worldnic.com.
Server:         ns85.worldnic.com.
Address:        162.159.26.131#53

boboworld.com   nameserver = ns86.worldnic.com.
boboworld.com   nameserver = ns85.worldnic.com.

$ nslookup -q=ns boboserverw.boboworld.com ns85.worldnic.com.
Server:         ns85.worldnic.com.
Address:        162.159.26.131#53

*** Can't find boboserverw.boboworld.com: No answer

$ nslookup boboworld.com ns85.worldnic.com.
Server:         ns85.worldnic.com.
Address:        162.159.26.131#53

Name:   boboworld.com
Address: 108.215.19.66

$ nslookup boboserverw.boboworld.com ns85.worldnic.com.
Server:         ns85.worldnic.com.
Address:        162.159.26.131#53

Name:   boboserverw.boboworld.com
Address: 108.215.19.66

This is not too strange.
It doesn't need to return nameservers for non-delegated [sub]domains, but it should have returned the SOA record in its place.

4 Likes