Hi,
I’m trying to generate a cert for my subdomain but it appears to be giving me some trouble. I have the A record for blog.coughlan.io pointing to the IP of my virtual machine running on Digital Ocean, and the CNAME record is catching *.blog.coughlan.io and redirecting to blog.coughlan.io. Any queries using host and dig appear to be resolving correctly.
Is there something I’m missing?
Thanks!
My domain is:
blog.coughlan.io
I ran this command:
letsencrypt certonly
It produced this output:
Failed authorization procedure. blog.coughlan.io (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for blog.coughlan.io
My operating system is (include version):
Ubuntu 16.04
My web server is (include version):
NA
My hosting provider, if applicable, is:
Digital Ocean
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
Hi @coughlanio ,
coughlanio:
I'm trying to generate a cert for my subdomain but it appears to be giving me some trouble. I have the A record for blog.coughlan.io pointing to the IP of my virtual machine running on Digital Ocean, and the CNAME record is catching *.blog.coughlan.io and redirecting to blog.coughlan.io. Any queries using host and dig appear to be resolving correctly.
Is there something I'm missing?
Well, right now, none of your servers has a valid A record for either coughlan.io or blog.coughlan.io:
$ dig coughlan.io ns +short
dns1.registrar-servers.com.
dns2.registrar-servers.com.
$ dig @dns1.registrar-servers.com coughlan.io +short
$ dig @dns2.registrar-servers.com coughlan.io +short
$ dig @dns1.registrar-servers.com blog.coughlan.io +short
$ dig @dns2.registrar-servers.com blog.coughlan.io +short
Seems you should fix your DNS conf
Cheers,
sahsanu
Looks like they’re moving DNS providers and now it ‘works’, if you don’t have the old values cached:
$ dig blog.coughlan.io
; <<>> DiG 9.10.3-P4-Ubuntu <<>> blog.coughlan.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34293
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.coughlan.io. IN A
;; ANSWER SECTION:
blog.coughlan.io. 1477 IN A 139.59.103.17
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 20 15:33:45 UTC 2017
;; MSG SIZE rcvd: 61
$ dig $(uuidgen).blog.coughlan.io
; <<>> DiG 9.10.3-P4-Ubuntu <<>> a045da07-ac33-4b95-8f86-8724f0ff074d.blog.coughlan.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18918
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a045da07-ac33-4b95-8f86-8724f0ff074d.blog.coughlan.io. IN A
;; ANSWER SECTION:
a045da07-ac33-4b95-8f86-8724f0ff074d.blog.coughlan.io. 1799 IN CNAME blog.coughlan.io.
blog.coughlan.io. 1799 IN A 139.59.103.17
;; Query time: 327 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 20 15:28:23 UTC 2017
;; MSG SIZE rcvd: 112
$ dig coughlan.io ns
; <<>> DiG 9.10.3-P4-Ubuntu <<>> coughlan.io ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50038
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;coughlan.io. IN NS
;; ANSWER SECTION:
coughlan.io. 1409 IN NS ns3.digitalocean.com.
coughlan.io. 1409 IN NS ns1.digitalocean.com.
coughlan.io. 1409 IN NS ns2.digitalocean.com.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 20 15:35:29 UTC 2017
;; MSG SIZE rcvd: 110
Part of the setup is a little odd (there appear to be two zones where one would do), but I guess it’s harmless:
$ dig blog.coughlan.io ns
; <<>> DiG 9.10.3-P4-Ubuntu <<>> blog.coughlan.io ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43608
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.coughlan.io. IN NS
;; ANSWER SECTION:
blog.coughlan.io. 1166 IN NS ns1.digitalocean.com.
blog.coughlan.io. 1166 IN NS ns3.digitalocean.com.
blog.coughlan.io. 1166 IN NS ns2.digitalocean.com.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 20 15:39:35 UTC 2017
;; MSG SIZE rcvd: 115
Indeed, it seems @coughlanio already got the cert:
CRT ID     DOMAIN (CN)        VALID FROM             VALID TO                EXPIRES IN   SANs
106719305  blog.coughlan.io   2017-Mar-20 13:21 CET  2017-Jun-18 14:21 CEST  89 days      blog.coughlan.io
Yes, thanks for the help guys.
My issue was that I had added the Digital Ocean nameservers to my Namecheap DNS management, but my domain was still using the default nameservers for the host.
Once I handed over DNS management to Digital Ocean completely, it appears to have resolved my issue.
Misunderstanding of DNS on my part.
Thanks again!
Chris
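As an added illustration of the checks in this thread (not code from the thread, from Let's Encrypt or from either hosting provider), here is a stdlib-only Python script that does what sahsanu's dig commands and the CA's validator do: query the servers the registry delegates to, with recursion disabled, and judge each reply the way a validator would (NXDOMAIN, not authoritative, no A record, or an A record reached through the CNAME chain). The wire-format replies in SAMPLE_REPLIES are constructed by hand to mirror the before/after state described in the posts, not captured traffic; the 139.59.103.17 address and the server names come from the posts above; the query function is the only part that touches the network and is an assumed helper, not something the thread used.

```python
# Pre-flight check before requesting a cert: ask the zone's *authoritative* name servers, as the
# CA's validator does, instead of the local resolver.  Stdlib only: a minimal DNS wire client.
import random
import socket
import struct

def encode_name(name):  # owner name -> uncompressed wire-format labels
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(data, offset):  # read a possibly compressed name; return (name, offset after it)
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: note where we stop, then jump
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset

def build_query(name, qtype="A", txid=0):  # RD=0: an authoritative server answers from its own zone
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", {"A": 1, "NS": 2}[qtype], 1)

def parse_response(data):
    """Parse the header, skip the question, collect answer + authority records."""
    txid, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", data[:12])
    offset, records = 12, []
    for _ in range(qd):
        offset = decode_name(data, offset)[1] + 4  # QNAME + QTYPE + QCLASS
    for _ in range(an + ns):
        owner, offset = decode_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in data[offset:offset + 4])
        elif rtype in (2, 5):
            value = decode_name(data, offset)[0]  # NS/CNAME rdata may use compression
        else:
            value = data[offset:offset + rdlen].hex()
        offset += rdlen
        records.append((owner, {1: "A", 2: "NS", 5: "CNAME", 6: "SOA"}.get(rtype, str(rtype)), ttl, value))
    rcode = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(flags & 0xF, str(flags & 0xF))
    return {"id": txid, "rcode": rcode, "aa": bool(flags & 0x0400), "records": records}

def query(server_ip, name, qtype="A", timeout=3.0):  # live UDP query; no TCP fallback for truncated replies
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (server_ip, 53))
        reply = parse_response(sock.recvfrom(4096)[0])
    if reply["id"] != txid:
        raise ValueError("reply transaction id does not match the query")
    return reply

def resolve_chain(reply, name):  # follow CNAMEs inside one reply (wildcard -> blog host) to the A records
    target, seen = name.rstrip(".") + ".", set()
    while target not in seen:
        seen.add(target)
        for owner, rtype, _, value in reply["records"]:
            if owner == target and rtype == "CNAME":
                target = value
                break
    return [v for owner, rtype, _, v in reply["records"] if owner == target and rtype == "A"]

def diagnose(name, replies):
    """{server label: parsed reply} -> (ok, findings), judged the way the CA's validator would."""
    findings, ok = [], True
    for server, reply in replies.items():
        addrs = resolve_chain(reply, name)
        if reply["rcode"] == "NXDOMAIN":
            verdict = f"NXDOMAIN, the zone on this server has no {name}"
        elif not reply["aa"]:
            verdict = f"{reply['rcode']} but not authoritative, check the delegation at the registrar"
        elif not addrs:
            verdict = f"{reply['rcode']} but no A record for {name}"
        else:
            verdict = "A " + ", ".join(addrs)
        ok = ok and verdict.startswith("A ")
        findings.append(f"{server}: {verdict}")
    return ok, findings

# Constructed wire-format replies (not captured traffic) modelled on the thread's before/after state.
QUESTION = b"\x04blog\x08coughlan\x02io\x00" + b"\x00\x01\x00\x01"  # blog.coughlan.io. IN A
SAMPLE_REPLIES = {
    # registrar default servers: flags 0x8403 = QR + AA + RCODE 3 (NXDOMAIN), no records
    "dns1.registrar-servers.com": parse_response(b"\x00\x01\x84\x03\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION),
    # DigitalOcean: flags 0x8400 = QR + AA + NOERROR; one A record (owner = pointer 0xc00c to the
    # QNAME), TTL 0x0707 = 1799, rdata 139.59.103.17
    "ns1.digitalocean.com": parse_response(b"\x00\x02\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
                                           + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x07\x07\x00\x04\x8b\x3b\x67\x11"),
}

if __name__ == "__main__":  # offline demo; for a live check pass {ip: query(ip, name) for ip in ns_ips}
    print(*diagnose("blog.coughlan.io", SAMPLE_REPLIES)[1], sep="\n")
```

Run it with no arguments for the offline demo. For a live check, first get the delegated name servers (dig coughlan.io ns, then dig each NS name for its address) and call diagnose(name, {ip: query(ip, name) for ip in those addresses}). Two things the thread turns on: a dig against the local resolver (SERVER: 127.0.0.1#53 in the output above) can return cached or locally forwarded data, whereas the validator walks the delegation from the registry, so only the servers the registrar has published matter; and the RD=0 query makes a non-authoritative reply (aa flag clear) stand out instead of being masked by recursion. The client is UDP-only with a single attempt, so a truncated or dropped reply needs a real resolver library.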
system closed this topic on April 20, 2017, 1:02am: This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.