Having issues generating cert for my domain

coughlanio · March 20, 2017, 7:23am

Hi,

I’m trying to generate a cert for my sub domain but it appears to be giving me some trouble. I have the A record for blog.coughlan.io pointing to the IP of my virtual machine running on digital ocean, and the CNAME record is catching *.blog.coughlan.io and redirecting to blog.coughlan.io. Any queries using host and dig appear to be resolving correctly.

Is there something I’m missing?

Thanks!

My domain is:

blog.coughlan.io

I ran this command:

letsencrypt certonly

It produced this output:

Failed authorization procedure. blog.coughlan.io (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for blog.coughlan.io

My operating system is (include version):

Ubuntu 16.04

My web server is (include version):

NA

My hosting provider, if applicable, is:

Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

sahsanu · March 20, 2017, 12:59pm

Hi @coughlanio,

Well, right now, none of your servers have a valid A record neither for coughlan.io nor blog.coughlan.io.

$ dig coughlan.io ns +short
dns1.registrar-servers.com.
dns2.registrar-servers.com.
$ dig @dns1.registrar-servers.com coughlan.io +short
$ dig @dns2.registrar-servers.com coughlan.io +short
$ dig @dns1.registrar-servers.com blog.coughlan.io +short
$ dig @dns2.registrar-servers.com blog.coughlan.io +short

Seems you should fix your DNS conf

Cheers,
sahsanu

mnordhoff · March 20, 2017, 3:40pm

Looks like they’re moving DNS providers and now it ‘works’, if you don’t have the old values cached:

$ dig blog.coughlan.io

; <<>> DiG 9.10.3-P4-Ubuntu <<>> blog.coughlan.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34293
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.coughlan.io.              IN      A

;; ANSWER SECTION:
blog.coughlan.io.       1477    IN      A       139.59.103.17

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 20 15:33:45 UTC 2017
;; MSG SIZE  rcvd: 61

$ dig $(uuidgen).blog.coughlan.io

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a045da07-ac33-4b95-8f86-8724f0ff074d.blog.coughlan.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18918
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a045da07-ac33-4b95-8f86-8724f0ff074d.blog.coughlan.io. IN A

;; ANSWER SECTION:
a045da07-ac33-4b95-8f86-8724f0ff074d.blog.coughlan.io. 1799 IN CNAME blog.coughlan.io.
blog.coughlan.io.       1799    IN      A       139.59.103.17

;; Query time: 327 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 20 15:28:23 UTC 2017
;; MSG SIZE  rcvd: 112

$ dig coughlan.io ns

; <<>> DiG 9.10.3-P4-Ubuntu <<>> coughlan.io ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50038
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;coughlan.io.                   IN      NS

;; ANSWER SECTION:
coughlan.io.            1409    IN      NS      ns3.digitalocean.com.
coughlan.io.            1409    IN      NS      ns1.digitalocean.com.
coughlan.io.            1409    IN      NS      ns2.digitalocean.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 20 15:35:29 UTC 2017
;; MSG SIZE  rcvd: 110

Although part of the setup is a little odd – there appear to be two zones where one will do – but i guess it’s harmless:

$ dig blog.coughlan.io ns

; <<>> DiG 9.10.3-P4-Ubuntu <<>> blog.coughlan.io ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43608
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.coughlan.io.              IN      NS

;; ANSWER SECTION:
blog.coughlan.io.       1166    IN      NS      ns1.digitalocean.com.
blog.coughlan.io.       1166    IN      NS      ns3.digitalocean.com.
blog.coughlan.io.       1166    IN      NS      ns2.digitalocean.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 20 15:39:35 UTC 2017
;; MSG SIZE  rcvd: 115

sahsanu · March 20, 2017, 4:14pm

Indeed , seems @coughlanio already got its cert

CRT ID     DOMAIN (CN)       VALID FROM             VALID TO                EXPIRES IN  SANs
106719305  blog.coughlan.io  2017-Mar-20 13:21 CET  2017-Jun-18 14:21 CEST  89 days     blog.coughlan.io

coughlanio · March 21, 2017, 1:02am

Yes, thanks for the help guys.

My issue was that I had added the Digital Ocean nameservers to my Namecheap DNS management, but my domain was still using the default nameservers for the host.

Once I handed over DNS management to Digital Ocean completely, it appears to have resolved my issue.

Misunderstanding of DNS on my part

Thanks again!

Chris

system · April 20, 2017, 1:02am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.