Having issues getting certificates with cname records


#1

I’m using the webroot method to retrieve the certificates. It showed the following error:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: c0209.com
   Type:   connection
   Detail: DNS problem: query timed out looking up A for c0209.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: www.c0209.com
   Type:   unknownHost
   Detail: No valid IP addresses found for www.c0209.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

The following is the DNS setup for c0209.com

[root@c02-web1 sites-enabled]# dig c0209.com +short
c02web1.kosuncname.com.
47.52.23.13
[root@c02-web1 sites-enabled]# dig www.c0209.com +short
c02web1.kosuncname.com.
47.52.23.13

Do I need to change the CNAME records to A records for certbot to work ?


#2

Hi @RainFlying,

CNAMES are totally permitted, but it looks like there are some other problems with your DNS records. For example, some IP addresses of your nameservers ns1.dns.com and ns2.dns.com often time out and return no answer to queries, and they may also be missing a SOA record. Maybe you could use some online DNS testing tools to try to understand what the problem is, or switch the domain to use a different nameserver?


#3

I don’t know if this is specifically why it’s not working for you, but in general you can’t (or shouldn’t) use a CNAME record for a domain apex (such as c0209.com). This isn’t a Let’s Encrypt restriction; it’s a limitation of DNS in general. You can however use a CNAME for the www subdomain and it should work just fine with Let’s Encrypt (assuming your DNS isn’t otherwise broken, of course).


#4

Hi, I checked with a few DNS checker. Seems there are no issues found. Can you please be a little more specific ?


#5

This worked quite well for now. Are domain cnames not supported by letsencrypt ?


#7

According to my knowledge, DNS-01 challenge needs to create some txt records in the zone. However, those zones are not in our control, that’s why we used domain cnames.


#8

Your second authoritative name server is ns2.dns.com, which appears not to respond to requests at all.


#9

Hi, I tried dig’ing on a few servers. Seems ns2.dns.com responded in a reasonable time.
The servers I tried are located in Asia. Is it possible that there are some issues with the cache servers in the north America ?

Cambodia

rainflying@rainflying-mac ~ % dig @ns2.dns.com c0209.com +short
c02web1.kosuncname.com

Hongkong

[root@cp899-web1 ~]# dig @ns2.dns.com c0209.com +short
c02web1.kosuncname.com.

China mainland

[root@codepush ~]# dig @ns2.dns.com c0209.com +short
c02web1.kosuncname.com.

Malaysia

[root@gitlab ~]# dig @ns2.dns.com c0209.com +short
c02web1.kosuncname.com.


#10

@cpu @jsha, what do you think? It seems to me that ns2.dns.com is physically located in China (at three different IP addresses) and requests to any from the U.S. seem to time out (which is kind of odd because it’s possible to ping it).


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.