I apologize in advance for this lengthy, unorganized request for assistance.
I'm new to all this certificate stuff and received an email from Let's Encrypt saying that my certificate for rizzoassoc.com is going to expire in 19 days. I've been here for four years now and have not received an email from Let's Encrypt about this domain to my knowledge. The IT staff abandoned ship before I was hired and there was no knowledge transfer about anything. I've had to figure things out on my own. Security Certificates is an area that I have not had to deal with before.
Rizzoassoc.com is our primary domain, however, our active domain is a sub-domain named rizzointl.com. Our website is www.rizzointl.com and is managed by Wix. I have no current concerns about rizzointl.com.
Rizzoassoc.com is still the domain we use for our Extranet, FTP, and Help Desk. It would be very bad if access to these stopped working in 19 days. This domain is registered with Network Solutions but the name servers are with Media Temple that was recently acquired by GoDaddy. Quite a mess, huh?
Can someone help guide me through this process of renewal through LetsEncrypt? I've looked at many of the solutions on here, but with my limited knowledge and experience with security certificates, much of the terminology used makes no sense to me.
I greatly appreciate your help!
Getting a cert from Let's Encrypt requires using a program called an ACME Client. There are many of these so you must find out which one your system was using.
A popular one is Certbot. Look for a folder named /etc/letsencrypt. Let us know if that exists and what the result of "sudo certbot certificates" is. I am assuming some Linux system, but please also let us know which OS you use.
If no such folder, look at your services (extranet, ftp, help desk) SSL (or TLS) configuration. They will name a folder where your certs exist. Let us know what that is and we could probably identify the ACME Client.
Generally, this all happens automatically so that you don't need to worry about it. So the fact that you haven't needed to touch it in years means that things have been mostly going the way they're supposed to!
The main thing to look at is whether your name is still accessible from the Internet. If people can't get to your domain, then the Let's Encrypt validation servers can't confirm that you still own it. And it looks to me like it isn't working as you have a broken DNSSEC setup:
Once you fix that and people can get to your site again, then whatever software is running on your server should be able to renew the certificate again.
Thanks for the reply, PCjr.
There is no external facing site for rizzoassoc.com. It's all internal now.
Does "internal now" mean that it used to be publicly available, but now (as of some point within the last couple months) isn't?
If so, it's a bit harder than a public site. You probably need to change whatever software (the ACME client) is running your renewals to use the "DNS-01 challenge" instead. That requires your DNS provider to have some kind of API that you configure your client to use in order to update the TXT record every couple of months when renewing the certificate. And regardless, if you want a publicly-trusted Let's Encrypt certificate you would need to fix the DNSSEC issue which is making your domain name not work at all right now. (Even if you're not going to have public A/AAAA records, you would need a public TXT record to complete the challenge.)
The other option, if you wanted to keep everything entirely private, would be to create your own private CA, and configure your internal systems to trust it, and leave Let's Encrypt (and the rest of the public Web PKI) entirely out of it. That's probably a more involved project, though.
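As an added illustration (not code from this thread or from any ACME client) of what the "TXT record" in the DNS-01 challenge above actually contains: the value is derived from the challenge token and the ACME account key as RFC 8555 (sections 8.1 and 8.4) and RFC 7638 specify. The token and account key below are constructed sample values.

```python
# Added example: deriving the DNS-01 TXT value (RFC 8555 s.8.1/8.4, RFC 7638).
# An ACME client does this and publishes the record for you.
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, sorted keys,
    no whitespace. Private members ('d', ...) and extra metadata are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s.8.1: the challenge token bound to this account's key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s.8.4: the value published at _acme-challenge.<domain> IN TXT."""
    key_auth = key_authorization(token, account_jwk).encode("utf-8")
    return b64url(hashlib.sha256(key_auth).digest())

# Constructed sample values: not a real account key and not a real token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "sample-challenge-token"

if __name__ == "__main__":
    # The record the DNS provider's API would be asked to create (constructed):
    print("_acme-challenge.rizzoassoc.com. IN TXT",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the value depends on the account key, a client that is re-registered with a new account key produces a different TXT value for the same token.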
Unfortunately, you're talking way over my head. Is there a service that can manage these certificates for me?
Well, yes. If you had been getting certificates, then there is a service installed somewhere on your network which is managing all those certificates for you.
But your current problem with rizzoassoc.com has nothing to do with certificates. The domain name is just entirely broken (your registrar is claiming that the domain should be DNSSEC signed, but it in fact isn't). You need to fix that in order to have anything relating to that domain name work. You might need to contact your DNS provider or domain registrar. Once you fix that, it may be that the service you have running will be able to figure out how to renew your certificates.
I concur: from my point of view, your website results in an "ERR_NAME_NOT_RESOLVED" error due to my ISP (apparently) having DNSSEC enabled and thus running into trouble with the faulty DNSSEC of your domain.
While not every DNS resolver even checks DNSSEC, in one example about 8 % of DNS resolvers are actually checking DNSSEC and thus failing when resolving your site (source: statistics for the
Peter, greatly appreciate your help with this.
So wouldn't the DNSSEC problem be related to the fact that rizzoassoc.com is NOT a public-facing website? We only use rizzoassoc.com internally.
In order to get a publicly trusted certificate, what matters is what's in the public DNS (since you're trying to prove that you own that name). So if that name isn't resolvable, then you can't get a public certificate.
It may be possible to use a private CA for your purposes, as I was alluding to earlier. But it may be easier for you to figure out what broke with the name a couple months ago and fix it.
Since my nameservers are with GoDaddy, would it help to transfer the domain from Network Solutions to GoDaddy?
If your nameservers are run by GoDaddy, and the registrar is Network Solutions, what you need to do in order to get your domain working again is either tell Network Solutions to disable DNSSEC, or tell GoDaddy to enable DNSSEC (either using the same key as Network Solutions already has if you have access to that, or with a new DNSSEC key that you also tell Network Solutions to use).
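To make the two explanations above concrete (the registrar publishing a DS record while the zone at the nameservers is unsigned, and the two ways to fix it), here is an added example, not code from this thread or from any resolver, of the check a validating resolver performs, modelled on RFC 4034 section 5.1.4 and Appendix B. The sample DNSKEY is constructed and is not any zone's real key.

```python
# Added example: DS-to-DNSKEY matching as a DNSSEC validator does it.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # 8 = RSASHA256, 13 = ECDSAP256SHA256, ...
    public_key: bytes
    protocol: int = 3   # fixed at 3 for DNSSEC

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (algorithms other than RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def ds_from_dnskey(zone: str, key: DNSKEY) -> tuple:
    """DS the parent must hold for this key: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(owner_wire(zone) + key.rdata()).hexdigest()
    return (key.key_tag(), key.algorithm, 2, digest)

def chain_status(zone: str, parent_ds: list, child_dnskeys: list) -> str:
    """insecure: no DS at the parent, so an unsigned zone resolves normally.
    secure:   a DS at the parent matches a DNSKEY the zone serves.
    bogus:    DS present but nothing matches; validating resolvers SERVFAIL."""
    if not parent_ds:
        return "insecure"
    published = {ds_from_dnskey(zone, k) for k in child_dnskeys}
    return "secure" if any(ds in published for ds in parent_ds) else "bogus"

# Constructed sample KSK. The two fixes from the thread map onto chain_status:
# drop the DS at the registrar (-> "insecure") or have the nameservers sign
# the zone with a key whose DS matches what the registrar holds (-> "secure").
SAMPLE_KSK = DNSKEY(flags=257, algorithm=8, public_key=b"\x01\x02")
```

Feeding a DS computed from SAMPLE_KSK together with an empty DNSKEY list returns "bogus", which is the ERR_NAME_NOT_RESOLVED situation described earlier in the thread.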
Here is what ICANN has for the domain name