Let's Debug said that I have an active domain but Certbot said it's broken

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: web.pelant.pl

I ran this command: certbot tutorial

It produced this output: root@server--mc:/home/jirka# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: web.pelant.pl


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for web.pelant.pl

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: web.pelant.pl
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for web.pelant.pl - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for web.pelant.pl - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.52

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

For me it says:

NoRecords FATAL

No valid A or AAAA records could be ultimately resolved for web.pelant.pl. This means that Let's Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to.

No A or AAAA records found.

Which is corroborated by other services like DNSViz: web.pelant.pl | DNSViz

From the whois info I see your domain has just been created yesterday, maybe it needs more time to propagate to the .pl nameservers? Although it has been more than 24 hours now. One would think it should have propagated by now.

If you select DNS-01, it said it's OK

That's because the dns-01 challenge doesn't require an A or AAAA RR to be present.

Currently it seems the nameservers of the .pl TLD are aware of your domain and are pointing to Cloudflare's nameservers, where I assume you have your domain zone set up. However, the web subdomain is still not known.

@Osiris didn't explicitly mention a fact which is well-known to experienced Certbot users on this forum, but might not immediately be obvious to newer users:

The --apache method in Certbot always uses the http-01 challenge method and no other method. (It never uses dns-01.)

This is described in

https://eff-certbot.readthedocs.io/en/stable/using.html#getting-certificates-and-choosing-plugins

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
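
Added example, not part of any post in this thread: a small Python triage script that parses the failure block Certbot printed in the first post and flags the case discussed above, where an http-01-only authenticator (`--apache`) is blocked because the name has no A or AAAA record. The function names, the `HTTP01_ONLY` set and the result fields are hypothetical; the sample input is constructed from the output quoted in the thread.

```python
import re

# Constructed sample input: the failure block from the first post's certbot output.
SAMPLE = """\
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: web.pelant.pl
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for web.pelant.pl - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for web.pelant.pl - check that a DNS record exists for this domain
"""

# Per the thread, --apache always uses http-01, which needs an A or AAAA record.
HTTP01_ONLY = {"apache"}

def parse_failures(text):
    """Return (authenticator, [{'domain', 'type', 'detail'}, ...])."""
    m = re.search(r"\(authenticator: ([\w-]+)\)", text)
    authenticator = m.group(1) if m else None
    failures, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(Domain|Type|Detail):\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "domain":          # a Domain line starts a new failure record
            current = {"domain": value}
            failures.append(current)
        elif current is not None:
            current[key] = value
    return authenticator, failures

def diagnose(text):
    """Flag domains whose A/AAAA lookups returned NXDOMAIN."""
    authenticator, failures = parse_failures(text)
    findings = []
    for f in failures:
        detail = f.get("detail", "")
        missing = sorted(set(re.findall(r"NXDOMAIN looking up (AAAA|A) for", detail)))
        if f.get("type") == "dns" and missing:
            findings.append({"domain": f["domain"], "missing": missing,
                             "http01_blocked": authenticator in HTTP01_ONLY})
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

A finding with `http01_blocked` set means the fix is on the DNS side (publish the record in the zone), not in the Apache configuration.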