[root@localhost tmp]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): graphs.abc.net.pk
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for graphs.abc.net.pk
We were unable to find a vhost with a ServerName or Address of graphs.abc.net.pk
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
1: ssl.conf | | HTTPS | Enabled
Press 1 [enter] to confirm the selection (press ‘c’ to cancel): 1
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. graphs.cubexs.net.pk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for graphs.abc.net.pk
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Looks like you haven’t set up DNS for that domain name. That needs to be configured in some form for Let’s Encrypt to work, and for anyone to reach your domain in the first place.
# dig @8.8.8.8 graphs.abc.net.pk A
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> @8.8.8.8 graphs.abc.net.pk A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56168
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;graphs.abc.net.pk. IN A
;; AUTHORITY SECTION:
pk. 1792 IN SOA pknic.pk. ashar.pknic.net.pk. 2017120550 10700 900 1209600 14400
;; Query time: 3 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec 05 02:44:49 EST 2017
;; MSG SIZE rcvd: 100
I’m still getting NXDOMAIN, and I’m also unable to resolve the nameservers (cubexs.net.pk, root.cubexs.net.pk) as well. Is it possible something else on your network is intercepting and replying to DNS queries instead of 8.8.8.8?
I see DNS errors here, too.
Have a look into the NS records:
$ dig cubexs.net.pk NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32229
;; QUESTION SECTION:
;cubexs.net.pk. IN NS
;; ANSWER SECTION:
cubexs.net.pk. 86237 IN NS ns3.weatherlycloud.com.
cubexs.net.pk. 86237 IN NS dns2.cubexs.net.pk.
cubexs.net.pk. 86237 IN NS ns4.weatherlycloud.com.
cubexs.net.pk. 86237 IN NS dns1.cubexs.net.pk.
Each of these nameserver has to answer queries for cubexs.net.pk.
dns1.cubexs.net.pk answers correctly (if at all).
dns2.cubexs.net.pk resolves to two ip addresses, one of them does not answer queries at all.
There are multiple issues with your DNS. Firstly, there are four authorative name servers listed for cubexs.net.pk:
;; AUTHORITY SECTION:
cubexs.net.PK. 38400 IN NS dns3.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS ns1.ispc.org.
cubexs.net.PK. 38400 IN NS dns4.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS dns1.cubexs.net.pk.
;; ADDITIONAL SECTION:
dns1.cubexs.net.PK. 38400 IN A 202.63.192.12
dns3.cubexs.net.PK. 38400 IN A 202.63.200.5
dns4.cubexs.net.PK. 38400 IN A 202.63.200.6
For three of them, there are IP addresses “glued” as you can see above in the additional section. When I try to get the IP address of dns1.cubexs.net.pk, I get the following result:
cubexs.net.PK. 38400 IN NS dns4.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS dns3.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS ns1.ispc.org.
cubexs.net.PK. 38400 IN NS dns1.cubexs.net.pk.
couldn't get address for 'dns4.cubexs.net.pk': not found
couldn't get address for 'dns3.cubexs.net.pk': not found
;; Received 201 bytes from 162.252.84.2#53(n1.pknic.net.pk) in 118 ms
dns1.cubexs.net.pk. 86400 IN A 202.63.197.6
cubexs.net.pk. 86400 IN NS dns2.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS dns1.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS ns3.weatherlycloud.com.
cubexs.net.pk. 86400 IN NS dns3.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS ns4.weatherlycloud.com.
;; Received 185 bytes from 202.63.192.12#53(dns1.cubexs.net.pk) in 142 ms
Here you can see TWO issues:
You can see the two errors about dns3 and dns4 not being found with DNS lookups.
The IP address of dns1.cubexs.net.pk resolved from itself is different than the IP address “glued”. Both seem to work, but 202.63.197.6 lists a whole different number of DNS servers:
;; ANSWER SECTION:
dns1.cubexs.net.pk. 86400 IN A 202.63.197.6
;; AUTHORITY SECTION:
cubexs.net.pk. 86400 IN NS dns3.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS dns2.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS dns1.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS ns3.weatherlycloud.com.
cubexs.net.pk. 86400 IN NS ns4.weatherlycloud.com.
;; ADDITIONAL SECTION:
dns2.cubexs.net.pk. 86400 IN A 202.63.192.13
dns2.cubexs.net.pk. 86400 IN A 202.63.192.12
dns3.cubexs.net.pk. 86400 IN A 202.63.197.7
ns3.weatherlycloud.com. 86400 IN A 38.108.7.246
ns4.weatherlycloud.com. 86400 IN A 38.108.7.247
This is the moment I’m going to stop debugging this DNS mess… It’s just… A mess.