[root@localhost tmp]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): graphs.abc.net.pk
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for graphs.abc.net.pk
We were unable to find a vhost with a ServerName or Address of graphs.abc.net.pk
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
1: ssl.conf | | HTTPS | Enabled
Press 1 [enter] to confirm the selection (press ‘c’ to cancel): 1
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. graphs.cubexs.net.pk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for graphs.abc.net.pk
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Looks like you haven’t set up DNS for that domain name. That needs to be configured in some form for Let’s Encrypt to work, and for anyone to reach your domain in the first place.
# dig @8.8.8.8 graphs.abc.net.pk A
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> @8.8.8.8 graphs.abc.net.pk A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56168
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;graphs.abc.net.pk. IN A
;; AUTHORITY SECTION:
pk. 1792 IN SOA pknic.pk. ashar.pknic.net.pk. 2017120550 10700 900 1209600 14400
;; Query time: 3 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec 05 02:44:49 EST 2017
;; MSG SIZE rcvd: 100
I’m still getting NXDOMAIN, and I’m also unable to resolve the nameservers (cubexs.net.pk, root.cubexs.net.pk) as well. Is it possible something else on your network is intercepting and replying to DNS queries instead of 8.8.8.8?
Each of these nameservers has to answer queries for cubexs.net.pk. dns1.cubexs.net.pk answers correctly (if at all). dns2.cubexs.net.pk resolves to two ip addresses, one of them does not answer queries at all.
There are multiple issues with your DNS. Firstly, there are four authoritative name servers listed for cubexs.net.pk:
;; AUTHORITY SECTION:
cubexs.net.PK. 38400 IN NS dns3.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS ns1.ispc.org.
cubexs.net.PK. 38400 IN NS dns4.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS dns1.cubexs.net.pk.
;; ADDITIONAL SECTION:
dns1.cubexs.net.PK. 38400 IN A 202.63.192.12
dns3.cubexs.net.PK. 38400 IN A 202.63.200.5
dns4.cubexs.net.PK. 38400 IN A 202.63.200.6
For three of them, there are IP addresses “glued” as you can see above in the additional section. When I try to get the IP address of dns1.cubexs.net.pk, I get the following result:
cubexs.net.PK. 38400 IN NS dns4.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS dns3.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS ns1.ispc.org.
cubexs.net.PK. 38400 IN NS dns1.cubexs.net.pk.
couldn't get address for 'dns4.cubexs.net.pk': not found
couldn't get address for 'dns3.cubexs.net.pk': not found
;; Received 201 bytes from 162.252.84.2#53(n1.pknic.net.pk) in 118 ms
dns1.cubexs.net.pk. 86400 IN A 202.63.197.6
cubexs.net.pk. 86400 IN NS dns2.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS dns1.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS ns3.weatherlycloud.com.
cubexs.net.pk. 86400 IN NS dns3.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS ns4.weatherlycloud.com.
;; Received 185 bytes from 202.63.192.12#53(dns1.cubexs.net.pk) in 142 ms
Here you can see TWO issues:
1. You can see the two errors about dns3 and dns4 not being found with DNS lookups.
2. The IP address of dns1.cubexs.net.pk resolved from itself is different than the IP address “glued”. Both seem to work, but 202.63.197.6 lists a whole different number of DNS servers:
;; ANSWER SECTION:
dns1.cubexs.net.pk. 86400 IN A 202.63.197.6
;; AUTHORITY SECTION:
cubexs.net.pk. 86400 IN NS dns3.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS dns2.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS dns1.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS ns3.weatherlycloud.com.
cubexs.net.pk. 86400 IN NS ns4.weatherlycloud.com.
;; ADDITIONAL SECTION:
dns2.cubexs.net.pk. 86400 IN A 202.63.192.13
dns2.cubexs.net.pk. 86400 IN A 202.63.192.12
dns3.cubexs.net.pk. 86400 IN A 202.63.197.7
ns3.weatherlycloud.com. 86400 IN A 38.108.7.246
ns4.weatherlycloud.com. 86400 IN A 38.108.7.247
This is the moment I’m going to stop debugging this DNS mess… It’s just… A mess.
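Added example, not part of the original thread or any poster's code: the parent-versus-child comparison described in the last post, run offline over the records quoted there. The function names parse and compare_delegation are hypothetical; PARENT is the delegation with glue, CHILD is the response attributed to 202.63.197.6.

```python
from collections import defaultdict
# Records copied from the dig output quoted in the thread above.
PARENT = """\
cubexs.net.PK. 38400 IN NS dns3.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS ns1.ispc.org.
cubexs.net.PK. 38400 IN NS dns4.cubexs.net.pk.
cubexs.net.PK. 38400 IN NS dns1.cubexs.net.pk.
dns1.cubexs.net.PK. 38400 IN A 202.63.192.12
dns3.cubexs.net.PK. 38400 IN A 202.63.200.5
dns4.cubexs.net.PK. 38400 IN A 202.63.200.6
"""
CHILD = """\
dns1.cubexs.net.pk. 86400 IN A 202.63.197.6
cubexs.net.pk. 86400 IN NS dns3.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS dns2.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS dns1.cubexs.net.pk.
cubexs.net.pk. 86400 IN NS ns3.weatherlycloud.com.
cubexs.net.pk. 86400 IN NS ns4.weatherlycloud.com.
dns2.cubexs.net.pk. 86400 IN A 202.63.192.13
dns2.cubexs.net.pk. 86400 IN A 202.63.192.12
dns3.cubexs.net.pk. 86400 IN A 202.63.197.7
"""

def parse(text):
    """Return (ns_names, {owner: set(ips)}) from 'name ttl IN type rdata' lines."""
    ns, addrs = set(), defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or line.startswith(";") or parts[2] != "IN":
            continue  # skip dig comments, blank lines and anything malformed
        owner, rtype, rdata = parts[0].lower(), parts[3], parts[4]
        if rtype == "NS":
            ns.add(rdata.lower())  # DNS names compare case-insensitively
        elif rtype in ("A", "AAAA"):
            addrs[owner].add(rdata)
    return ns, addrs

def compare_delegation(parent_text, child_text):
    """Diff the parent's NS set and glue against what the zone's own server says."""
    p_ns, p_glue = parse(parent_text)
    c_ns, c_addr = parse(child_text)
    return {
        "only_in_parent": sorted(p_ns - c_ns),
        "only_in_child": sorted(c_ns - p_ns),
        "glue_mismatch": {n: (sorted(p_glue[n]), sorted(c_addr[n]))
                          for n in sorted(p_glue.keys() & c_addr.keys())
                          if p_glue[n] != c_addr[n]},
    }

print(compare_delegation(PARENT, CHILD))
```

On the quoted records this reports the dns1 glue mismatch named in the post and also shows that the dns3 glue differs from the address the zone's own server returns.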