New certificate fails

vfvandijk · April 30, 2018, 11:26am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:projetnudite.victorvandijk.nl

I ran this command: I ran the ‘new certificate’ procedure from within my ISP

It produced this output:
Could not validate the choosen hostname for the certificate. No certificate issued.

My web server is (include version): I don’t know

The operating system my web server runs on is (include version): I think it’s Windows, but I’m not sure…

My hosting provider, if applicable, is: mijnhostingpartner.nl

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): MSP - I think??

_az · April 30, 2018, 11:52am

I think something is wrong with your nameservers, possibly involving your DNSSEC setup.

unboundtest.com shows a timeout and another test shows related timeouts and errors, so it may be worth rehashing DNSSEC on your nameservers.

mnordhoff · April 30, 2018, 11:58am

The Let's Encrypt API returns an error message that's usually detailed enough to pinpoint exactly what's wrong.

Try to find if the control panel displays or logs it somewhere. If not, contact the hosting company.

That said, it's probably the DNSSEC problem.

Additionally, 2 of the 3 DNS servers are inaccessible, and the zones are only using 512-bit RSA, so they're not even secure anyway.

@vfvandijk, you might as well disable DNSSEC on the domain. And contact the hosting company.

vfvandijk · April 30, 2018, 12:31pm

Thank you very much for your quick reply!

I don’t know much about technical things, just at an end-user level.

I will look into the DNSSEC part.

My ISP is not very helpful as to Let’s Encrypt, it states something like ‘we provide Let’s Encrypt but for the rest, use at your own risk’.

That’s probably because they also sell paid SSL certificates…

I’ll keep you posted.

Thanks again!

mnordhoff · April 30, 2018, 12:37pm

They’re also hosting your DNS, right?

It’s one thing to provide the bare minimum with Let’s Encrypt and refuse to help with issues.

But if Let’s Encrypt is failing because of the DNS issues, it’s their responsibility to fix them anyway.

I’m using a validating resolver, so I can’t open https://projetnudite.victorvandijk.nl/ in a web browser. It needs to be fixed whether or not Let’s Encrypt is involved.

vfvandijk · April 30, 2018, 1:47pm

Thanks, Matt, I just opened a ticket on my Hosting Provider’s system and shared as many details as possible.

It’s beyond me now.

vfvandijk · May 1, 2018, 9:18am

Dear Let’s Encrypt forum,

I received a message this morning from my hosting provider, and they confirmed that it was a DNSSEC problem.

They fixed it and after two tries, I was able to get my projetnudite.victorvandijk.nl Let’s Encrypt certificate.

Thank you very much for your fast and kind assistance!

Best,

Victor van Dijk.

mnordhoff · May 1, 2018, 9:25am

Fantastic!

As my tone showed, I wasn’t optimistic. Hosting companies really neglect DNS sometimes, and I was expecting the worst.

_az · May 1, 2018, 9:53am

Curiously, victorvandijk.nl response appears to (at least partially, in the authority section) be bogus. Both Google and Cloudflare public resolvers SERVFAIL for the CAA record, and Unbound thinks the authority section/SOA RR is bogus.

I wonder if Let’s Encrypt should be checking for any of the RRs to be bogus, not just the answer RRs.

Two of the nameservers are still inaccessible even after the host (partially) fixed the other DNSSEC issues, heh. I’d move my domain somewhere else if I was OP.

mnordhoff · May 1, 2018, 10:04am

Oh no.

I wrote my last post after confirming that projetnudite.victorvandijk.nl was working, including the SOA and the CAA negative response, and ignoring those 2 nameservers being down, but I just assumed victorvandijk.nl was also still working.

http://dnsviz.net/d/projetnudite.victorvandijk.nl/Wug1Xw/dnssec/

http://dnsviz.net/d/victorvandijk.nl/Wug14A/dnssec/

This isn’t good.

system · May 31, 2018, 10:04am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.