New certificate for subdomain only is not working

webmutation · October 20, 2017, 2:26pm

Hi,

I already have a certificate for my TLD thru a commercial certificate vendor, but this does not cover subdomains. I want to use certbot to create certificate for the subdomain but I get the following error

sudo ./letsencrypt-auto --apache -d sonar.example.com

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: sonar.example.com
Type: connection
Detail: DNS problem: SERVFAIL looking up CAA for sonar.example.com

The domain is accessible, I can access using both http and https, i have a CNAME DNS record pointing to my EC2 AWS instance that hosts the Apache as a reverse proxy to my sonarqube installation.

I only have as DNS record types NS, A, AAAA, CNAME, MX, TXT, SRV no CAA, how can i fix this issue?

I have 2 server running: example.com is on server A and sonar.example.com is on server B

bytecamp · October 20, 2017, 2:28pm

Nobody can help you if you don’t specify the right domain name.

webmutation · October 20, 2017, 3:38pm

Why do you need the domain? Its a generic error, there should a generic fix no?

I have used dig and the server is returning the proper DNS settings

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> sonar.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48484
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sonar.example.com. IN A

;; ANSWER SECTION:
sonar.example.com. 60 IN CNAME ec2-35-127-6-215.eu-central-1.compute.amazonaws.com.
ec2-35-127-6-215.eu-central-1.compute.amazonaws.com. 20 IN A 172.31.22.235

;; Query time: 52 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Fri Oct 20 15:36:45 UTC 2017
;; MSG SIZE rcvd: 127

rg305 · October 20, 2017, 4:48pm

That is a huge overstatement.
There are a great deal of reasons why things can go wrong.
Without actual names we can only guess...and guess... and guess again...
A waste of time for everyone involved.

In the meantime...
Try some DYI recon:
http://dnsviz.net/

mnordhoff · October 20, 2017, 8:44pm

There are a number of DNS configuration issues or software bugs that can cause CAA query failures. It's useful to know the real domain so we can take a look.

Let's Encrypt has a general document on CAA:

As it says when posts are created in the help forum:

Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

webmutation · October 23, 2017, 7:43am

The problem is not secrecy, its that the server is still not hardened so it would be easy for someone to take over the machine and I would have to kill it and start over. That is the only reason.

bytecamp · October 23, 2017, 9:29am

You could even power off the machine since checking the dns configuration of a domain does (in most cases) not reach the host.

system · November 22, 2017, 9:29am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.