New certificate for subdomain only is not working


I already have a certificate for my TLD through a commercial certificate vendor, but this does not cover subdomains. I want to use certbot to create a certificate for the subdomain, but I get the following error:

sudo ./letsencrypt-auto --apache -d


The domain is accessible, I can access it using both http and https. I have a CNAME DNS record pointing to my EC2 AWS instance that hosts Apache as a reverse proxy to my sonarqube installation.

I only have NS, A, AAAA, CNAME, MX, TXT and SRV as DNS record types, no CAA. How can I fix this issue?

I have 2 servers running: is on server A and is on server B

Nobody can help you if you don’t specify the right domain name.

Why do you need the domain? It's a generic error, there should be a generic fix, no?

I have used dig and the server is returning the proper DNS settings:

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48484
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
; IN A


;; Query time: 52 msec
;; WHEN: Fri Oct 20 15:36:45 UTC 2017
;; MSG SIZE rcvd: 127

That is a huge overstatement.
There are a great deal of reasons why things can go wrong.
Without actual names we can only guess…and guess… and guess again…
A waste of time for everyone involved.

In the meantime…
Try some DIY recon:


There are a number of DNS configuration issues or software bugs that can cause CAA query failures. It’s useful to know the real domain so we can take a look.

Let’s Encrypt has a general document on CAA:

As it says when posts are created in the help forum:

Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.


The problem is not secrecy, it's that the server is still not hardened, so it would be easy for someone to take over the machine and I would have to kill it and start over. That is the only reason.

You could even power off the machine, since checking the DNS configuration of a domain does (in most cases) not reach the host.
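The two replies above make the same point from different angles: a CA's CAA check (RFC 8659) never talks to the web server, it only queries DNS, and it queries not just the subdomain but every parent name up to the top, so a broken or unreachable authoritative server for any name in that chain blocks issuance even when the subdomain itself has no CAA record. The following added example (not certbot's or Let's Encrypt's own code) simulates that climb over a constructed, placeholder zone so it runs offline; `ZONE`, the `.test` names and the `"SERVFAIL"` marker are all assumptions made up for the demonstration.

```python
"""
Simulated CAA processing as a CA performs it (RFC 8659, section 3): query CAA
at the requested name, then at each parent name in turn. The first name that
has a CAA RRset governs issuance, and a query that fails (SERVFAIL, timeout)
at any level is treated as a block. Added example, not Let's Encrypt's code.
"""

# Constructed zone data standing in for real DNS answers. Placeholder names,
# not the poster's domain. The string "SERVFAIL" models a broken resolver path.
ZONE = {
    "example.test": [("issue", "letsencrypt.org")],
    "sonar.example.test": [("issue", "commercial-ca.test")],
    "broken.example.test": "SERVFAIL",
    "none.test": [("issue", ";")],          # ';' alone: no CA may issue
    "iodef-only.test": [("iodef", "mailto:hostmaster@iodef-only.test")],
}


class CaaLookupError(Exception):
    """A CAA query that did not produce an answer (SERVFAIL, timeout)."""


def lookup_caa(name):
    """Return the CAA RRset for exactly this name ([] if none); raise on failure."""
    rrset = ZONE.get(name, [])
    if rrset == "SERVFAIL":
        raise CaaLookupError("CAA query for %s failed (SERVFAIL)" % name)
    return list(rrset)


def relevant_caa(name):
    """Climb from name to the top label; return (governing_name, rrset).

    Returns ('', []) when no name in the chain has a CAA RRset.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = lookup_caa(candidate)      # may raise CaaLookupError
        if rrset:
            return candidate, rrset
    return "", []


def issuance_allowed(name, ca="letsencrypt.org"):
    """Decide whether `ca` may issue a non-wildcard certificate for `name`.

    Returns (allowed, reason). A lookup failure anywhere in the chain is a
    refusal, which is why a subdomain with no CAA record can still fail.
    """
    try:
        governing, rrset = relevant_caa(name)
    except CaaLookupError as exc:
        return False, str(exc)
    if not rrset:
        return True, "no CAA records at any level; any CA may issue"
    # Only 'issue' records apply to a non-wildcard name ('issuewild' is for
    # wildcards). Parameters after ';' are dropped; an empty issuer means none.
    issuers = [v.split(";", 1)[0].strip().lower()
               for tag, v in rrset if tag == "issue"]
    if not issuers:
        return True, "%s has CAA records but no 'issue' tag" % governing
    if ca.lower() in issuers:
        return True, "%s lists %s" % (governing, ca)
    return False, "%s restricts issuance to: %s" % (
        governing, ", ".join(i or "<nobody>" for i in issuers))


if __name__ == "__main__":
    for host in ("www.example.test", "sonar.example.test",
                 "api.broken.example.test", "none.test", "host.unrelated.test"):
        ok, why = issuance_allowed(host)
        print("%-26s %s  (%s)" % (host, "ALLOW" if ok else "DENY ", why))
```

Running the script shows the three situations the thread is circling: a subdomain whose parent lists letsencrypt.org is fine, a name whose own CAA record names a different CA is refused, and a name under a parent whose CAA query fails is refused even though neither it nor its parent lists any CA at all. The real check is the same walk with `dig CAA <name>` at each level, and none of it touches the Apache host.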
