No Email x.509 Certs?

So the problem isn’t /etc/hostname nor the env variable HOSTNAME. I’ve deleted /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/ and that’s gotten me farther than before, but I still flunk with “certificate had names ‘quantum.darkmatter.org’”.

I have never seen this verification pass. Has anyone made this work?

You have a self-signed certificate for quantum.darkmatter.org that’s referenced in your Apache configuration; that’s where the name is coming from. Ordinarily it shouldn’t matter, but for some reason it’s taking precedence over the temporary VirtualHost that certbot creates to pass the TLS-SNI-01 challenge. If you post the relevant Apache configuration, that might help us figure out why that is.


Indeed, thank you J. I’d commented out all the SSL settings in my /etc/httpd/conf.d/ virtual hosts file, and so the system was relying on the local certs pointed to by ssl.conf.

When I uncommented the SSL entries in my virt hosts file it still failed, but I stopped Apache and used the certonly and #2 option. With this I was able to get certs for two domains.

But the third still fails:


certbot certonly -d delphi-real-estate.com,www.delphi-real-estate.com,mail.delphi-real-estate.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 64 of /etc/httpd/conf.d/bills-vhosts.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/delphi-real-estate.com/cert.pem’ does not exist or is empty

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for delphi-real-estate.com
tls-sni-01 challenge for www.delphi-real-estate.com
tls-sni-01 challenge for mail.delphi-real-estate.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.delphi-real-estate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for mail.delphi-real-estate.com, www.delphi-real-estate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.delphi-real-estate.com, delphi-real-estate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for delphi-real-estate.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.delphi-real-estate.com
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for
    mail.delphi-real-estate.com

    Domain: www.delphi-real-estate.com
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for
    www.delphi-real-estate.com

    Domain: delphi-real-estate.com
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for
    delphi-real-estate.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


I can get nameservice on all 3 domains just fine, and the virt hosts settings are no different than the others. And it’s set up the same as the others at the registrar.


<VirtualHost *>
ServerAdmin postmaster@delphi-real-estate.com
DocumentRoot "/srv/www/DRE"
<Directory "/srv/www/DRE">
Options Indexes FollowSymLinks
AllowOverride None
# Allow open access:
Require all granted
</Directory>

ServerName delphi-real-estate.com
ServerAlias www.delphi-real-estate.com
ServerAlias mail.delphi-real-estate.com
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/delphi-real-estate.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/delphi-real-estate.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/delphi-real-estate.com/chain.pem
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
ErrorLog logs/DRE-ssl_error_log
TransferLog logs/DRE-ssl_access_log
LogLevel warn
ErrorLog "/var/log/httpd/delphi-real-estate-error_log"
CustomLog "/var/log/httpd/delphi-real-estate-access_log" common
</VirtualHost>


The debug log is no help since it’s wrong:
Detail: DNS problem: SERVFAIL looking up A for mail.delphi-real-estate.com

I think it might be a DNSSEC problem (which is not something I know much about, but others here may know more).

Hmm, I have DNSSEC turned off for all domains at the registrar. I have put some preliminaries in place on the server to use the certs but nothing that should be activating DNSSEC.

Well… like I said, I know very little about DNSSEC. But one obvious difference is that delphi-real-estate.com has a DS record and quantum-equities.com does not.

I won’t pretend to understand what it means, but http://dnsviz.net/d/delphi-real-estate.com/dnssec/ seems unhappy…

DNSSEC happens…
http://dnsviz.net/d/mail.delphi-real-estate.com/dnssec/

This is something that needs to be taken care of.
For instance, Google DNS will not resolve your IP:
Server: google-public-dns-b.google.com
Address: 8.8.4.4
*** google-public-dns-b.google.com can’t find mail.delphi-real-estate.com: Server failed

While other global DNS systems will:
Server: [4.2.2.2]
Address: 4.2.2.2
Name: mail.delphi-real-estate.com
Address: 50.35.109.212

Well that’s awfully queer… I definitely have DNSSEC turned off for all domains so no DS record should be set. Here’s a screenie:

To enable DNSSEC you must create the proper DS record, then it must be signed on the bind server by the admin – that’s automated through my registrar’s interface here.

mail. and www. are set in the IPv4 tab, as an equivalence to the IP, just like delphi-real-estate.com. So nothing different there. mail. is also set under MX, but nothing is set in CNAME, TXT, SRV, SSHFP, TLSA, nor CAA.

Here’s the raw zone file. (Green Download button)


delphi-real-estate.com. 86400 IN SOA ( ns3.gkg.net.
1510933952 ;serial
28800 ;refresh
7200 ;retry
604800 ;expire
7200 ;minimum
)
delphi-real-estate.com. 86400 IN A 50.35.109.212
delphi-real-estate.com. 86400 IN MX 0 mail.delphi-real-estate.com.
delphi-real-estate.com. 86400 IN NS ns3.gkg.net.
delphi-real-estate.com. 86400 IN NS ns4.gkg.net.
mail.delphi-real-estate.com. 86400 IN A 50.35.109.212
www.delphi-real-estate.com. 86400 IN A 50.35.109.212


No DS record. I’m not surprised that DNSSEC is showing busted. But the successful domains were identical.
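A DS record is published in the parent zone (here the .com zone, fed by the registrar), never in the child's own zone file, so the zone dump above cannot show whether one exists. What the thread describes, a DS at the parent with no DNSKEY in the zone, is the "bogus" state: validating resolvers such as Google Public DNS and the one the ACME CA uses return SERVFAIL, while non-validating resolvers answer normally. The following stand-alone Python script is an added illustration, not code from this thread or from certbot: it computes the key tag and DS digest exactly as RFC 4034 specifies (Appendix B and section 5.1.4) and classifies a delegation from the DS set a parent publishes and the DNSKEY set a child serves. The owner name, key bytes and scenario names are constructed for the demo.

```python
"""DS / DNSKEY consistency check (RFC 4034 section 5.1.4 and Appendix B).

Delegation states as a validating resolver sees them:
  insecure : no DS at the parent          -> every resolver answers
  secure   : DS matches a zone DNSKEY     -> every resolver answers
  bogus    : DS present, no matching key  -> validators return SERVFAIL
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    if digest_type == 1:
        h = hashlib.sha1
    elif digest_type == 2:
        h = hashlib.sha256
    else:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Build the DS tuple (key_tag, algorithm, digest_type, digest) the parent should publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def classify_delegation(owner, parent_ds, child_dnskeys):
    """parent_ds: list of (key_tag, algorithm, digest_type, digest_hex) from the parent zone.
    child_dnskeys: list of (flags, protocol, algorithm, public_key) served by the child zone.
    Returns 'insecure', 'secure' or 'bogus'."""
    if not parent_ds:
        return "insecure"
    for tag, alg, dtype, digest in parent_ds:
        for flags, proto, kalg, pk in child_dnskeys:
            rdata = dnskey_rdata(flags, proto, kalg, pk)
            if (kalg == alg and key_tag(rdata) == tag
                    and ds_digest(owner, rdata, dtype) == digest.upper()):
                return "secure"
    return "bogus"


RESOLVER_BEHAVIOUR = {
    "insecure": {"validating": "answers", "non-validating": "answers"},
    "secure":   {"validating": "answers", "non-validating": "answers"},
    "bogus":    {"validating": "SERVFAIL", "non-validating": "answers"},
}


def demo():
    """Constructed scenarios; the key bytes are made up and are not a real key."""
    owner = "example.test."                         # constructed owner name
    ksk = (257, 3, 13, bytes(range(1, 65)))         # flags 257 = KSK, alg 13 = ECDSAP256SHA256
    good_ds = make_ds(owner, *ksk)
    stale_ds = (good_ds[0], good_ds[1], good_ds[2], "00" * 32)  # digest of a key no longer served
    return {
        "no_ds":          classify_delegation(owner, [], [ksk]),
        "ds_matches_key": classify_delegation(owner, [good_ds], [ksk]),
        "ds_no_dnskey":   classify_delegation(owner, [good_ds], []),   # the thread's situation
        "ds_stale":       classify_delegation(owner, [stale_ds], [ksk]),
    }


if __name__ == "__main__":
    for scenario, state in demo().items():
        print(f"{scenario:15s} -> {state:8s} {RESOLVER_BEHAVIOUR[state]}")
```

In practice the two inputs come from `dig DS <zone>` against a parent nameserver and `dig DNSKEY <zone>` against the zone's own nameservers; if the first returns a DS and the second returns nothing that matches, the fix is to have the registrar remove the DS (or to sign the zone and publish a DS that matches its KSK), after which validating resolvers stop answering SERVFAIL and the ACME challenge can reach the host.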

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.