No valid A/AAAA records, despite having both

When trying to start caddy, each time it says that no A/AAAA records exist. If I use LetsDebug.net, HTTP-01 and TLS-ALPN-01 fails due to the same reason. When I look at NameCheap, these are my DNS records.

My domain is: fivepixels.me

I ran this command:
caddy start

It produced this output:
2022/03/11 19:53:13.247 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "www.git.fivepixels.me", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: NXDOMAIN looking up A for www.git.fivepixels.me - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.git.fivepixels.me - check that a DNS record exists for this domain", "instance": "", "subproblems": }}

My web server is (include version):
caddy v2.4.6

The operating system my web server runs on is (include version):
Ubuntu 1.18

My hosting provider, if applicable, is:
Domain Host: NameCheap
Server host: Central.so

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Your DNS records and the error message agree. There is no A/AAAA record for www.git.fivepixels.me -- you only have one for git.fivepixels.me (they are different domain names).


I added these two records:

And it looks like it may be working now. I think it took some time for the DNS to update because I was getting the same error for a little bit longer. The lack of A/AAAA records error went away, but I'm now authorization limited for the next hour or so.

I'll update once I know if this fixes this.

www.git is still missing.


Actually I have it added - I wasn't keeping track of how many I added, I just guesstimated.

Still getting these:

Mar 11 22:00:20 fivepixels.me caddy[52885]: {"level":"error","ts":1647032420.3322716,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"www.git.fivepixels.me","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for www.git.fivepixels.me; no valid AAAA records found for www.git.fivepixels.me","instance":"","subproblems":},"order":"https://acme-v02.api.letsencrypt.org/acme/order/433908690/70681968770","attempt":1,"max_attempts":3}

Mar 11 22:00:20 fivepixels.me caddy[52885]: {"level":"error","ts":1647032420.734154,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"www.fivepixels.me","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for www.fivepixels.me; no valid AAAA records found for www.fivepixels.me","instance":"","subproblems":}}

Mar 11 22:00:24 fivepixels.me caddy[52885]: {"level":"error","ts":1647032424.0842578,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"www.vault.fivepixels.me","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for www.vault.fivepixels.me; no valid AAAA records found for www.vault.fivepixels.me","instance":"","subproblems":}}

Looking back now, I set the records to CNAMEs rather than A/AAAA - do they need to be A records? When I provide an A record, it asks for the target to be an IP - which I would need to set to the same as my A record for the first record in the last screenshot, right?

Also - just running a letsdebug.net test on fivepixels.me (which clearly has an A/AAAA record on the screenshot) is also returning that there are no A records.

Your domain doesn't look like it has an A record on @ (the apex).

Your A record is for fivepixels.me.fivepixels.me :smiley:

Edit your A/AAAA record and put @ instead of "fivepixels.me"

% dig a fivepixels.me

; <<>> DiG 9.18.0-2-Debian <<>> a fivepixels.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15929
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fivepixels.me.                 IN      A

;; AUTHORITY SECTION:
fivepixels.me.          1798    IN      SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1647032637 43200 3600 604800 3601

;; Query time: 2070 msec
;; SERVER: 172.25.128.1#53(172.25.128.1) (UDP)
;; WHEN: Fri Mar 11 22:07:44 CET 2022
;; MSG SIZE  rcvd: 115

% dig a fivepixels.me.fivepixels.me

; <<>> DiG 9.18.0-2-Debian <<>> a fivepixels.me.fivepixels.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50625
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fivepixels.me.fivepixels.me.   IN      A

;; ANSWER SECTION:
fivepixels.me.fivepixels.me. 0  IN      A       104.128.232.25

;; Query time: 2050 msec
;; SERVER: 172.25.128.1#53(172.25.128.1) (UDP)
;; WHEN: Fri Mar 11 22:09:17 CET 2022
;; MSG SIZE  rcvd: 88
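The mistake diagnosed above (entering "fivepixels.me" in the host field, which the zone qualifies as fivepixels.me.fivepixels.me) and the earlier point that www.git and git are different names can both be reproduced offline. The following is an added example, not code from the thread or from Caddy, Let's Debug or Namecheap: it models how a control panel's host field is qualified against the zone origin (assumed to follow ordinary zone-file rules: "@" is the apex, a trailing dot makes a name absolute, anything else is relative), then checks which hostnames end up with A/AAAA records, following CNAMEs the way a validating resolver does. The zone entries and the 192.0.2.10 address are constructed, not the site's real records.

```python
"""Added example (not from the thread): model how a DNS control panel turns
the 'host' field into a fully qualified name, then check which hostnames
actually end up with A/AAAA records.  Zone data below is constructed to
mirror the thread; no live DNS queries are made."""
import ipaddress

ORIGIN = "fivepixels.me"


def qualify(host: str, origin: str = ORIGIN) -> str:
    """Qualify a 'host' field the way a zone file does (assumed to match the
    panel's behaviour): '@' or empty is the apex, a trailing dot marks an
    absolute name, and anything else is relative to the origin."""
    origin = origin.rstrip(".").lower()
    host = host.strip().lower()
    if host in ("", "@"):
        return origin
    if host.endswith("."):
        return host.rstrip(".")
    return f"{host}.{origin}"


def build_zone(entries, origin: str = ORIGIN) -> dict:
    """Map FQDN -> list of (type, value).  A/AAAA values must be literal
    addresses of the right family, which is why the panel asks for an IP.
    CNAME targets are taken as absolute names (assumption)."""
    zone = {}
    for host, rtype, value in entries:
        rtype = rtype.upper()
        if rtype == "A" and ipaddress.ip_address(value).version != 4:
            raise ValueError(f"A record for {host!r} needs an IPv4 address")
        if rtype == "AAAA" and ipaddress.ip_address(value).version != 6:
            raise ValueError(f"AAAA record for {host!r} needs an IPv6 address")
        if rtype == "CNAME":
            value = value.rstrip(".").lower()
        zone.setdefault(qualify(host, origin), []).append((rtype, value))
    return zone


def address_types(zone: dict, name: str, max_hops: int = 8) -> set:
    """Return the set of address record types ('A', 'AAAA') reachable for
    name, following CNAMEs as a resolver would.  An empty set corresponds
    to the 'no valid A/AAAA records' error in the ACME log."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        rrs = zone.get(name, [])
        found = {t for t, _ in rrs if t in ("A", "AAAA")}
        if found:
            return found
        targets = [v for t, v in rrs if t == "CNAME"]
        if not targets:
            return set()
        name = targets[0]
    return set()  # CNAME loop or chain too long: treated as unresolvable


def missing(entries, wanted, origin: str = ORIGIN) -> list:
    """Names from wanted that have no A/AAAA record, in the order given."""
    zone = build_zone(entries, origin)
    return [n for n in wanted if not address_types(zone, n)]


# Constructed to mirror the thread: the apex was entered as
# "fivepixels.me" instead of "@", every www name was a CNAME to the apex,
# and www.git had not been added yet.  192.0.2.10 is a documentation
# address, not the site's real IP.
BEFORE = [
    ("fivepixels.me", "A", "192.0.2.10"),
    ("git", "A", "192.0.2.10"),
    ("vault", "A", "192.0.2.10"),
    ("www", "CNAME", "fivepixels.me"),
    ("www.vault", "CNAME", "fivepixels.me"),
]
# The fix from the thread: "@" for the apex, plus the missing www.git record.
AFTER = [("@", "A", "192.0.2.10")] + BEFORE[1:] + [("www.git", "CNAME", "git.fivepixels.me")]

WANTED = ["fivepixels.me", "www.fivepixels.me", "git.fivepixels.me",
          "www.git.fivepixels.me", "vault.fivepixels.me", "www.vault.fivepixels.me"]

if __name__ == "__main__":
    print("host 'fivepixels.me' is qualified to:", qualify("fivepixels.me"))
    print("missing before the fix:", missing(BEFORE, WANTED))
    print("missing after the fix: ", missing(AFTER, WANTED))
```

Running it shows the whole chain of failures collapsing to one cause: because the apex record landed on fivepixels.me.fivepixels.me, every www name that was a CNAME to the apex also came back with no A/AAAA, and replacing the host with "@" repairs all of them at once. The same check against a live zone would use dig as above, one name at a time, rather than this in-memory model.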

Alright, that was definitely what was causing the A record on fivepixels.me to fail. After restarting my docker server and my caddy instance - we've got results! The website is resolving correctly now. Thanks for all your help!


I do have another question. bearblog.dev seems to already have an SSL certificate, so when I try to enter blog.fivepixels.me, the certificate isn't valid. bearblog is responsible for the entire blog. Is there a way to provide my own SSL on it?

Probably. But it's better if bearblog gets a certificate automatically.

No, there isn't

Note: We don't currently provide SSL certificates, so .dev and .app domains will only work if set up through a CDN like Cloudflare with proxy enabled and set to Flexible.
