NXDOMAIN error unable to get certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cloud03.lstmed.ac.uk

I ran this command: sudo ./certbot-auto --apache --agree-tos --rsa-key-size 4096 --email user@domain.org --redirect -d nc.domain.org

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 16.04

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud03.lstmed.ac.uk
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloud03.lstmed.ac.uk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for cloud03.lstmed.ac.uk

IMPORTANT NOTES:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

You need to set up a DNS record to point your domain to your web server.


#3

I have this on my DNS server - I have had this issue a few times; all affected servers have a DNS A record.


#4

Well, you may have it on a non-authoritative nameserver, or perhaps one only presented to your local network.

The DNS record needs to be resolvable on the wide internet, which it isn’t currently.


#5

After some config, we moved onto this:

Failed authorization procedure. cloud03.lstmed.ac.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud03.lstmed.ac.uk/.well-known/acme-challenge/PpjJfmh-saiazkw7JLSoDPljrPze8nTIm_ww6zU5j88: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cloud03.lstmed.ac.uk
    Type: connection
    Detail: Fetching
    http://cloud03.lstmed.ac.uk/.well-known/acme-challenge/PpjJfmh-saiazkw7JLSoDPljrPze8nTIm_ww6zU5j88:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#6

I can connect to https://cloud03.lstmed.ac.uk/, but http://cloud03.lstmed.ac.uk/ times out.

Is a firewall on the computer or network blocking port 80?


#7

Port 80 is open, but the apache\site config has a redirect to https…

I’ll disable that temporarily, and try once more…


#8

Redirecting is fine. Port 80 isn’t open.


#9

A redirect from 80 to 443 is just fine, but LE must be able to connect on port 80 initially. The error you’re seeing says it can’t.


#10

Ok - Port is enabled.

sudo ufw status confirms this…

Too many attempts today…

Can anyone help with a guide on how to do this? Please bear in mind I’m relatively new to Linux (Base server builds are fine, SSL certificates always tend to fail with me though)


#11

http://cloud03.lstmed.ac.uk/ still times out.

ufw might be configured to allow port 80, but it seems something isn’t.


#12

Any such guide would have to be based on all the details of your configuration, thus no such guide is possible. Something is blocking connections to port 80 from the Internet at large. Until you resolve that, you won’t be able to get a cert using the HTTP validator. If that something happens to be your ISP (as isn’t unusual for residential ISPs, for example), you may be out of luck.
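The two checks the thread works through by hand (does the name resolve on the public Internet, and does port 80 answer from outside) as a small pre-flight script. This is an added example, not code from the original posts or from certbot; it assumes dig and curl are installed, and the port-80 test is only meaningful when run from a host outside your own network, since that is where the Let's Encrypt validator connects from.

```shell
#!/bin/sh
# Pre-flight check for the two http-01 failures seen in this thread: NXDOMAIN from
# the public DNS and a connect timeout on port 80. Added example, not from the posts.
# Assumes dig and curl are installed; run from a host OUTSIDE your own network so the
# port-80 result reflects what Let's Encrypt sees rather than your LAN.
PUBLIC_RESOLVER="1.1.1.1"   # any public resolver; a record only your LAN DNS knows must not pass

# Pull the ACME error class (dns, connection, ...) out of a certbot failure line.
acme_error_class() {
  printf '%s\n' "$1" | sed -n 's/.*urn:ietf:params:acme:error:\([A-Za-z]*\).*/\1/p'
}

# Map that class to the check the thread ended up doing by hand.
hint_for_class() {
  case "$1" in
    dns)        echo "no public A/AAAA record: check the authoritative nameservers, not your LAN resolver" ;;
    connection) echo "port 80 unreachable from the Internet: host firewall, NAT/edge firewall, or ISP block" ;;
    *)          echo "see /var/log/letsencrypt/letsencrypt.log for the full error" ;;
  esac
}

# 1. The validator resolves the name on the public Internet, so ask a public resolver,
#    not whatever /etc/resolv.conf points at.
check_dns() {
  ips=$(dig +short @"$PUBLIC_RESOLVER" A "$1")
  [ -n "$ips" ] || { echo "DNS: no public A record for $1 (this is the NXDOMAIN error)"; return 1; }
  echo "DNS: $1 -> $(printf '%s' "$ips" | tr '\n' ' ')"
}

# 2. http-01 only needs the TCP connection on port 80 to succeed; a 301 redirect to
#    HTTPS is fine, a timeout is not (the two cases argued over above).
check_port80() {
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "http://$1/") \
    || { echo "HTTP: connect to port 80 timed out or was refused"; return 1; }
  echo "HTTP: port 80 answered with status $code (a redirect here is acceptable)"
}

# Run only when a domain is given, e.g.:  sh preflight.sh cloud03.lstmed.ac.uk
# Once both checks pass, rehearse with certbot's --dry-run (staging) before spending
# real attempts against the rate limit mentioned in the thread.
if [ "$#" -ge 1 ]; then
  check_dns "$1" && check_port80 "$1"
fi
```

Feed a line from the certbot output to acme_error_class and hint_for_class to see which of the two checks applies; with no argument the script defines the functions and does nothing else.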


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.