NXDOMAIN for A record of www version of site url

To preface, valhala.io has all certificates issued properly, even for the www version.
Issuing certificates to the www versions of electrolysissa.net and electrolysissa.com fail with NXDOMAIN A record. In my DNS Zone I have an A record pointing to the non www version with the site IP and then a CNAME for the www version. All 3 are setup this way and yet only valhala.io succeeds on both.
Using a DNS lookup on the www versions shows no errors.

My domain is: electrolyssisa.net electrolysissa.com valhala.io

I ran this command: sudo certbot --apache -> 3,4 (for the www versions of electrolysissa)

It produced this output:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3,4
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.electrolyssisa.com
http-01 challenge for www.electrolyssisa.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.electrolyssisa.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for www.electrolyssisa.com, www.electrolyssisa.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for www.electrolyssisa.net

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.electrolyssisa.com
   Type:   connection
   Detail: dns :: DNS problem: NXDOMAIN looking up A for
   www.electrolyssisa.com

   Domain: www.electrolyssisa.net
   Type:   connection
   Detail: dns :: DNS problem: NXDOMAIN looking up A for
   www.electrolyssisa.net

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): Apache HTTPD 2.4.6

The operating system my web server runs on is (include version): CentOS 7, 3.10.0-957.10.1.el7.x86_64

My hosting provider, if applicable, is: https://ramnode.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): I am using cPanel DNS only FROM ramnode and not self hosted. The DNS entries are weird and I don’t know if they are right, but I haven’t changed them since I got it working the first time.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.31.0

I can provide screenshots of all my DNS zones/configs as well as full ouput of letsencrypt.log if needed.
Thank you!

Hi @mlizbeth

there is no ip address defined ( https://check-your-website.server-daten.de/?q=electrolyssisa.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
electrolyssisa.com Name Error yes 1 0
www.electrolyssisa.com Name Error yes 1 0

So your domain is invisible -> Letsencrypt can’t check your domain.

Share a screenshot.

I should also mention that I had wiped the server yesterday but kept my DNS zones the same. The only difference is I had WHM and was using BIND on top of the DNS addon so im guessing that’s why it’s wonky, but why does valhala.io work?

Each domain also has it’s own DNS zone too. I don’t know why but that’s the only way I was able to get DNS resolutions when I set this up a few years ago :frowning:

Your valhala.io is visible.

There is a new check

Host T IP-Address is auth. ∑ Queries ∑ Timeout
valhala.io A 107.191.104.208 yes 2 0
AAAA yes
www.valhala.io C valhala.io yes 1 0
A 107.191.104.208 yes

And the nameservers:

Domain Nameserver NS-IP
valhala.io
ns3.ramnode.com
107.161.23.210 •

•  ns4.ramnode.com
192.249.56.18	•

•  ns5.ramnode.com
192.249.60.11	•

•  ns6.ramnode.com
192.249.60.67	•

io
a0.nic.io / ns087a.app2.mia2.afilias-nst.info

The io zone must have an NS entry that your domain uses the nameservers of ramnode.com.

Then the ramnode-com-Nameservers are able to manage your dns entries.

Same is with your other domains required.

I have the DNS servers set to

ramnode’s DNS servers from my registrar’s site if that’s what you mean?
Also have it the same way for the other 2 sites.

Or does this need to be done in the DNS Zone Editor?

Yes, that looks good.

I don’t know the details of your menus, but you must have public visible ip addresses. valhala.io is ok, but “Name Error” means: No public ip address visible.

So my zone records for valhala.io as well as the massive picture that has all of them listed, look like this.

But I am more worried about www.electrolysissa.com and www.electrolysissa.net not being able to get certificates issued.

@mlizbeth wait. you mistyped your own domain name
www.electrolysissa.com (from link) vs
www.electrolyssisa.com (what you typed in certbot)

no wonder why it ways nxdomain

1 Like

LOL, wow, great catch!
How do I fix this? Certbot is auto generating these choices

maybe your apache vhost is misspelled too?

1 Like

You are correct!

I will change this and report back

Thanks for the good eye, the certificates have been installed successfully, though the www versions still say insecure.

Edit: nvm, the RewriteCond still has the misspells. brb.
Additionally how can i remove these extra entries from certbot?

enter /etc/letsencrypt/renewal and remove wrong dormain?

Would just like to thank you again @orangepizza we did it.
yay

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.