Problems with the gov.co domain for governmental use

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rtvc.gov.co

I ran this command: ./certbot-auto --apache -d misenal-dev-d8.rtvc.gov.co

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for misenal-dev-d8.rtvc.gov.co
Waiting for verification…
Challenge failed for domain misenal-dev-d8.rtvc.gov.co
http-01 challenge for misenal-dev-d8.rtvc.gov.co
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): httpd -version
Server version: Apache/2.4.33 (Amazon)
Server built: Jul 11 2018 22:19:58

The operating system my web server runs on is (include version): NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Amazon Linux AMI release 2018.03
cpe:/o:amazon:linux:2018.03:ga

My hosting provider, if applicable, is: Amazon WS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.1


Hi @ccetina

If you want to create a certificate, CAA entries are checked.

First misenal-dev-d8.rtvc.gov.co, then rtvc.gov.co, then gov.co.

But checking the last domain there is a timeout. My own output https://check-your-website.server-daten.de/?q=misenal-dev-d8.rtvc.gov.co#caa

co

looks incomplete.

Unboundtest

https://unboundtest.com/m/CAA/gov.co/R7Y64IRB

reports a ServFail:

Response:
;; opcode: QUERY, status: SERVFAIL, id: 59245

Are you able to create a CAA entry with misenal-dev-d8.rtvc.gov.co or rtvc.gov.co?

That would block checking gov.co.


Oh, there is a great misconfiguration.

Domain: www.gov.co
Primary: acadcpr30.mcdmintic.local
Mail: hostmaster.mcdmintic.local
Serial: 119
Refresh: 900
Retry: 600
Expire: 86400
TTL: 300
num Entries: 2

A non-public domain, acadcpr30.mcdmintic.local, as primary name server. That can't work.

Executed one DNS check manually, then with nslookup. Always the same:

D:\temp>nslookup -type=SOA www.gov.co.
...
...

www.gov.co
primary name server = acadcpr30.mcdmintic.local
responsible mail addr = hostmaster.mcdmintic.local
serial = 119
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 300 (5 mins)

A .local address as top level domain of the name server.

So it's impossible to ask that name server.


Right! www.gov.co belongs to the Ministry of Government of my country and was created about 30 days ago. RTVC is a government entity too, but it is then necessary to migrate my web development services from the entity we work for to a domain that does not have to be, by hierarchy, under the domain gov.co.

Thank you very much


Thank you very much. I will complete all the information in the next topic.


That's not required.

Domain rtvc.gov.co - Name server ns-1113.awsdns-11.org.

Add there a CAA entry, then gov.co isn't checked.

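The CAA climb described in the replies above (the CA queries misenal-dev-d8.rtvc.gov.co, then rtvc.gov.co, then gov.co, and a CAA record on rtvc.gov.co ends the climb before the failing gov.co lookup is ever made), as an added Python model that is not part of this thread, of Certbot or of any CA's code. The zone data, the SERVFAIL marker and the CA name "letsencrypt.org" in the sample record are constructed assumptions.

```python
# Added model of the CAA tree climb a CA performs before issuance (RFC 8659, section 3).
# "zone" is a constructed stand-in for DNS: a name maps to a list of CAA records
# (missing or [] = no record) or to SERVFAIL, mirroring the unanswering gov.co servers.
from typing import Dict, List, Optional, Tuple

SERVFAIL = "SERVFAIL"  # marker for a query that fails instead of answering


class CAALookupFailed(Exception):
    """A CAA query failed; the CA must refuse issuance rather than guess."""


def parent(name: str) -> Optional[str]:
    """Drop the leftmost label; None once only one label (the TLD) remains."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa_set(name: str, zone: Dict[str, object]) -> Tuple[List[str], List[str]]:
    """Climb from name toward the TLD; return (names queried, first non-empty CAA RRset).
    A failed lookup on the way is fatal: the CA cannot know whether a record
    forbidding issuance lives there."""
    queried: List[str] = []
    current: Optional[str] = name
    while current is not None:
        queried.append(current)
        answer = zone.get(current, [])
        if answer == SERVFAIL:
            raise CAALookupFailed(f"CAA lookup for {current} failed; path {queried}")
        if answer:  # first non-empty RRset ends the climb; parents are never asked
            return queried, list(answer)
        current = parent(current)
    return queried, []  # no CAA anywhere: any CA may issue


def may_issue(name: str, zone: Dict[str, object], ca: str) -> bool:
    """True if the relevant CAA set is empty or an 'issue' tag names this CA
    (issuewild and CNAME handling are omitted)."""
    _, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True
    for record in rrset:
        _flags, tag, value = record.split(" ", 2)
        if tag == "issue" and value.strip('"').split(";")[0].strip() == ca:
            return True
    return False


HOST = "misenal-dev-d8.rtvc.gov.co"
# Constructed data mirroring the thread: nothing below gov.co has CAA, gov.co fails.
ZONE_BEFORE = {"gov.co": SERVFAIL}
# The fix from the thread: a CAA record on rtvc.gov.co stops the climb before gov.co.
ZONE_AFTER = {"rtvc.gov.co": ['0 issue "letsencrypt.org"'], "gov.co": SERVFAIL}
```

With ZONE_BEFORE the climb reaches gov.co and fails, which is the "Some challenges have failed" outcome; with ZONE_AFTER it stops at rtvc.gov.co and never asks gov.co.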
