Problems domain gov.co for gubernamental use

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rtvc.gov.co

I ran this command: ./certbot-auto --apache -d misenal-dev-d8.rtvc.gov.co

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for misenal-dev-d8.rtvc.gov.co
Waiting for verification…
Challenge failed for domain misenal-dev-d8.rtvc.gov.co
http-01 challenge for misenal-dev-d8.rtvc.gov.co
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: misenal-dev-d8.rtvc.gov.co
  Type: dns
  Detail: DNS problem: query timed out looking up CAA for gov.co

My web server is (include version): httpd -version
Server version: Apache/2.4.33 (Amazon)
Server built: Jul 11 2018 22:19:58

The operating system my web server runs on is (include version): NAME=“Amazon Linux AMI”
VERSION=“2018.03”
ID=“amzn”
ID_LIKE=“rhel fedora”
VERSION_ID=“2018.03”
PRETTY_NAME=“Amazon Linux AMI 2018.03”
ANSI_COLOR=“0;33”
CPE_NAME=“cpe:/o:amazon:linux:2018.03:ga”
HOME_URL=“http://aws.amazon.com/amazon-linux-ami/”
Amazon Linux AMI release 2018.03
cpe:/o:amazon:linux:2018.03:ga

My hosting provider, if applicable, is: Amazon WS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.1

Hi @ccetina

if you want to create a certificate, CAA entries are checked.

First misenal-dev-d8.rtvc.gov.co, then rtvc.gov.co, then gov.co.

But checking the last domain there is a timeout. My own output https://check-your-website.server-daten.de/?q=misenal-dev-d8.rtvc.gov.co#caa

looks incomplete.

Unboundtest

https://unboundtest.com/m/CAA/gov.co/R7Y64IRB

reports a ServFail:

Response:
;; opcode: QUERY, status: SERVFAIL, id: 59245

Are you able to create a CAA entry with misenal-dev-d8.rtvc.gov.co or rtvc.gov.co?

That would block checking gov.co.

Oh, there is a great misconfiguration.

A not public domain acadcpr30.mcdmintic.local as primary name server. That can't work.

Executed one dns check manual, then with nslookup. Always the same:

D:\temp>nslookup -type=SOA www.gov.co.
...
...

www.gov.co
primary name server = acadcpr30.mcdmintic.local
responsible mail addr = hostmaster.mcdmintic.local
serial = 119
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 300 (5 mins)

A .local address as top level domain of the name server.

So it's impossible to ask that name server.

rigth! www.gov.co It belongs to the Ministry of Government of my country and was created about 30 days ago, It belongs to the Ministry of Government of my country and was created about 30 days ago, RTVC is a government entity too, but it is necessary then to migrate my web development services from the entity to which we work in a domain that does not have to be by hierarchy under the domain gov.co.

Thank you very much

Thank you very much, as follows complete all information in next topic.

That's

not required.

Domain rtvc.gov.co - Name server ns-1113.awsdns-11.org.

Add there a CAA entry, then gov.co isn't checked.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.