Renewal issue with DNS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: who-analytics.net whn-analytics.net

I ran this command: sudo certbot -n -d whn-analytics.net --nginx --agree-tos --email olha@necsi.edu certonly --force-renew

It produced this output:
sudo certbot -n -d whn-analytics.net --nginx --agree-tos --email olha@necsi.edu certonly --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for whn-analytics.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: whn-analytics.net
Type: dns
Detail: DNS problem: looking up A for whn-analytics.net: DNSSEC: Bogus: validation failure <whn-analytics.net. A IN>: signature crypto failed from 2600:9000:5307:9900::1; DNS problem: looking up AAAA for whn-analytics.net: DNSSEC: RRSIGs Missing: validation failure <whn-analytics.net. AAAA IN>: no signatures from 2600:9000:5300:f600::1

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version): AWS Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

There seems to be an issue with a missing glue record:
[see: whn-analytics.net | DNSViz]

3 Likes

Furthermore, no major DNS provider can determine who the authoritative servers are for your domain:
nslookup -q=ns who-analytics.net 1.1.1.1
nslookup -q=ns who-analytics.net 8.8.8.8
nslookup -q=ns who-analytics.net 9.9.9.9
All return:
can't find who-analytics.net: Non-existent domain

Even worse...
The root servers for .net [TLD] aren't showing any authoritative nameservers for your domain:
nslookup -q=ns who-analytics.net a.gtld-servers.net
Returns:
can't find who-analytics.net: Non-existent domain

So...
It seems that your domain may have been de-registered recently.

4 Likes

Not sure which was the typo. The who as the domain name or the whn in all the command examples :person_shrugging:

2 Likes

yes, it should be
whn-analytics.net

1 Like

Do you think it is problem with AWS Route 53? Or is it something I can fix on my ec2 server?

I see this https://www.ssllabs.com/ssltest/analyze.html?d=whn-analytics.net

And this https://dnsspy.io/scan/whn-analytics.net

and https://lookup.icann.org/en/lookup shows

1 Like


I have these records set up in Route 53.
Do I have to add a DS record?

There is no option to add DNSKEY. But it shows that there is one...

Could it be a problem with www.conf?

Try deleting the IPv6 DNS AAAA records,
and delete the IPv4 DNS A records except the one containing the IPv4 address 52.91.16.99,
as LE prefers IPv6 over IPv4.

1 Like

Hi @olha,

The online tool Let's Debug yields these results for the HTTP-01 challenge https://letsdebug.net/whn-analytics.net/2150258

ReservedAddress
Fatal
A private, inaccessible, IANA/IETF-reserved IP address was found for whn-analytics.net. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.
127.0.0.1
ReservedAddress
Fatal
A private, inaccessible, IANA/IETF-reserved IP address was found for whn-analytics.net. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.
172.31.18.205
ReservedAddress
Fatal
A private, inaccessible, IANA/IETF-reserved IP address was found for whn-analytics.net. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.
2001:db8:85a3::8a2e:370:7334
2 Likes
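The Let's Debug findings above boil down to one rule: an HTTP-01 challenge cannot succeed if any A or AAAA record for the name points at an address that is not routable on the public internet. The following is an added example (not code from the thread, from Let's Debug or from Certbot) that applies that rule offline to a constructed record set built from the addresses quoted in this thread; the function names and the record dictionary layout are assumptions for illustration.

```python
import ipaddress

# Constructed sample: the A/AAAA values reported by Let's Debug above,
# plus the public IPv4 address (52.91.16.99) mentioned later in the thread.
SAMPLE_RECORDS = {
    "A": ["127.0.0.1", "172.31.18.205", "52.91.16.99"],
    "AAAA": ["2001:db8:85a3::8a2e:370:7334"],
}


def classify(addr_text):
    """Return (routable, reason) for a single A/AAAA record value.

    Mirrors the kind of check Let's Debug reports as ReservedAddress:
    loopback, link-local, RFC 1918 / ULA, documentation space and other
    IANA-reserved ranges are never reachable by the CA's validators.
    """
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return False, "not a valid IP literal"
    if ip.is_loopback:
        return False, "loopback"
    if ip.is_link_local:
        return False, "link-local"
    if ip.is_private:
        # Covers 10/8, 172.16/12, 192.168/16, fc00::/7 and 2001:db8::/32
        return False, "private or documentation range"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False, "reserved"
    if not ip.is_global:
        return False, "not globally routable"
    return True, "public"


def audit(records):
    """Classify every A and AAAA value; returns a list of result dicts."""
    results = []
    for rtype in ("A", "AAAA"):
        for value in records.get(rtype, []):
            routable, reason = classify(value)
            results.append(
                {"type": rtype, "address": value, "routable": routable, "reason": reason}
            )
    return results


def http01_can_succeed(records):
    """HTTP-01 can only pass when every published address is public and at
    least one address exists at all."""
    results = audit(records)
    return bool(results) and all(r["routable"] for r in results)


def remediation(records):
    """Human-readable list of records to remove before retrying Certbot."""
    return [
        f"remove {r['type']} {r['address']} ({r['reason']})"
        for r in audit(records)
        if not r["routable"]
    ]


if __name__ == "__main__":
    for line in remediation(SAMPLE_RECORDS):
        print(line)
    print("HTTP-01 can succeed:", http01_can_succeed(SAMPLE_RECORDS))
```

Running this against the sample set lists the three records the thread ends up deleting (the loopback address, the VPC-internal 172.31.x address and the 2001:db8::/32 documentation address) and reports that validation cannot succeed until they are gone; once only 52.91.16.99 remains it reports success is possible. Note that 2001:db8::/32 is the IPv6 documentation prefix (RFC 3849), which is why the AAAA record had nothing meaningful to be replaced with: if the instance has no public IPv6 address, the correct fix is to have no AAAA record at all.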

Thanks a lot! The certificate was renewed! I removed 127.0.0.1 and 172.31.18.205.
As to 2001:db8:85a3::8a2e:370:7334, I am not sure what to replace it with.

2 Likes

Ok. There are suggestions at Route 53 for how to fix 2001:db8:85a3::8a2e:370:7334 line. I will do it.

Nothing.

1 Like

It did not allow me to have an empty field. I removed the AAAA record and now it is fine. AAAA required an IPv6 address, which was for a private cloud. I did not have one.

2 Likes
