Requesting certificate for xxxx.xxx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: xxxxx

I ran this command: applied the script, I am using docker-compose

It produced this output: "### Deleting dummy certificate for xxxx.xxx ...

Requesting Let's Encrypt certificate for xxxx.xxx ...

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xxxx.xxx and www.xxxx.xxx

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: xxxx.xxx
Type: dns
Detail: no valid A records found for xxxx.xxx; no valid AAAA records found for xxxx.xxx

Domain: www.xxxx.xxx
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.xxxxxx.xxx - check that a DNS record exists for this domain; DNS problem: SERVFAIL looking up AAAA for www.xxxx.xxx - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details."

My web server is (include version): Ubuntu 20.04

The operating system my web server runs on is (include version): Focal Fossa

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Running certbot in a container.

Let's Encrypt can only issue certificates for real domains and it has to be one you control.

2 Likes

I am trying with the real domain.

I was waiting for this reply :smiley: The hostname resolves perfectly.

@James007 While I do see a lot of errors and warnings when checking your hostname using DNSViz, it seems https://unboundtest.com/ does not have any issue resolving your hostnames. Could you perhaps try again?

3 Likes

One day the example.com or test.com folks are going to ask a question here and really catch us all out..

8 Likes

Tried again. Could you check and confirm?

Euh, what's there for me to confirm? You're the one getting a certificate or an error :wink:

2 Likes

I am getting an error. When I queried the DNS resolver at https://unboundtest.com/ for the A record, I got the results here: https://unboundtest.com/m/A/pki.atlasqa.co.uk/L7BGLADD.

So your domain is NOT actually xxxx.xxx? Guess I owe @webprofusion an apology :rofl:

3 Likes

Yea! Any catch for the error?

The subdomain pki does not have an A nor AAAA resource record in the DNS zone. The hostname should resolve to a working public IP address for the webroot plugin (which uses the http-01 challenge) to work.

In the future, please don't redact your hostname, as the actual domain name/hostname is mandatory, as specified in the first paragraph of the questionnaire. And if you redact anything, NEVER EVER use an actual working domain as a replacement, unless it's specifically meant for documentation/testing (such as example.com)!

3 Likes

Got it, but there is already an A record created for the subdomain.

Your unboundtest a few posts back showed that no A record existed. And, your first post showed a SERVFAIL looking for an AAAA. You don't need an AAAA but your DNS server should say it is not found rather than fail.

The good news is that the A record now appears and no more SERVFAIL for the AAAA. What does your certbot request do now? Ideally you would add --dry-run to the command until it works. That uses the Let's Encrypt test system and will avoid you hitting Rate Limits if problems persist.

2 Likes
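An added example, not part of the thread or any poster's own code: a pre-flight check for the DNS conditions described above (an A or AAAA record must exist, a missing AAAA must not come back as SERVFAIL, and the address must be publicly reachable) to run before the `--dry-run` request. It assumes `dig` is installed; the function names are hypothetical and `example.com` is a placeholder.

```shell
#!/bin/sh
# Pre-flight DNS check for an http-01 (webroot) request. Added example; needs `dig`.

# Print the header status (NOERROR, NXDOMAIN, SERVFAIL, ...) for name $1, type $2.
dns_status() {
  dig +noall +comments "$1" "$2" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print only the addresses for name $1, type $2 (CNAME targets are filtered out).
dns_addrs() {
  dig +short "$1" "$2" | grep -E '^([0-9]+\.){3}[0-9]+$|:' || true
}

# Report one host; return 0 only if the CA's resolver should find an address.
check_host() {
  host=$1
  st_a=$(dns_status "$host" A)
  st_aaaa=$(dns_status "$host" AAAA)
  addrs=$(dns_addrs "$host" A; dns_addrs "$host" AAAA)
  if [ "$st_a" = NXDOMAIN ]; then
    echo "$host: NXDOMAIN (name does not exist in the zone)"; return 1
  fi
  if [ "$st_a" = SERVFAIL ] || [ "$st_aaaa" = SERVFAIL ]; then
    echo "$host: SERVFAIL (nameserver error; a missing AAAA should be an empty NOERROR)"; return 1
  fi
  if [ -z "$addrs" ]; then
    echo "$host: no A or AAAA record"; return 1
  fi
  # Heuristic: RFC 1918 and loopback IPv4 only; the CA cannot reach these.
  if echo "$addrs" | grep -Eq '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'; then
    echo "$host: resolves to a private address"; return 1
  fi
  echo "$host: ok"
}

# Check every hostname given; return non-zero if any of them fails.
preflight() {
  rc=0
  for h in "$@"; do
    check_host "$h" || rc=1
  done
  return "$rc"
}

# Usage (example.com is a placeholder for your own hostnames):
#   preflight example.com www.example.com && \
#     docker-compose run --rm certbot certonly --webroot \
#       --webroot-path /var/www/certbot/ --dry-run -d example.com -d www.example.com
```

The check uses whatever resolver the machine is configured with, so a pass here can still differ from what the CA's resolver sees if the authoritative nameservers answer inconsistently.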

Two questions:

Are you using bitnami?

What tutorial are you following?

1 Like

5 x's

4 x's

6 x's

3 Likes

:rofl: I haven't counted all the x-es :blush:

3 Likes

And most of those are actually valid (and probably registered) domains.

1 Like

I am following this: Nginx and Let’s Encrypt with Docker in Less Than 5 Minutes | by Philipp | Medium

I have actually tried this dry run with the cmd docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d xxxx.xxx but the result I am getting is

-----------------------------------------------------
No renewals were attempted.
----------------------------------------------------

The cmd hangs up there.

That might be because one of the certs recently issued is still available and doesn't require renewal:
crt.sh | pki.atlasqa.co.uk

That could be a number of things.
Try adding -q and -vv then review the LE logs file.

1 Like