Setting up New Cert Gives DNS Error

Hello everyone,

I’m working on setting up a new ticketing system and the last step is to set up the certificate. This site DOES NOT face the outside and is only accessible on the inside network. When using CertBot to set up the cert, I get the below error:

My domain is: FMR.BIZJET.COM

I ran this command: sudo certbot --apache

It produced this output:
Challenge failed for domain fmr.bizjet.com
http-01 challenge for fmr.bizjet.com
cleaning up challenges
Some challenges have failed
IMPORTANT NOTES

  • The following errors were reported by the server:
    Domain: fmr.bizjet.com
    Type: connection
    Detail: dns :: DNS problem: NXDOMAIN looking up A for fmr.bizjet.com

My web server is (include version): Apache httpd-2.4.6-89.el7.centos.1.x86_64

The operating system my web server runs on is (include version): CentOS 7 centos-release-7-6.1810.2.el7.centos.x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): VMWare to remote in to server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): CertBot 0.36.0

Any help is appreciated! Thanks everyone!

Hi @JustinLTNA

Checking your domain, there is no A-record defined ( https://check-your-website.server-daten.de/?q=fmr.bizjet.com ):

Host                 T   IP-Address   is auth.   ∑ Queries   ∑ Timeout
fmr.bizjet.com           Name Error   yes        1           0
www.fmr.bizjet.com       Name Error   yes        1           0

So it's not possible to use http-01 validation to create a certificate.

Add an A- or AAAA (ipv4 or ipv6) record, then a running webserver is required.

Or switch to dns-01 validation.

Some basics:

Hello @JuergenAuer! Thank you for the quick response.

This particular site does not face externally at all so any site on the internet, unless it is hosted here locally, should not be able to see it. I have the DNS A record set up on our 2016 server, which resolves correctly internally.

I will try switching to dns-01 validation and let you know!

Thank you!

@JuergenAuer I did a dry run with it and kept getting the following error:

DNS Problem: NXDOMAIN looking up TXT for _acme-challenge.fmr.bizjet.com

You have to create a TXT entry in your dns settings.

There - https://check-your-website.server-daten.de/?q=fmr.bizjet.com#txt - is no TXT entry visible.

I did. I copied the name that it requested, _acme-challenge.fmr.bizjet.com, and gave it the value it requested at the time. When creating this, should I wait a few minutes before pressing Enter to continue on with the test?

Now let me just state that none of our onsite DNS records are open to the public, to the best of my knowledge.

Where did you create that TXT entry?

ns3.level3.net is one of your name servers, there you have to create that TXT entry.

Check

such a name and value is required.

Create the entry, then recheck your domain.

Ah that makes sense. I won’t be able to continue on then as the request has to go through management and they can take a couple weeks to complete.

Thanks for your help @JuergenAuer!

2 Likes

Letsencrypt certificates are only valid for 90 days. So you have to do that every 60 - 85 days.

Is dns-01 validation really a good idea? Or is it easier if you create an A-record and use http-01 validation?

1 Like

The A record would have to be created the same way wouldn’t it? If that’s the case then I would run into the same issue of having to wait.

That's correct. But the IP address is static, so you don't need to update your DNS setup every 60 - 85 days.

If you use dns-01 validation, you must update your TXT entry. And if you have a certificate that expires - and that needs 20 days -> your certificate is dead.

1 Like

There is a further option where you can create a CNAME entry for the _acme-challenge subdomain, pointed at a resource in a different DNS zone. That CNAME entry only has to be created once (although it has to continue to exist indefinitely), and then you can use records in the other DNS zone to prove your control over the original name.

So for example, you could create a DNS record

_acme-challenge.fmr.bizjet.com. IN CNAME _acme-challenge.someotherdomain.example.com.

and

_acme-challenge.www.fmr.bizjet.com. IN CNAME _acme-challenge.someotherdomain.example.com.

Once these are in place, you can obtain certificates for fmr.bizjet.com and www.fmr.bizjet.com on an ongoing basis by updating DNS records in someotherdomain.example.com. Several Let’s Encrypt clients have support for this mode.

The only consequence of creating this CNAME record is allowing whoever controls the other domain to obtain certificates for the original domain. If your company wants to have control of that, they could register something like bizjetcom-acmevalidation.net themselves but host it on some external infrastructure for which they can allow you to have a DNS API key, and then they can refrain from using that other domain for any other purpose. In that case, they still have control but they can let you issue your certificates whenever you want without actively involving them every time.

1 Like
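An added example (not code from the thread or from any ACME client) that models how the NXDOMAIN failure on the TXT lookup and the CNAME-delegation setup above play out during dns-01 validation: the zone data, token values and the someotherdomain.example.com name are constructed to match the records discussed, and the validator is a simplified model of what the CA does (follow CNAMEs on the _acme-challenge name, then compare the TXT value against the expected token).

```python
"""Offline model of dns-01 validation with a CNAME-delegated _acme-challenge name.

Constructed zone data; the validator is a simplified model of the CA's check,
not a copy of any ACME implementation.
"""

# Constructed zones: FQDN (trailing dot) -> list of (type, value).
ZONES = {
    # The public bizjet.com zone only needs the one-time CNAME records
    # (created once by the team that manages the ns3.level3.net zone).
    "_acme-challenge.fmr.bizjet.com.": [("CNAME", "_acme-challenge.someotherdomain.example.com.")],
    "_acme-challenge.www.fmr.bizjet.com.": [("CNAME", "_acme-challenge.someotherdomain.example.com.")],
    # The delegated zone is where the TXT token is placed at each renewal.
    "_acme-challenge.someotherdomain.example.com.": [("TXT", "constructed-token-for-fmr")],
}

MAX_CNAME_HOPS = 8  # guard against CNAME loops and runaway chains


def resolve_txt(name, zones=ZONES):
    """Follow CNAMEs from `name` and return the TXT values found; [] means NXDOMAIN."""
    seen = []
    for _ in range(MAX_CNAME_HOPS):
        rrset = zones.get(name)
        if rrset is None:
            return []  # NXDOMAIN: nothing is published for this name (the thread's error)
        cnames = [v for t, v in rrset if t == "CNAME"]
        if cnames:
            if name in seen:
                raise ValueError("CNAME loop at " + name)
            seen.append(name)
            name = cnames[0]  # a name with a CNAME has no other data; keep following
            continue
        return [v for t, v in rrset if t == "TXT"]
    raise ValueError("too many CNAME hops")


def dns01_validated(domain, expected_token, zones=ZONES):
    """True if _acme-challenge.<domain> (after CNAMEs) carries a TXT equal to expected_token."""
    challenge_name = "_acme-challenge." + domain.rstrip(".") + "."
    return expected_token in resolve_txt(challenge_name, zones)


def publish_token(zones, delegated_name, token):
    """Renewal step: only the TXT in the delegated zone changes; bizjet.com is untouched."""
    zones[delegated_name] = [("TXT", token)]
```

A name with no TXT after the CNAME chain, or no records at all, fails exactly as the NXDOMAIN error in the thread does; only the delegated zone needs a DNS API key for the 60 - 85 day renewals.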

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.