SSL error: DNS record exists for this domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nlclass.nl

I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d nlclass.nl

I forgot to add *.nlclass.nl, so when I tried this command again I get an error:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d nlclass.nl -d *.nlclass.nl

It produced this output:
Existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/nlclass.nl.conf). It contains: nlclass.nl

Domain: nlclass.nl
Type: none
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nlclass.nl -check that a DNS record exists for this domain

My web server is (include version):
https://wp2.nlclass.nl (as you see, it has no SSL)

The operating system my web server runs on is (include version):
Ubuntu 18.04.3 (LTS) x64

My hosting provider, if applicable, is:
Domain name from namecheap.
Domain server (droplet) from DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
digital ocean control panel
command line (ubuntu)
and
virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

It's right, you know...

% dig txt _acme-challenge.nlclass.nl

; <<>> DiG 9.16.1-Ubuntu <<>> txt _acme-challenge.nlclass.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27963
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.nlclass.nl.	IN	TXT

;; Query time: 224 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: mar ago 11 09:02:59 CEST 2020
;; MSG SIZE  rcvd: 55

(Anyhow, you should use single quotes around wildcards -d '*.nlclass.nl' otherwise your shell might get in the way)

I also think those in the screenshot aren’t your actual dns records: are you configuring the right nameservers?

And even if they were, you can't set a TXT record where you already have a CNAME; the TXT record will (should) get ignored.

# dig ns nlclass.nl 

; <<>> DiG 9.16.1-Ubuntu <<>> ns nlclass.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60660
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;nlclass.nl.                    IN      NS

;; ANSWER SECTION:
nlclass.nl.             1800    IN      NS      ns1.digitalocean.com.
nlclass.nl.             1800    IN      NS      ns3.digitalocean.com.
nlclass.nl.             1800    IN      NS      ns2.digitalocean.com.

;; Query time: 15 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Aug 11 09:10:42 CEST 2020
;; MSG SIZE  rcvd: 109

# dig ns nl.   
                    
; <<>> DiG 9.16.1-Ubuntu <<>> ns nl. 
;; global options: +cmd 
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23297
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;nl.                            IN      NS

;; ANSWER SECTION:
nl.                     3600    IN      NS      ns3.dns.nl.
nl.                     3600    IN      NS      ns2.dns.nl.
nl.                     3600    IN      NS      ns1.dns.nl.

;; Query time: 19 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Aug 11 09:12:48 CEST 2020
;; MSG SIZE  rcvd: 89
# dig @ns2.dns.nl ns nlclass.nl 

; <<>> DiG 9.16.1-Ubuntu <<>> @ns2.dns.nl ns nlclass.nl
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57486
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: eecbbce7544fab7722a0f0255f32450903e333427c55e2fa (good)
;; QUESTION SECTION:
;nlclass.nl.                    IN      NS

;; AUTHORITY SECTION:
nlclass.nl.             3600    IN      NS      ns3.digitalocean.com.
nlclass.nl.             3600    IN      NS      ns1.digitalocean.com.
nlclass.nl.             3600    IN      NS      ns2.digitalocean.com.

;; Query time: 3 msec
;; SERVER: 2001:67c:1010:10::53#53(2001:67c:1010:10::53)
;; WHEN: Tue Aug 11 09:13:13 CEST 2020
;; MSG SIZE  rcvd: 137

Thank you.
"I also think those in the screenshot aren’t your actual dns records: are you configuring the right nameservers?"
--> Yes, I set those exact DNS records from the printscreen.

" (Anyhow, you should use single quotes around wildcards -d '*.nlclass.nl' otherwise your shell might get in the way)"
--> I used Backslash*.nlclass.nl but this forum automatically removes the backslash.

You posted a file:

% dig txt _acme-challenge.nlclass.nl

; <<>> DiG 9.16.1-Ubuntu <<>> txt _acme-challenge.nlclass.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27963
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.nlclass.nl. IN TXT

;; Query time: 224 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: mar ago 11 09:02:59 CEST 2020
;; MSG SIZE rcvd: 55

Question:
I'm new. In order to solve the SSL problem,

  1. Should I create a file with your posted text?
  2. Should I delete the /etc/letsencrypt folder?
  3. What should I change in my DNS settings from the printscreen?

No, that's not a file, that's the output of a tool that queries dns servers.

ABSOLUTELY NOT.

If you're using acme-dns, you should only have a CNAME record like this:

_acme-challenge 3600 in CNAME somethingsomething.auth.acme-dns.io

If you're going to use your provider's API (digitalocean should be supported by most clients, and by certbot in particular) you should have nothing on _acme-challenge, because the client will create and destroy the records when it needs to do so.

But you should really make sure that those are your actual dns records, because they look really different to me. Where are you editing them from?

"where are you editing them from"
--> From VirtualMin, an app in the Digitalocean control panel. URL: https://host.nlclass.nl:10000/virtual-server/list_records.cgi?dom=159710724121633&xnavigation=1

"If you’re using acme-dns, you should only have a CNAME record"
Yes, in the printscreen there is only 1 CNAME record. After I got the error message which says:

NXdomain looking up TXT for _acme-challenge.nlclass.nl - check that a DNS record exists for this domain

I then added a TXT record, which didn't help. I will remove the TXT record now.

Question:
Should I change something in the letsencrypt renewal conf file?

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/nlclass.nl
cert = /etc/letsencrypt/live/nlclass.nl/cert.pem
privkey = /etc/letsencrypt/live/nlclass.nl/privkey.pem
chain = /etc/letsencrypt/live/nlclass.nl/chain.pem
fullchain = /etc/letsencrypt/live/nlclass.nl/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 611ec28d8b4da9f6c3fe62a2cb8c667b
rsa_key_size = 2048
authenticator = webroot
manual_public_ip_logging_ok = True
webroot_path = /home/nlclass/public_html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
nlclass.nl = /home/nlclass/public_html

Also:
SSL works on my domain: nlclass.nl
SSL does not work on my subdomain: wp2.nlclass.nl
What is the best way to renew it so that the subdomain also works?

Yeah, and that's still unresolved.

Now you need to follow me carefully: I can see your CNAME/TXT record, but only if I query host.nlclass.nl directly.

# dig @host.nlclass.nl txt _acme-challenge.nlclass.nl 

; <<>> DiG 9.16.1-Ubuntu <<>> @host.nlclass.nl txt _acme-challenge.nlclass.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25611
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cf011098da4d8f78996846625f324bf4f95ec637de063f8d (good)
;; QUESTION SECTION:
;_acme-challenge.nlclass.nl.    IN      TXT

;; ANSWER SECTION:
_acme-challenge.nlclass.nl. 3600 IN     CNAME   cae0c757-6268-45db-b8d2-061af219d161.auth.acme-dns.io.

;; Query time: 11 msec
;; SERVER: 178.128.244.70#53(178.128.244.70)
;; WHEN: Tue Aug 11 09:42:44 CEST 2020
;; MSG SIZE  rcvd: 150

But the issue is that host.nlclass.nl is not an authoritative name server for nlclass.nl, whose authoritative nameservers are ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com.

My advice would be to use those. (find the right control panel in digitalocean's website -- webmin is not it.)

But if you want to use host.nlclass.nl, you need to log in to your registrar's panel (whoever you bought your domain from) and set it as a nameserver (also: it's really unadvisable to use a single nameserver, find a backup :wink:), without forgetting to add a glue record -- and keeping it up to date, which is a totally avoidable pain in the ass: use digitalocean's nameservers :smiley:

# dig @ns2.dns.nl ns nlclass.nl 

; <<>> DiG 9.16.1-Ubuntu <<>> @ns2.dns.nl ns nlclass.nl
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11435
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0812dbde428f533255572bd65f324c8680c2a681a65b01fc (good)
;; QUESTION SECTION:
;nlclass.nl.                    IN      NS

;; AUTHORITY SECTION:
nlclass.nl.             3600    IN      NS      ns1.digitalocean.com.
nlclass.nl.             3600    IN      NS      ns2.digitalocean.com.
nlclass.nl.             3600    IN      NS      ns3.digitalocean.com.

;; Query time: 3 msec
;; SERVER: 2001:67c:1010:10::53#53(2001:67c:1010:10::53)
;; WHEN: Tue Aug 11 09:45:10 CEST 2020
;; MSG SIZE  rcvd: 137
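As an added example that is not part of this thread (nobody here posted it), a small Python checker that parses the text dig prints and flags the three problems raised in this reply: an NXDOMAIN from the resolver, a server that is not in the parent zone's NS delegation, and a CNAME at the challenge name (whose target is where the TXT must live). The sample inputs are trimmed from the dig output quoted above; the function and variable names are my own.

```python
import re

# Added example: parse dig's text output offline and flag DNS-01 misconfigurations.

def parse_dig(text):
    """Server named with @ in the dig header, rcode, header flags, and (owner, type, rdata) records."""
    args = re.search(r"^; <<>> DiG .* <<>> (.+)$", text, re.M)
    server = next((a[1:] for a in (args.group(1).split() if args else []) if a[0] == "@"), None)
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    records = []
    for line in text.splitlines():
        if line and not line.startswith(";"):       # only resource-record lines lack a ';' prefix
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return {"server": server, "status": status.group(1) if status else None,
            "flags": flags.group(1).split() if flags else [], "records": records}

def diagnose(delegation_text, challenge_text, name):
    """Check a TXT lookup of `name` against the NS set the parent zone delegates to."""
    auth_ns = {r[2] for r in parse_dig(delegation_text)["records"] if r[1] == "NS"}
    chal, name = parse_dig(challenge_text), name.rstrip(".").lower()
    findings = []
    if chal["status"] == "NXDOMAIN":
        findings.append(f"NXDOMAIN: resolvers see no record at {name}")
    if chal["server"] and chal["server"].rstrip(".").lower() not in auth_ns:
        findings.append(f"{chal['server']} is not a delegated nameserver ({', '.join(sorted(auth_ns))})")
    if chal["server"] and "aa" not in chal["flags"]:
        findings.append(f"{chal['server']} answered without the aa flag")
    for owner, rtype, rdata in chal["records"]:
        if owner == name and rtype == "CNAME":
            findings.append(f"CNAME present: the TXT record must exist at {rdata}")
    return findings

# Trimmed from the dig output quoted in the thread: the parent's delegation and the host.nlclass.nl query.
DELEGATION = """\
; <<>> DiG 9.16.1-Ubuntu <<>> @ns2.dns.nl ns nlclass.nl
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11435
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
nlclass.nl.             3600    IN      NS      ns1.digitalocean.com.
nlclass.nl.             3600    IN      NS      ns2.digitalocean.com.
nlclass.nl.             3600    IN      NS      ns3.digitalocean.com.
"""
CHALLENGE = """\
; <<>> DiG 9.16.1-Ubuntu <<>> @host.nlclass.nl txt _acme-challenge.nlclass.nl
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25611
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
_acme-challenge.nlclass.nl. 3600 IN     CNAME   cae0c757-6268-45db-b8d2-061af219d161.auth.acme-dns.io.
"""
```

Calling `diagnose(DELEGATION, CHALLENGE, "_acme-challenge.nlclass.nl")` reports that host.nlclass.nl is not a delegated nameserver and that the TXT must live at the CNAME target, which is exactly why Let's Encrypt saw NXDOMAIN.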

"Now you need to follow me carefully"
--> ok. I just now set the following DNS records. See printscreen.

Is this correct?

This looks better, but I’m not sure what you’re trying to do.

That looks like you’re trying to get a wildcard for *.wp2.nlclass.nl

I created an Amazon Lightsail instance and am trying to secure it with a Let's Encrypt SSL certificate.

I get the following error when I run this command:

/home/bitnami/letsencrypt/letsencrypt-auto certonly -w /home/bitnami/apps/wordpress/htdocs -d yourdomain.com.au -d www.yourdomain.com.au

How do I fix it?

Are you the same person?

If you’re using bitnami you should not have installed certbot, and should have read their documentation.

https://docs.bitnami.com/general/faq/administration/generate-configure-certificate-letsencrypt/

It also looks like you don’t have an A record for www.whateveryourdomainis.com

"Are you the same person?"
--> the username Remmel is not me. It's someone that I don't know.


"This looks better, but I'm not sure what you're trying to do. That looks like you're trying to get a wildcard for *.wp2.nlclass.nl"
--> yes, I am trying to set *.nlclass.nl. But it gives me an error (in any of the 3 windows for setting up DNS records, see printscreen) and I have no idea where to look to fix SSL for wp2.nlclass.nl.

Question: Where should I look?
Question: Why does SSL work for nlclass.nl and not for wp2.nlclass.nl?

"I also think those in the screenshot aren't your actual dns records: are you configuring the right nameservers?"
--> You are right, I posted the DNS records from VirtualMin/WebMin.
Below are the DNS records from the control panel (of DigitalOcean). Are the DNS records set correctly?

That CNAME does not look ok, it has two nlclass.nl, remove one. (Maybe you should just put _acme-challenge as host and let DO fill in the domain)

(But I think you should use digitalocean’s api, not acme-dns)

Thank you for your answer. After I added the DNS record *.nlclass.nl it worked, because now https://wp2.nlclass.nl has SSL. This thread is solved. Thanks, have a nice day.
