SSL Install Problem

I have been unable to install SSL certificates on my servers for 10 days. While doing SSL certificate setup (tried on 10-15 different servers), I am getting many errors. I investigated these errors on the community page, but nobody knows a clear solution. The general opinion is that this issue is related to firewall blocking and letsencrypt servers.

Errors during setup:

1-

Verify error: During secondary validation: No valid IP addresses found for millenniamag.com [Sun Jan 24 11:43:59 +03 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

2-

millenniamag.com:Verify error: During secondary validation: DNS problem: query timed out looking up CAA for millenniamag.com [Sun Jan 24 11:48:40 +03 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

3-

Verify error: During secondary validation: No valid IP addresses found for millenniamag.com [Sun Jan 24 11:49:57 +03 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

4-

Verify error: During secondary validation: DNS problem: query timed out looking up A for millenniamag.com [Sun Jan 24 11:58:41 +03 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

When I try it for the 5th time, the RATE LIMIT drops directly, so the limit is stuck. My opinion is that the above 4 errors occur sequentially. Why can't I install the SSL certificate?

Hi and welcome to the LE community forum :)

The first thing to do after a couple of failures of this type should have been:
Switching to --staging to test things out
Before you hit any rate limits.
But what is done is done.

Now you are forced to use --staging for all tests and wait until the limit clears to issue a new cert.

That said, we can test and try to get to the bottom of what is going wrong...


Problem #1: Your entire DNS hinges on one single IP (185.171.24.51).

millenniamag.com        nameserver = tr1.narinhosting.com
millenniamag.com        nameserver = tr2.narinhosting.com

Name:    tr1.narinhosting.com
Address: 185.171.24.51

Name:    tr2.narinhosting.com
Address: 185.171.24.51

Which is a very poor design:
DNS Spy report for millenniamag.com

The server has been active for 1 year, with 500 sites running on it. There have been certificate problems for the last 10 days only. I am having the same problems not only on 1 server but on my 15-20 servers.

Redundancy can cover these types of "unknown" issues.
While you find them and work them out.
That is an "all-eggs-in-one-basket" approach that will eventually leave you without any eggs at all.

millenniamag is just one example. I cannot install SSL on any site that does not have a certificate on the server. We get errors 1-2-3-4, respectively, on the domains.

And this problem has been experienced a lot lately, especially at the end of 2020.

Q1. Are the problems all the same?

Q2. Do all the problematic domains use this same single DNS server?

Yes, all sites use the same DNS.


There is your common problem area.

Sites on different servers have their own DNS.

One DNS server only?
Or one DNS server per site - but you do have multiple DNS servers?

All errors are from secondary validation attempts it seems. Are you running some kind of firewall which is blocking certain IP ranges from parts of the world? Perhaps your service provider(s) do?


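An added example, not written by any poster in this thread: a small triage script that runs the two checks the replies make by eye, namely which validation stage and DNS lookup each acme.sh error points at, and whether the listed nameservers sit behind a single IP. The error lines and nameserver addresses are copied from the posts above; the function names and the `kind` labels are hypothetical.

```python
import re
from collections import defaultdict

# acme.sh verify errors copied from the first post (timestamps dropped).
ERRORS = [
    "Verify error: During secondary validation: No valid IP addresses found for millenniamag.com",
    "millenniamag.com:Verify error: During secondary validation: DNS problem: query timed out looking up CAA for millenniamag.com",
    "Verify error: During secondary validation: No valid IP addresses found for millenniamag.com",
    "Verify error: During secondary validation: DNS problem: query timed out looking up A for millenniamag.com",
]

# Nameserver -> addresses, as shown in the nslookup output in the thread.
NAMESERVERS = {
    "tr1.narinhosting.com": ["185.171.24.51"],
    "tr2.narinhosting.com": ["185.171.24.51"],
}

PATTERN = re.compile(
    r"Verify error:\s*(?P<stage>During secondary validation:)?\s*"
    r"(?:DNS problem: query timed out looking up (?P<rtype>\w+)"
    r"|(?P<noip>No valid IP addresses found))"
    r" for (?P<domain>\S+)"
)

def classify(line):
    """Return (stage, kind, domain) for one verify error, or None if unrecognised."""
    m = PATTERN.search(line)
    if not m:
        return None
    stage = "secondary" if m.group("stage") else "primary"
    kind = "no-address" if m.group("noip") else "timeout-" + m.group("rtype")
    return stage, kind, m.group("domain")

def shared_ips(nameservers):
    """Map each IP to the nameservers behind it, keeping IPs used by more than one."""
    by_ip = defaultdict(list)
    for ns, ips in nameservers.items():
        for ip in ips:
            by_ip[ip].append(ns)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}

if __name__ == "__main__":
    for line in ERRORS:
        print(classify(line))
    print("nameservers sharing an IP:", shared_ips(NAMESERVERS))
```

Every error classifies as a secondary-validation DNS failure, and both nameservers map to the same address, which matches the two observations made in the replies.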