Subdomain - DNS problem: NXDOMAIN looking up A

My domain is:
api.sergionajera.com

I ran this command:
/opt/letsencrypt/letsencrypt-auto certonly --debug --webroot -w /var/www/api.sergionajera.com -d api.sergionajera.com -d www.api.sergionajera.com --config /etc/letsencrypt/config.ini --agree-tos

It produced this output:
IMPORTANT NOTES:

My web server is (include version):
nginx/1.14.2

The operating system my web server runs on is (include version):
Linux/unix EC2 instance

uname -r

4.19.0-9-amd64

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
/opt/letsencrypt/letsencrypt-auto --version
certbot 1.7.0

Hi all, I have a peculiar situation, and maybe it can’t even be done. I’m loosely following this guide (https://medium.com/@gnowland/deploying-lets-encrypt-on-an-amazon-linux-ami-ec2-instance-f8e2e8f4fc1f)

But here’s the problem:
I have a digital ocean bucket I’m using for my client
I have an AWS EC2 instance for my backend
I have only one domain name (sergionajera.com)

I’m using the networking tab in Digital Ocean to point a subdomain to my EC2 instance, so I can create a cert for it and not have to buy another domain name.

I’m not even sure if this is possible, but since it’s a backend API, I don’t really care what the name is, therefore I don’t want to spend more money on it, but I want the benefits of TLS.

I’m getting the error above, even though I have an A record pointing to that IP address. Any ideas?

tl;dr; I want SSL/TLS on my backend service, but I don’t want to pay for another domain name, so I created a subdomain and am pointing to AWS from Digital Ocean. Not sure if this is even possible.

Hi @sergnio

Now there is no IP address defined - https://check-your-website.server-daten.de/?q=api.sergionajera.com

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| api.sergionajera.com | A | | yes | 11 | 0 |
| | AAAA | | yes | | |
| www.api.sergionajera.com | A | | yes | 11 | 0 |
| | AAAA | | yes | | |

Neither non-www nor www. In your check you had an A record for your non-www, but not for your www, so the NXDomain result is expected.

If you want to create a certificate via http validation, an A record is required.


@JuergenAuer , thank you for the quick reply.
So again, I’m changing these DNS records on digital ocean to point to an AWS EC2 instance.
Not sure if this is even allowed.

But I added an A record for api.sergionajera.com and an A record for www.api.sergionajera.com per your suggestion.

Now I’m getting this error, even though both addresses have an IP associated with them:

Domain: api.sergionajera.com
Type:   unauthorized
Detail: Invalid response from
http://api.sergionajera.com/.well-known/acme-challenge/q3LKxQYjIWM6CTOSrTzezNPeGtm3SUx_YwVZIwBgI30
[18.217.175.207]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:

Domain: www.api.sergionajera.com
Type:   dns
Detail: No valid IP addresses found for www.api.sergionajera.com

When I go to http://www.api.sergionajera.com/ in my web browser, I go directly to my instance, which contradicts the Detail error message.

Looks like some of your name servers are very slow.

Try it one time again. Your last check - https://check-your-website.server-daten.de/?q=api.sergionajera.com - looks ok.

@JuergenAuer really, thank you so much for all your help. It turns out all I had to do was wait.
This tool is fantastic! Does your tool force the DNS servers to look for new DNS assignments? Or how does that work?


The tool always checks the root servers first to find the authoritative name servers of the domain.

Then these name servers are checked, so the results are not cached.

It's its own DNS client.
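The root-first, uncached lookup the reply above describes, as an added example that is not part of this thread or of the check tool's own code: it walks root → TLD → authoritative servers and asks the zone's own servers for the record, so a recursive resolver's cache cannot hide a missing or stale A record. The `ZONE_DATA`, the server names and the `send_query` hook are constructed assumptions (one name server is simulated as timing out, as hinted at in the thread); only the IP address comes from the thread.

```python
"""Iterative, cache-free A lookup: root -> TLD -> authoritative servers."""
from typing import Callable, Dict, List, Optional, Tuple

Reply = Tuple  # ("ns", [servers]) referral | ("a", [ips]) answer | ("nxdomain",)

# Constructed sample data (assumption): what each pretend server answers.
# A server absent from this dict is treated as not answering (timeout).
ZONE_DATA: Dict[str, Dict[str, Reply]] = {
    "root":           {"com.": ("ns", ["tld.com-server"])},
    "tld.com-server": {"sergionajera.com.": ("ns", ["ns1.example", "ns2.example"])},
    # ns1.example is deliberately missing: it "times out", ns2.example answers.
    "ns2.example": {
        "api.sergionajera.com.":     ("a", ["18.217.175.207"]),  # IP seen in the thread
        "www.api.sergionajera.com.": ("nxdomain",),              # A record not added yet
    },
}


def longest_match(zone: Dict[str, Reply], qname: str) -> Optional[Reply]:
    """Return the most specific entry a server holds for qname (like a zone cut)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    return None


def simulated_query(server: str, qname: str) -> Optional[Reply]:
    """Stand-in for a real UDP/TCP query; None means no response (timeout)."""
    return longest_match(ZONE_DATA.get(server, {}), qname)


def resolve_iterative(qname: str, send_query: Callable[[str, str], Optional[Reply]] = simulated_query,
                      max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow referrals from the root; returns ("A", ips), ("NXDOMAIN", []) or ("ERROR", [why])."""
    qname = qname if qname.endswith(".") else qname + "."
    servers = ["root"]  # a real client would start from the root hints file
    for _ in range(max_hops):
        for server in servers:  # try each server of the current zone in turn
            reply = send_query(server, qname)
            if reply is None:  # slow / unresponsive server: fall back to the next one
                continue
            if reply[0] == "a":
                return ("A", list(reply[1]))
            if reply[0] == "nxdomain":  # authoritative denial, no cache involved
                return ("NXDOMAIN", [])
            servers = list(reply[1])  # referral: descend to the child zone's servers
            break
        else:
            return ("ERROR", ["no server for this zone answered"])
    return ("ERROR", ["too many referrals"])
```

Before requesting a certificate with the http-01 challenge, the returned address should match the host serving `/.well-known/acme-challenge/`; an `NXDOMAIN` result for a name you just added means the authoritative servers themselves do not have the record yet.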
