Unable to activate ssl to my subdomain

I ran certbot --apache, then entered some of the details; however, it failed to register.

Which names would you like to activate HTTPS for?

1: login.woogedu.com
2: www.login.woogedu.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for login.woogedu.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: login.woogedu.com
Type: dns
Detail: DNS problem: looking up CAA for login.woogedu.com: DNSSEC: Bogus

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My domain provider is Bluehost.

Jan 10 08:14:32 unbound1.19[296400:0] debug: Validating a nodata response
Jan 10 08:14:32 unbound1.19[296400:0] debug: NODATA response failed to prove NODATA status with NSEC/NSEC3\

The NSEC given says there 'should' be a CAA record there, but there isn't.
Your nameserver fails on nonexistent subdomain names or types, so I think Bluehost has a broken implementation of DNSSEC.

2 Likes

No, the issue is that when queried for a CAA RR, the nameserver responds with an NSEC RR. If that were all, it wouldn't be a problem. BUT: there are A and AAAA RRs for that hostname! Thus an NSEC RR should not be present for CAA, as NSEC means: "There is no such hostname". But there is! NSEC isn't specific to just CAA RRs; NSEC says something about the presence (or not) of an entire hostname.

See login.woogedu.com | DNSViz for more info.

4 Likes
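To make the distinction in the reply above concrete, here is an added example (not code from the thread, and not the actual records served for login.woogedu.com) that applies the RFC 4034/4035 rules a validator such as unbound uses when it checks whether an NSEC record proves a NODATA answer. A NODATA proof for (qname, CAA) needs an NSEC whose owner name is qname itself with CAA absent from its type bitmap; an NSEC whose owner sorts before qname and whose "next" name sorts after it instead denies that qname exists at all, which is contradicted by the A/AAAA records the validator already knows about. The NSEC records, the `classify_proof`/`validate_nodata` function names and the "known types" input are all constructed for this illustration; the second record mimics the wildcard-shaped NSEC the later reply speculates about.

```python
"""Check whether an NSEC record proves a NODATA answer (RFC 4034 / RFC 4035).

Added illustration, not the thread's own code. Record contents are constructed
and do not reproduce the real login.woogedu.com responses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str            # owner name of the NSEC RR
    next_name: str        # "next" field: the following name in canonical order
    types: frozenset      # type bitmap, e.g. {"A", "AAAA", "RRSIG", "NSEC"}


def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 ordering: labels compared right to left, case-insensitively.

    Python tuple comparison of lowercased labels matches the RFC for ASCII labels:
    labels compare by octet value and a shorter prefix sorts first.
    """
    labels = [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def covers(nsec: NSEC, qname: str) -> bool:
    """True if qname falls strictly between owner and next (NXDOMAIN-style span).

    The last NSEC in a zone wraps around to the apex, so handle owner > next.
    """
    o, n, q = canonical_key(nsec.owner), canonical_key(nsec.next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def classify_proof(nsec: NSEC, qname: str, qtype: str) -> str:
    """Return what this NSEC actually asserts about (qname, qtype).

    'nodata'   - owner == qname and qtype not in bitmap: qname exists, no qtype RRset
    'nxdomain' - owner < qname < next: qname does not exist at all
    'bogus'    - the NSEC proves neither (e.g. bitmap claims qtype exists)
    """
    if canonical_key(nsec.owner) == canonical_key(qname):
        return "nodata" if qtype not in nsec.types else "bogus"
    if covers(nsec, qname):
        return "nxdomain"
    return "bogus"


def validate_nodata(nsec: NSEC, qname: str, qtype: str, known_types: set) -> str:
    """Validator view of a NODATA answer for (qname, qtype).

    known_types: RR types the resolver has already seen at qname (constructed input
    standing in for the earlier A/AAAA lookups). An NXDOMAIN-style NSEC for a name
    that demonstrably has RRsets is exactly the contradiction unbound logs as
    "NODATA response failed to prove NODATA status with NSEC/NSEC3".
    """
    kind = classify_proof(nsec, qname, qtype)
    if kind == "nodata":
        return "secure"
    if kind == "nxdomain" and known_types:
        return "bogus: NSEC denies a name that has " + ",".join(sorted(known_types))
    return "bogus: NSEC does not prove NODATA for " + qtype


# Constructed sample records (labelled as such; not the real zone data).
GOOD_NSEC = NSEC("login.woogedu.com.", "mail.woogedu.com.",
                 frozenset({"A", "AAAA", "RRSIG", "NSEC"}))
# Wildcard-shaped NSEC that spans login.woogedu.com instead of naming it.
WILDCARD_NSEC = NSEC("*.woogedu.com.", "www.woogedu.com.",
                     frozenset({"A", "AAAA", "RRSIG", "NSEC"}))


if __name__ == "__main__":
    for rec in (GOOD_NSEC, WILDCARD_NSEC):
        print(rec.owner, "->", validate_nodata(rec, "login.woogedu.com.", "CAA", {"A", "AAAA"}))
```

Running the script prints `secure` for the first record and a `bogus:` verdict for the wildcard-shaped one, which is the same outcome the CA's validating resolver reported in the original error.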

Looks like the wildcard subdomain config and the DNSSEC setting clash: the server doesn't have a specific record for that domain, so an NSEC is made to cover that, but it replies with what the wildcard had too anyway.

3 Likes
