Unable to create certificates

Dear all,
I tried to renew my SSL certificate, but it failed. So I reinstalled Certbot and tried again, and it failed again. Could you please help me? Thank you!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
virtualgrads.com

I ran this command:
certbot certonly --dns-route53 -d "virtualgrads.com" -d "*.virtualgrads.com" -i nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for virtualgrads.com and *.virtualgrads.com

Certbot failed to authenticate some domains (authenticator: dns-route53). The Certificate Authority reported these problems:
  Domain: virtualgrads.com
  Type:   dns
  Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for virtualgrads.com - the domain's nameservers may be malfunctioning

  Domain: virtualgrads.com
  Type:   dns
  Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for virtualgrads.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-route53. Ensure the above domains have their DNS hosted by AWS Route53.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.3 LTS

My hosting provider, if applicable, is:
Amazon

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0


Just like this says. Your DNS server is very misconfigured. You need to have a working domain name before you can get a certificate for it. This lists a bunch of errors:

https://dnsviz.net/d/virtualgrads.com/dnssec/

You need to ensure that the DNS servers listed at your registrar match up with the DNS servers configured in your zone. AWS Route 53 uses a lot of different name servers, and will give different ones for each zone you create, and you need to make sure that the ones it gives you for your zone are the ones you use with your registrar.

You can look at this for instructions on getting the nameservers being used for your zone to give to your registrar:

If you also use AWS as your registrar, look at:

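The check described in the reply above (the NS set the registrar published at the parent must equal the NS set inside the Route 53 hosted zone), as an added example that is not part of the original thread. It parses the record lines `dig` prints and compares the two sets; `live_ns_set()` wraps a real `dig` call (assumed to be installed) for use against a real domain, while the embedded sample outputs are constructed and use example.com and made-up awsdns host names, not the poster's real data. Note that a parent (TLD) server answers an NS query with a referral, so the records arrive in the AUTHORITY section, which is why `+noall +answer +authority` is used instead of `+short`.

```python
"""Compare the delegation at the parent zone with the NS set in the hosted zone.

Added example; not code from the thread or from Certbot/Route 53.
Assumes `dig` is on PATH for live_ns_set(); the offline demo needs nothing.
"""
import subprocess
from typing import Dict, Iterable, List, Set


def normalise(name: str) -> str:
    """Lowercase and ensure exactly one trailing dot (FQDN form)."""
    return name.strip().lower().rstrip(".") + "."


def parse_ns_output(text: str) -> Set[str]:
    """Extract NS targets from dig output.

    Accepts both `+short` lines (one host per line) and full record lines
    such as `example.com. 172800 IN NS ns-1.example.net.`; comment lines
    starting with ';' are ignored.
    """
    targets: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) == 1:                       # +short style
            targets.add(normalise(fields[0]))
        elif len(fields) >= 5 and fields[3].upper() == "NS":
            targets.add(normalise(fields[4]))      # full record style
    return targets


def delegation_report(parent_ns: Iterable[str], zone_ns: Iterable[str]) -> Dict[str, object]:
    """Report whether the registrar-side delegation matches the zone's NS set."""
    parent, zone = set(parent_ns), set(zone_ns)
    return {
        "consistent": bool(parent) and parent == zone,
        "only_at_registrar": sorted(parent - zone),   # published at TLD, not in zone
        "only_in_zone": sorted(zone - parent),        # in zone, never delegated
    }


def live_ns_set(name: str, server: str = None) -> Set[str]:
    """Query NS records for `name`, optionally at a specific server.

    Querying a parent (e.g. a .com TLD server) returns a referral, so the
    NS records land in the AUTHORITY section; +answer +authority covers both.
    """
    cmd = ["dig", "+noall", "+answer", "+authority", "NS", name]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_ns_output(out)


# Constructed sample outputs: the parent delegates to one Route 53 NS set,
# but the hosted zone actually being served uses a different one (the
# situation the thread describes). Host names are made up.
SAMPLE_PARENT_OUTPUT = """\
example.com.\t172800\tIN\tNS\tns-111.awsdns-11.com.
example.com.\t172800\tIN\tNS\tns-222.awsdns-22.net.
example.com.\t172800\tIN\tNS\tns-333.awsdns-33.org.
example.com.\t172800\tIN\tNS\tns-444.awsdns-44.co.uk.
"""

SAMPLE_ZONE_OUTPUT = """\
ns-555.awsdns-55.com.
ns-666.awsdns-66.net.
ns-333.awsdns-33.org.
NS-444.AWSDNS-44.CO.UK.
"""


def check_sample() -> Dict[str, object]:
    """Run the comparison on the constructed samples (offline)."""
    return delegation_report(parse_ns_output(SAMPLE_PARENT_OUTPUT),
                             parse_ns_output(SAMPLE_ZONE_OUTPUT))


if __name__ == "__main__":
    report = check_sample()
    print("delegation consistent:", report["consistent"])
    print("at registrar but not in zone:", report["only_at_registrar"])
    print("in zone but not at registrar:", report["only_in_zone"])
```

For a live check, `live_ns_set("yourdomain.example", "a.gtld-servers.net")` gives the parent-side set and `live_ns_set("yourdomain.example", "<one of the zone's awsdns servers>")` the zone-side set; until the report says consistent, Let's Encrypt's resolvers can land on servers that do not carry the zone, which is exactly the SERVFAIL in the original post.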

This may be indicative of some sort of geolocation policy that prevents certain locations from reaching your authoritative DNS servers.
You should speak with the DSP about their policies.


Yeah, there might be something else going on too, but I think fixing the delegation to the domain has to happen first in order to meaningfully dig in further.


Agreed: There is more than meets the eye here.


@petercooperjr you are right. The DNS zone was wrong. Many thanks to everybody!
