Unable to get certificate via certbot nginx

Hi, I have been trying for a few days but still can't get a certificate for my domain name. I have tried to modify /etc/nginx/sites-available/default and /etc/nginx/sites-enabled/default to add my domain name to the server_name, but it still doesn't work. Let me know what I can provide. Any help is deeply appreciated. Thanks a lot.

My domain is:
www.pinepenguins.space

I ran this command:
sudo certbot --nginx -d www.pinepenguins.space -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for www.pinepenguins.space
Performing the following challenges:
http-01 challenge for www.pinepenguins.space
Waiting for verification...
Challenge failed for domain www.pinepenguins.space
http-01 challenge for www.pinepenguins.space

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.pinepenguins.space
  Type:   dns
  Detail: DNS problem: looking up CAA for www.pinepenguins.space: DNSSEC: Bogus

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20230919

My hosting provider, if applicable, is:
Amazon (ec2)

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

That failure is caused by a faulty DNS configuration.

There are numerous problems with it. You might start with either of the below tools. Or, even start by turning off DNSSEC and see if the https://unboundtest.com site succeeds. If that works try re-enabling DNSSEC and check unboundtest again.

https://unboundtest.com/m/CAA/www.pinepenguins.space/2FXRJV3U

Picture of DNS tree showing many errors
https://dnsviz.net/d/www.pinepenguins.space/dnssec/

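The check this reply points at (does a validating resolver get a usable CAA answer for the name?) can be reproduced locally with `dig +dnssec CAA <name>`. The POSIX sh helper below is an added example, not part of the thread and not a Let's Encrypt or Certbot tool: it classifies the header of such dig output the way a validating resolver reports it (SERVFAIL is what the CA surfaces as "DNSSEC: Bogus"; an answer with the `ad` flag was validated; NOERROR without `ad` means the zone is simply unsigned) and lists the `issue` tags found. The three sample outputs are constructed and use `example.test`; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): interpret `dig +dnssec CAA <name>`
# output the way a validating resolver such as Let's Encrypt's would.

# classify_caa_lookup: prints one of bogus | nxdomain | validated | unsigned | unknown
classify_caa_lookup() {
    out="$1"
    # RCODE from the ";; ->>HEADER<<- ... status: X," line
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # header flags from the ";; flags: qr rd ra ad;" line
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo "bogus"; return 0 ;;     # validating resolver rejected the chain
        NXDOMAIN) echo "nxdomain"; return 0 ;;
        NOERROR) ;;
        *) echo "unknown"; return 1 ;;
    esac
    case " $flags " in
        *" ad "*) echo "validated" ;;           # Authenticated Data: DNSSEC chain verified
        *) echo "unsigned" ;;                   # no signatures, but the CA can still read CAA
    esac
}

# caa_issuers: prints the value of every "issue" tag in the ANSWER section
caa_issuers() {
    printf '%s\n' "$1" | grep 'IN[[:space:]]*CAA' \
        | sed -n 's/.*[[:space:]]issue[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample outputs (not captured from a real resolver).
BOGUS_SAMPLE='; <<>> DiG 9.18.1 <<>> +dnssec CAA www.example.test
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; EDE: 6 (DNSSEC Bogus)'

OK_SAMPLE='; <<>> DiG 9.18.1 <<>> +dnssec CAA example.test
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.		300	IN	CAA	0 issue "letsencrypt.org"
example.test.		300	IN	RRSIG	CAA 13 2 300 20300101000000 20290101000000 12345 example.test. c29tZXNpZw=='

UNSIGNED_SAMPLE='; <<>> DiG 9.18.1 <<>> +dnssec CAA example.test
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Stand-alone demo; with a live resolver you would pass "$(dig +dnssec CAA www.example.test)".
for s in "$BOGUS_SAMPLE" "$OK_SAMPLE" "$UNSIGNED_SAMPLE"; do
    printf 'result: %s  issuers: %s\n' "$(classify_caa_lookup "$s")" "$(caa_issuers "$s" | tr '\n' ' ')"
done
```

A `bogus` result means the problem is in the zone's DNSSEC chain (or the registrar's DS record), not in the web server or its firewall, which is exactly the distinction the security-group discussion later in this thread turns on; `unsigned` issues fine but gives no DNSSEC protection for the CAA policy.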

I managed to get the certificate after closing DNSSEC on Bluehost! Thank you so much for the help. I think the DNSSEC errors are caused by my ec2 instances only allowing TCP protocol inbound. Thanks again for the help.


No. DNS lookups are not related to your EC2, its Security Group, or its VPC.

If your EC2 security groups were blocking valid traffic you would see timeouts or connection failures for HTTP or HTTPS requests. The default is that EC2 Security groups allow all outbound traffic. Allowing TCP inbound is normal.

We know in your case your outbound HTTP(S) traffic (TCP) was okay because you made many requests to the Let's Encrypt API before it failed with the DNS lookup error. That is, we would have seen a completely different error much before the DNS lookup was even attempted.

Glad you got a cert for your www subdomain. Normally you would have also gotten a cert for the root domain pinepenguins.space too but that is not required.


I see. So you are saying it might be a problem on the Bluehost side? (the DNSSEC) Since the DNS service is provided by them.

Well, your DNS was changed and you got a cert so you have at least worked around any DNS config issues for that. Looks like Bluehost disabled DNSSEC at your domain level. You no longer get a SERVFAIL when Let's Encrypt looks up your CAA record.

Although your DNS config still does not look great, a different volunteer with better DNS insight than me will have to comment. Given you got a cert and your server is using it, that's what we focus on. Further assistance on best DNS is just us being friendly 🙂


What does "closing DNSSEC" mean?
Did you turn it off / disable it?


Yes. There's an option on Bluehost that lets you turn it off.

I see. Thank you so much for the help
