Error when installing SSL


#1

Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Performing the following challenges: http-01 challenge for box.hollywood-ent.com http-01 challenge for hollywood-ent.com http-01 challenge for www.hollywood-ent.com Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains. Waiting for verification… Cleaning up challenges Failed authorization procedure. box.hollywood-ent.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for box.hollywood-ent.com, www.hollywood-ent.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.hollywood-ent.com, hollywood-ent.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for hollywood-ent.com IMPORTANT NOTES: - The following errors were reported by the server: Domain: box.hollywood-ent.com Type: None Detail: DNS problem: SERVFAIL looking up A for box.hollywood-ent.com Domain: www.hollywood-ent.com Type: None Detail: DNS problem: SERVFAIL looking up A for www.hollywood-ent.com Domain: hollywood-ent.com Type: None Detail: DNS problem: SERVFAIL looking up A for hollywood-ent.com


#2

The OP and I resolved this in PM.

OP, you should now be able to obtain your certificates. Please attempt to provision the certificate again in the admin area.


#3

Just curious as to what the underlying issue was, and how it was resolved (personal details aside of course)


#4

Improperly configured DNS. Basically a typo in the name server at the registrar.

The fact that there was a DNS issue was evident by the error message:

Detail: DNS problem: SERVFAIL looking up A for box.hollywood-ent.com


#5

I seem to be having the same sort of issues but I don’t really understand where I went wrong with the dns. Initally I had setup on 0.28 and got certs installed fine. I then noticed they weren’t auto renewing so I upgraded to 0.29 but still nada. One thing I did was utilise external dns but as I can resolve fine and I initially got certs I don’t get what could be wrong. here is my log

Log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Performing the following challenges: http-01 challenge for mail.molsberry.info http-01 challenge for molsberry.info http-01 challenge for www.molsberry.info Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains. Waiting for verification… Cleaning up challenges Failed authorization procedure. www.molsberry.info (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.molsberry.info, molsberry.info (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for molsberry.info, mail.molsberry.info (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for mail.molsberry.info IMPORTANT NOTES: - The following errors were reported by the server: Domain: www.molsberry.info Type: None Detail: DNS problem: SERVFAIL looking up A for www.molsberry.info Domain: molsberry.info Type: None Detail: DNS problem: SERVFAIL looking up A for molsberry.info Domain: mail.molsberry.info Type: None Detail: DNS problem: SERVFAIL looking up A for mail.molsberry.info


#6

Check that the A records for mail.molsberry.info and www.molsberry.info are correct at Digital Ocean.
My checks and the error messages are all showing that DO is not answering requests for that domain.


#7

It looks like you just set up the MiaB … at least the unsigned cert there is less than 30 minutes old. You may simply be having a dns propagation issue. Wait a few hours and try again.


#8

I had my backed up but blew it up to try and re-create it, I’ve now reverted to old certs that expire in 2 days :frowning:


#9

Here is the zone fine I have set at DO

$ORIGIN molsberry.info.
$TTL 1800
molsberry.info. IN SOA ns1.digitalocean.com. hostmaster.molsberry.info. 1541894451 10800 3600 604800 1800
molsberry.info. 1800 IN NS ns1.digitalocean.com.
molsberry.info. 1800 IN NS ns2.digitalocean.com.
molsberry.info. 1800 IN NS ns3.digitalocean.com.
mail.molsberry.info. 14400 IN MX 10 mail.molsberry.info.
molsberry.info. 14400 IN MX 10 mail.molsberry.info.
molsberry.info. 3600 IN TXT v=spf1 mx -all
_dmarc.molsberry.info. 3600 IN TXT v=DMARC1; p=quarantine
mail._domainkey.molsberry.info. 3600 IN TXT v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl3c86Wp5nvyhSVVV0cF5/zwqxGgtIzelAhk4ckomYTOMqIZmipB+8RrVhj9/CLH4Uv2vzaY1EDzhuVp8oNH4j5f+BQQCUzcAoT7smaZBI99e8RXyrt3cRf4xRVsf8PTyjPDiTiOn7SmeDz9Rzxe6WMpjEI/Qn/2pC2WaM1sT2vnPAyn4FcVA1rJj8i6a5YBNAD6xdcuUlJsIcoIevC4kQig+rMrV08wHxxwwOnCjnossgivUcmsSDPZ6YKGQeAkobndx9SxgfXcGGvUpQ7NQdT7CccSSR8hmPtQGHZLTEA4s80m8bx2dEjQUrF7mhGgWSADuACRgYVUFvTvLsci8HQIDAQAB
_caldavs._tcp.molsberry.info. 43200 IN SRV 0 0 443 mail.molsberry.info.
_carddavs._tcp.molsberry.info. 43200 IN SRV 0 0 443 mail.molsberry.info.
mail.molsberry.info. 3600 IN TXT v=spf1 mx -all
_dmarc.mail.molsberry.info. 3600 IN TXT v=DMARC1; p=quarantine
mail._domainkey.molsberry.info. 3600 IN TXT v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl3c86Wp5nvyhSVVV0cF5/zwqxGgtIzelAhk4ckomYTOMqIZmipB+8RrVhj9/CLH4Uv2vzaY1EDzhuVp8oNH4j5f+BQQCUzcAoT7smaZBI99e8RXyrt3cRf4xRVsf8PTyjPDiTiOn7SmeDz9Rzxe6WMpjEI/Qn/2pC2WaM1sT2vnPAyn4FcVA1rJj8i6a5YBNAD6xdcuUlJsIcoIevC4kQig+rMrV08wHxxwwOnCjnossgivUcmsSDPZ6YKGQeAkobndx9SxgfXcGGvUpQ7NQdT7CccSSR8hmPtQGHZLTEA4s80m8bx2dEjQUrF7mhGgWSADuACRgYVUFvTvLsci8HQIDAQAB
ns1.mail.molsberry.info. 3600 IN TXT v=spf1 -all
_dmarc.ns1.molsberry.info. 3600 IN TXT v=DMARC1; p=reject
ns2.mail.molsberry.info. 3600 IN TXT v=spf1 -all
_dmarc.ns2.molsberry.info. 3600 IN TXT v=DMARC1; p=reject
www.molsberry.info. 3600 IN TXT v=spf1 -all
_dmarc.www.molsberry.info. 3600 IN TXT v=DMARC1; p=reject
molsberry.info. 3600 IN A 178.128.236.83
mail.molsberry.info. 3600 IN A 178.128.236.83
ns1.mail.molsberry.info. 3600 IN A 178.128.236.83
ns2.mail.molsberry.info. 3600 IN A 178.128.236.83
www.molsberry.info. 3600 IN A 178.128.236.83

I compared it the custom page (and based it off it )


#10

They look ok to me … but dns is being flakey for some reason. I can get a lookup ok from my VPN in Ireland, but not my server in Czechia.


#11

I did recently add the 2 records:

ns1.mail.molsberry.info. 3600 IN A 178.128.236.83
ns2.mail.molsberry.info. 3600 IN A 178.128.236.83

as I was getting a error about my name server glue records from the console

but still strange I was initially able to initially provision a cert but not any more


#12

Remove those from DO and ignore the error. Not ideal, but correct.
I was so focused on the www and mail subdomains that those did not even register.


#13

ok pulled them :smile:


#14

You could try again in the admin area to issue the certificate … it may work now, or it may not. In either case, MiaB will try again at 3AM, so if you are in the US in a little while.
If by this time tomorrow it doesn’t work …


#15

it still isn’t looking good, I’ve spun up a new box and migrated the data

I’m hoping once dns clears up I can pull certs again


#16

Just an FYI - Propagating NAMESERVERS and DNS records are slightly different, where both have a TTL, NAMESERVERS usually have a higher one with max of 48 hours. You might just need to set the NAMESERVER ip’s / hostnames to ns1.box.domain.local (whatever your domain for MIAB is) and then wait at least 48 before deeming it broken.

If that fails, contact your registrar (Where you have to set the NAMESERVERS) and troubleshoot with them


#17

DNS looks fine on the new box now but in all this messing around looks like I now have 2 lets encrypt accounts:

Log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Missing command line flag or config entry for this setting: Please choose an account Choices: [‘mail.molsberry.info@2018-08-16T07:02:57Z (17f3)’, ‘mail.molsberry.info@2018-11-12T18:01:47Z (9276)’]

Can anyone tell me how to kill one or both of these ?


#18

MIAB will favor one over the other, and the certs / account used that is older will just deactivate / expire on their own


#19

my certs have now expired after provisioning still on duplicate accounts I backed up and blew away “/home/user-data/ssl” and re-ran the setup script now it’s back to telling me dns errors:

Log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Performing the following challenges: http-01 challenge for mail.molsberry.info http-01 challenge for molsberry.info http-01 challenge for www.molsberry.info Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains. Waiting for verification… Cleaning up challenges Failed authorization procedure. mail.molsberry.info (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for mail.molsberry.info, www.molsberry.info (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.molsberry.info, molsberry.info (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for molsberry.info IMPORTANT NOTES: - The following errors were reported by the server: Domain: mail.molsberry.info Type: None Detail: DNS problem: SERVFAIL looking up A for mail.molsberry.info Domain: www.molsberry.info Type: None Detail: DNS problem: SERVFAIL looking up A for www.molsberry.info Domain: molsberry.info Type: None Detail: DNS problem: SERVFAIL looking up A for molsberry.info

This is even with me running a nslookup on the box verifying the dns locally as well as the control panel showing dns is resolving fine


#20

Well you know letsencrypt script goes to let’s encrypts servers to do the DNS look up, if they cannot find a valid A record for your domain then something is wrong here. I’d confirm that the NS (or GLUE depending on registrar) records are actually pointing to your MIAB install.