Letsencrypt certificate expired today, now I’m facing a problem where I cannot update the certificate manually because of the expired cert.
When I run sudo ./ssl_certificates.py -v I get this:
box.nerdycoders.com: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query box.nerdycoders.com. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL).
Nothing has changed on this box other than the certificate expiration. Because it cannot verify the server (because of the expired certificate), I cannot get a new certificate.
Running Lets Encrypt’s tool is a great way to make modifications to your box that void your warranty.
Would be good to get to the root problem here. The error message is one about DNS, not about SSL certificates. So the first thing to look at is why the box can’t resolve its own hostname. Have firewall settings changed? Does running dig box.nerdycoders.com on the box work? Do the Status Checks on the /admin page come back all green? Is bind running? Do you have DNSSEC turned on (and if so is it properly configured at your registrar)?
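Following the checklist above, here is a small diagnostic script (an added example, not code from Mail-in-a-Box or from anyone in this thread) that runs the same query against the box's own resolver that the status check does and tells a resolver failure apart from an expired certificate. The `dig`, `pgrep` and `openssl` calls are standard tools; the certificate path argument is a placeholder, since the thread does not state where the box keeps it.

```shell
#!/bin/sh
# Added diagnostic helper for the situation in the thread; not part of
# Mail-in-a-Box. It separates "the local resolver is failing" from "the
# certificate expired", because the status check asks 127.0.0.1 first.

# Pull the status word (NOERROR, SERVFAIL, NXDOMAIN, ...) out of dig output.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Turn a dig status into the next thing the operator should look at.
classify_dns() {
    case "$1" in
        NOERROR)  echo "dns-ok: resolver answers; look at the certificate next" ;;
        SERVFAIL) echo "resolver-servfail: check that bind9 is running and that DNSSEC keys and DS records match" ;;
        NXDOMAIN) echo "nxdomain: the zone or record is missing from the local nameserver" ;;
        "")       echo "no-answer: nothing answered on 127.0.0.1:53 (firewall or bind9 down)" ;;
        *)        echo "unexpected-status: $1" ;;
    esac
}

# Query the box's own resolver for its hostname, exactly as the check does.
check_local_resolver() {
    out=$(dig +time=2 +tries=1 @127.0.0.1 "$1" A 2>/dev/null || true)
    classify_dns "$(printf '%s\n' "$out" | dig_status)"
}

# Report whether a certificate file is currently inside its validity window.
check_cert_file() {
    if openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo "cert-valid"
    else
        echo "cert-expired-or-unreadable"
    fi
}

# Usage: ./diag.sh box.example.com [/path/to/ssl_certificate.pem]
# (the certificate path is a placeholder, not a Mail-in-a-Box path)
if [ -n "${1:-}" ]; then
    echo "resolver: $(check_local_resolver "$1")"
    pgrep -x named >/dev/null && echo "bind9: running" || echo "bind9: not running"
    echo "cert: $(check_cert_file "${2:-/path/to/ssl_certificate.pem}")"
fi
```

A SERVFAIL from the local resolver, as in the original error, points at bind9 or DNSSEC on the box itself, so the certificate tool will keep refusing until that is fixed.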
Firewall settings have not changed, nothing has changed on this box, only the expired cert. Once the cert expired the following messages now appear.
Nameserver glue records are incorrect. The ns1.box.nerdycoders.com and ns2.box.nerdycoders.com nameservers must be configured at your domain name registrar as having the IP address 184.108.40.206. They currently report addresses of [Not Set]/[Not Set]. It may take several hours for public DNS to update after a change.
I have my DNS pointed to the IP correctly from GoDaddy and this has not changed (perhaps GoDaddy is having an issue?). All other DNS is managed on the MIAB box.
SSL/TLS message: (expired this morning shortly after midnight) box.nerdycoders.com Certificate has a problem: The certificate has expired or is not yet valid. It is valid from 2017-12-20 08:02:01 to 2018-03-20 08:02:01.
I then ran: $ sudo ./management/ssl_certificates.py and it updated the certificate just fine.
All is back to normal. Thank you for your help Josh!
Nameserver glue records are correct at registrar. [ns1/ns2.box.nerdycoders.com ↦ 220.127.116.11]
Domain resolves to box’s IP address. [box.nerdycoders.com ↦ 18.104.22.168]
Reverse DNS is set correctly at ISP. [22.214.171.124 ↦ box.nerdycoders.com]
The DANE TLSA record for incoming mail is correct (_25._tcp.box.nerdycoders.com).
Hostmaster contact address exists as a mail alias. [firstname.lastname@example.org ↦ email@example.com]
Domain’s email is directed to this domain. [box.nerdycoders.com ↦ 10 box.nerdycoders.com]
Postmaster contact address exists as a mail alias. [firstname.lastname@example.org ↦ email@example.com]
Domain is not blacklisted by dbl.spamhaus.org.
TLS (SSL) certificate is signed & valid. The certificate expires in 89 days on 06/18/18.