No TLS certificates could be provisioned at this time

Letsencrypt certificate expired today, and now I’m facing a problem where I cannot update the certificate manually because of the expired cert.

When I run sudo ./ssl_certificates.py -v I get this:

box.nerdycoders.com: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query box.nerdycoders.com. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL).

Nothing has changed on this box other than the certificate expiration. Because it cannot verify the server (because of the expired certificate), I cannot get a new certificate.

Does anyone know how to get around this issue?

Do you have glue records, and can ping box.nerdycoders.com from the server itself?

Yes, I can ping box.nerdycoders.com from the box. Literally, this server has run solidly for 2 years without issue until the cert expired this morning.

I’m on Digitalocean, and my DNS runs on the MIAB box. Godaddy DNS points to ns1/ns2 for this box.

Nothing has changed, only the expired cert.

Can you manually provision one?

sudo letsencrypt and follow the on-screen prompts.

Do I need to be in a specific directory? sudo letsencrypt brings back “command not found”

Running Lets Encrypt’s tool is a great way to make modifications to your box that void your warranty. :slight_smile:

Would be good to get to the root problem here. The error message is one about DNS, not about SSL certificates. So the first thing to look at is why the box can’t resolve its own hostname. Have firewall settings changed? Does running dig box.nerdycoders.com on the box work? Do the Status Checks on the /admin page come back all green? Is bind running? Do you have DNSSEC turned on (and if so is it properly configured at your registrar)?

Firewall settings have not changed, nothing has changed on this box, only the expired cert. Once the cert expired the following messages now appear.

Nameserver glue records are incorrect. The ns1.box.nerdycoders.com and ns2.box.nerdycoders.com nameservers must be configured at your domain name registrar as having the IP address 107.170.245.211. They currently report addresses of [Not Set]/[Not Set]. It may take several hours for public DNS to update after a change.

I have my DNS pointed to the IP correctly from GoDaddy and this has not changed (perhaps GoDaddy is having an issue?). All other DNS is managed on the MIAB box.

SSL/TLS message: (expired this morning shortly after midnight)
box.nerdycoders.com Certificate has a problem: The certificate has expired or is not yet valid. It is valid from 2017-12-20 08:02:01 to 2018-03-20 08:02:01.

Running dig box.nerdycoders.com

; <<>> DiG 9.9.5-3ubuntu0.17-Ubuntu <<>> box.nerdycoders.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10221
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;box.nerdycoders.com.		IN	A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 20 14:46:19 CDT 2018
;; MSG SIZE  rcvd: 48

DNSSEC is turned on at GoDaddy and properly configured.

The most likely thing then is that DNSSEC is not working. The easy solution would be to turn off DNSSEC at GoDaddy (and wait for DNS caches to clear).

Can you run

tools/dns_update

and post its output?


Output

updated DNS: nerdycoders.com,cadenallenmoore.com,channel69.info,digitalnteractive.com,flyshootedit.com,johnallenmoore.com,mooresdomain.com,pixelsfanatics.com,thequickiemart.com

That fixed the DNS issue, running tools/dns_update.

I then ran: $ sudo ./management/ssl_certificates.py and it updated the certificate just fine.

All is back to normal. Thank you for your help Josh!


Nameserver glue records are correct at registrar. [ns1/ns2.box.nerdycoders.com ↦ 107.170.245.211]

Domain resolves to box’s IP address. [box.nerdycoders.com ↦ 107.170.245.211]

Reverse DNS is set correctly at ISP. [107.170.245.211 ↦ box.nerdycoders.com]

The DANE TLSA record for incoming mail is correct (_25._tcp.box.nerdycoders.com).

Hostmaster contact address exists as a mail alias. [hostmaster@box.nerdycoders.com ↦ administrator@box.nerdycoders.com]

Domain’s email is directed to this domain. [box.nerdycoders.com ↦ 10 box.nerdycoders.com]

Postmaster contact address exists as a mail alias. [postmaster@box.nerdycoders.com ↦ administrator@box.nerdycoders.com]

Domain is not blacklisted by dbl.spamhaus.org.

TLS (SSL) certificate is signed & valid. The certificate expires in 89 days on 06/18/18.

Great!

Of course, there’s still the question why that was necessary. That script is supposed to run each night to make sure DNSSEC records are updated.

True. But I’m a happy camper still.

Oof, sorry I keep forgetting that my box is modified. Glad it’s working though!