Hi everyone, i got a problem with lets encrypt. When i press “Provision” to create my ssl certificates.
And system give me a log:
system got a problem with : challenges: http-01 challenge for autoconfig.my domain, autodiscover.mydomain, for my domain etc. Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains. Waiting for verification… Cleaning up challenges Failed authorization procedure. mydomain (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for mydomain .
Im using namecheap domain and i cant input the CAA record because system says me to change my nameserver config, but if i do this custom dns such as ns1.mydomain, ns2.mydomain will disappear.
Why is there a check for a CAA record?
i dont know , I am just setting things up as shown in the setup guide. And on moment of ssl certificate it start
On the ‘Status Checks’ page in the dashboard, what errors are reported?
system:
The ssh server on this machine permits password-based login
my domain:
mta-sts policy is missing
the ssl certificate for this domain is currently self signed
dnssec record is not set
also input in my custom dns settings [ns1.mydomain] and ns2 … And system tells me that all is correct. But i gote another problem, when i trying to input the dnssec in my namecheap domain system show me problem that my custom dns records isnt created or working
Did you create an keypair for SSH login?
yes, like showed in guide
Are you able to log into the server via SSH using the keypair?
Verify you can log into the server using SSH keypair, then change the following:
sudo nano /etc/ssh/sshd_config
Change or verify:
PermitRootLogin no
PasswordAuthentication no
Restart ssh
:
sudo service ssh restart
Do not log out of the current session.
In a new terminal window from your local computer, create a new ssh
session to verify you can log in with the new sshd
settings. If you can do this successfully, reload the ‘Status Checks’ page and the password-based login error should be cleared.
i dont understand why i need this for now, because i always connect via putty, right now i have a problem with my ssl certificate and CAA records on my sub domains that mailinabox created for me
To clear the DNSSEC related errors, log into Namecheap and navigate to your domain’s ‘Advanced DNS’ page.
Set DNSSEC Status to enabled.
Click ‘ADD NEW DS’.
From the ‘Status Checks’ page of the MiaB dashboard, under box.example.com
there should be an error “This domain’s DNSSEC DS record is not set.” Click ‘show more’ to unhide the key options.
Use the settings from ‘Option 1’.
Copy and paste the ‘Key Tag’ from the dashboard into the new DS record in Namecheap.
Select 13 ECDSA/SHA-256 for the ‘Algorithm’.
Select 2 SHA-256 for the ‘Digest Type’.
Copy the ‘Digest’ long string of characters and paste in to ‘Digest’ box in the Namecheap dashboard.
Click ‘SAVE ALL CHANGES’ and your DNSSEC should now be configured correctly.
yes, but if i do this, system says that my ns1 and ns2.mydomain.com record is ofset or not working …
This is exactly why you need this.
Your server is on the public IP space and will experience huge amounts of brute force password attempts. Once the bots discover your server permits password log in, the flock to it in ever higher numbers.
PuTTY protects you from nothing. What protects you is logging in using a keypair and disabling password log in.
I’m not sure what you mean by this, but you are only enabling DNSSEC and configuring the settings. It has nothing to do with the domain’s name server or anything else.
sometimes i got this problem, i dont know why, maybe because system does not have time to accept changes and show me this problem
I’m afraid I’m not clear on what you mean, but I can tell you I have used Namecheap on many domains, and this is how you configure DNSSEC with Namecheap.
I think you do not actually have an issue related to a CAA record.
What I think might be happening is every certificate issued by Let’s Encrypt requires verification of a CAA record. When no CAA record exists, it is assumed that CAA records are not configured and issues a certificate. When a CAA record exists, it verifies issuing a certificate will conform to the CAA record. However, when the DNS server is broken, Let’s Encrypt cannot verify if a CAA record even should exist, so the check fails.
Your DNS server is currently broken because DNSSEC is configured wrongly.
From letsencrypt.org:
SERVFAIL
One of the most common errors that people encounter is SERVFAIL. Most often this indicates a failure of DNSSEC validation. If you get a SERVFAIL error, your first step should be to use a DNSSEC debugger like dnsviz.net. If that doesn’t work, it’s possible that your nameservers generate incorrect signatures only when the response is empty. And CAA responses are most commonly empty. For instance, PowerDNS had this bug in version 4.0.3 and below.
If you don’t have DNSSEC enabled and get a SERVFAIL, the second most likely reason is that your authoritative nameserver returned NOTIMP, which as described above is an RFC 1035 violation; it should instead return NOERROR with an empty response. If this is the case, file a bug or a support ticket with your DNS provider.
Lastly, SERVFAILs may be caused by outages at your authoritative nameservers. Check the NS records for your nameservers and ensure that each server is available.
I can see that your domain is now signed, but it looks like the digest you entered is not correct because none of the DNS tools are able to verify against it. You can check this using the DNSSEC Debugger link from the DNSViz report on your domain.
In your dashboard domain key options you should see something like:
example.com. 3600 IN DS 85407 13 2
stw3t8avpcgqjap812xzk1fn0rf02owcbkzpemtjfogzx0ht9lvheaagzzptitej
This is the string of characters to enter into the Namecheap ‘Digest’ box.
Its was done already, but when i config the dnssec, my dash bord status said that my custom domain name ns1\ns2.mydomain.com: Nameserver glue records are incorrect. I try to recreate this nameservers but nothing changed at all
The MiaB default name server records are:
ns1.box.example.com
ns2.box.example.com
This what you currently have configured for your domain name server and DNSSEC shows signedDelegation
, which means it is at least configured at the registrar.
You have the correct ports open and they are responding.
Have you done anything other than use a completely fresh install of Ubuntu 18.04 and then run the MiaB install scripts?