Letsencrypt - Could not verify domain

Discussion in 'General' started by seopower, Feb 25, 2023.

  1. seopower

    seopower New Member

    Server: Ubuntu 18.04.2 LTS Bionic Beaver

    I am having a strange error for one particular website, where Letsencrypt is not able to verify the domain for some reason. Things I have tried so far are:

    - Domain correctly resolves to IP address using tools like mxtoolbox etc.
    - DNS settings are correctly pointing to IP's (IPV4 & IPV6) of my hosting (AAAA).
    - When running /usr/local/ispconfig/server/server.sh log, following output comes:
    Code:
    25.02.2023-16:52 - WARNING - Could not verify domain liafi1964.in, so excluding it from letsencrypt request.
    25.02.2023-16:52 - WARNING - Could not verify domain www.liafi1964.in, so excluding it from letsencrypt request.
    25.02.2023-16:52 - WARNING - Let's Encrypt SSL Cert for: liafi1964.in could not be issued.
    - When I checked the SSL option "Skip Lets Encrypt Check", the following log comes:
    Code:
    Attached as txt file
    
    - Then, following one of the threads on the forum, I tried /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/hello.txt
    - And I am able to see the content of hello.txt using the following URL: http://liafi1964.in/.well-known/acme-challenge/hello.txt

    Now I am lost, don't know what's going wrong with this domain. I have several domains with letsencrypt SSL running smoothly but this domain is not working. Any help please?
     

    Attached Files: le.txt (32.3 KB)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig excluded the domains as they are unreachable, you then told ISPConfig to not check domains but run Let's Encrypt, and Let's Encrypt was also not able to reach the domains due to missing or wrong DNS records. So ISPConfig was correct to exclude the domains from the LE cert, therefore you should enable the skip letsencrypt check again, as it worked correctly.

    Next step is to fix your DNS records, the reason can also be AAAA Records and not just A records, when your system uses IPv6. Or you did not wait long enough, it may sometimes take up to 24 hours until DNS changes are propagated to all mirrors, especially when you switched to a different DNS server with that zone. You can check DNS e.g. at intodns.com
     
  3. seopower

    seopower New Member

    This domain was transferred from Google Domains to Resellerclub on 15th Feb. Normally NS records get updated within a couple of days, but upon checking it seems it's still pointing to the NS records of Google Domains (which I changed before the transfer to ns1.linode.com and so on, but mistakenly added ns5.linode.com, which does not exist, and it's still showing ns5, whereas in Resellerclub I added up to ns4 only).
     
  4. seopower

    seopower New Member

    Is there any way I can manually create SSL certs for my domain?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, but this will be a self-signed SSL cert then, or you have to buy an SSL cert at an SSL certification authority. Self-signed SSL certificates, and also SSL certificate requests to buy an SSL cert, can be created on the SSL tab of the website: enter the details in the fields at the top of the page, then select "create certificate" as action in the action field at the bottom and press save. You will then get a self-signed SSL cert after about 60 seconds. This also creates a certificate signing request that you can use to buy an SSL cert.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    But just to mention it, you can't use the site live anyway before you get the DNS issue fixed, as many users will fail to reach your site in the same way Let's Encrypt failed to reach it. And when DNS is ok, then you can get a Let's Encrypt cert too.
     
  7. seopower

    seopower New Member

    It's as simple as with any other domain:
    1. Domain was transferred 12 days back
    2. With new registrar I am having NS records as ns1.linode.com, ns2..., ns3..., ns4... showing correctly
    3. In linode domain manager I have created domain mapping my ISPCONFIG server IPs
    4. In ISPCONFIG I have created same domain with all correct details
    5. Hosted my site and site is working very well without https
    6. But when I try LE SSL it says:

      Code:
      Failed authorization procedure. www.liafi1964.in (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up AAAA for www.liafi1964.in - the domain's nameservers may be malfunctioning, liafi1964.in (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for liafi1964.in - the domain's nameservers may be malfunctioning
    7. Ping to the site from any location gives 0 packet loss with the IP showing my ISPCONFIG server
    Now I am lost ... no idea whatsoever about what's going wrong and why LE is not able to verify my domain?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    You know why it fails. You explained it even to me in post #3. You won't get a LE cert until you have a valid and working DNS setup, meaning that ALL DNS servers must be valid and responding, not just some servers. Look up your domain at intodns.com and fix the errors mentioned there before you try to get a LE cert.
     
  9. remkoh

    remkoh Active Member

    The DNS config is a mess.
    Looks like ns1 and ns2.godaddy.com are listed as dns servers for the domain and they don't contain any records for the domain.
    No wonder LE can't issue a certificate.
     
  10. seopower

    seopower New Member

    Where did you get that info? https://intodns.com/liafi1964.in is now showing everything right.
     
  11. seopower

    seopower New Member

    Not working still, even after more than a month since the transfer.

    https://intodns.com/liafi1964.in is showing everything correct but LE is not able to verify this domain.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Post the debug output for activating LE now (see let's encrypt FAQ post).
     
  13. seopower

    seopower New Member

    Please find the DEBUG log attached.
     

    Attached Files: log.txt (5.1 KB)
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Here is the error:

    The IPv4 and IPv6 records for liafi1964.in and www.liafi1964.in are incorrect or missing. And Let's Encrypt is right about this, I just queried for the domains and they do not have valid DNS records.

    Code:
    root@server1:~# dig liafi1964.in
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> liafi1964.in
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50726
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;liafi1964.in.                  IN      A
    
    ;; Query time: 121 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Wed Mar 29 10:55:55 CEST 2023
    ;; MSG SIZE  rcvd: 41
    
    root@server1:~# dig www.liafi1964.in
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> www.liafi1964.in
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15373
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.liafi1964.in.              IN      A
    
    ;; Query time: 248 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Wed Mar 29 10:56:01 CEST 2023
    ;; MSG SIZE  rcvd: 45
    So the original problem that you do not have valid DNS records still persists. Fix your DNS and you will get a LE cert.
     
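The dig output above is the whole diagnosis: a SERVFAIL from the resolver means Let's Encrypt cannot even find an address to connect to, so the http-01 challenge never reaches the web server, no matter how well the acme-challenge directory is served. The following added example (my own code, not part of ISPConfig or certbot) shows the pre-flight check a deployment script can run before requesting a certificate: it parses the header section of `dig` replies, exactly as quoted in this post, and refuses to proceed unless every hostname returns NOERROR for both A and AAAA lookups and publishes at least one address record. It also pulls the failing name and record type out of the certbot error text quoted earlier in the thread. The healthy reply for `example.test` is constructed for the demonstration; the two SERVFAIL replies are trimmed copies of the ones quoted above.

```python
"""Pre-flight DNS readiness check for an ACME http-01 request.

Added example for this thread; not ISPConfig or certbot code. It parses only
the header lines of `dig` replies and applies the rule ISPConfig follows:
exclude any hostname whose DNS is not clean from the Let's Encrypt request.
"""
import re
from dataclasses import dataclass


@dataclass
class DigResult:
    qname: str
    qtype: str
    status: str    # NOERROR, SERVFAIL, NXDOMAIN, ...
    answers: int   # ANSWER count from the flags line
    server: str    # resolver that produced the reply


_STATUS_RE = re.compile(r"status:\s*(\w+)")
_ANSWER_RE = re.compile(r"ANSWER:\s*(\d+)")
_QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\w+)\s*$", re.M)
_SERVER_RE = re.compile(r";; SERVER:\s*(\S+)")


def parse_dig(output: str) -> DigResult:
    """Extract status, answer count and the question from one dig reply."""
    status = _STATUS_RE.search(output)
    answers = _ANSWER_RE.search(output)
    question = _QUESTION_RE.search(output)
    if not (status and answers and question):
        raise ValueError("not a dig reply header")
    server = _SERVER_RE.search(output)
    return DigResult(
        qname=question.group(1).rstrip(".").lower(),
        qtype=question.group(2).upper(),
        status=status.group(1).upper(),
        answers=int(answers.group(1)),
        server=server.group(1) if server else "?",
    )


def dns_ready_for_acme(results):
    """Return (ready, problems) for a set of A/AAAA lookups.

    A NOERROR reply with zero answers for AAAA is fine (no IPv6 published);
    a SERVFAIL on either type blocks the request, because the CA will hit
    the same failure and report 'the domain's nameservers may be malfunctioning'.
    """
    problems = []
    by_name = {}
    for r in results:
        by_name.setdefault(r.qname, {})[r.qtype] = r
    for name, lookups in sorted(by_name.items()):
        for qtype in ("A", "AAAA"):
            r = lookups.get(qtype)
            if r is None:
                problems.append(f"{name}: no {qtype} lookup result")
            elif r.status != "NOERROR":
                problems.append(f"{name}: {r.status} looking up {qtype} (server {r.server})")
        if not any(l.status == "NOERROR" and l.answers > 0 for l in lookups.values()):
            problems.append(f"{name}: no A or AAAA record published")
    return (not problems, problems)


_ACME_DNS_RE = re.compile(r"(\w+) looking up (\w+) for (\S+)")


def acme_dns_failures(message: str):
    """Pull (rcode, rrtype, name) triples out of a certbot DNS error message."""
    return [(m.group(1), m.group(2), m.group(3).rstrip(".")) for m in _ACME_DNS_RE.finditer(message)]


# Trimmed copies of the two replies quoted in this post.
SERVFAIL_APEX = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;liafi1964.in.                  IN      A
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
SERVFAIL_WWW = SERVFAIL_APEX.replace(";liafi1964.in.  ", ";www.liafi1964.in.").replace("50726", "15373")

# Constructed healthy replies: A record present, AAAA answered cleanly with none.
OK_A = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.test.                  IN      A
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""
OK_AAAA = OK_A.replace("ANSWER: 1", "ANSWER: 0").replace("IN      A", "IN      AAAA")

if __name__ == "__main__":
    ready, problems = dns_ready_for_acme([parse_dig(SERVFAIL_APEX), parse_dig(SERVFAIL_WWW)])
    print("thread domains ready:", ready)
    for p in problems:
        print("  -", p)
    print("constructed domain ready:", dns_ready_for_acme([parse_dig(OK_A), parse_dig(OK_AAAA)])[0])
```

In a real deployment the two sample strings would be replaced by the captured output of `dig <name> A` and `dig <name> AAAA`, ideally run once against each authoritative nameserver (`dig @ns1... `), since, as post #8 says, every listed nameserver must answer, not just one.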
  15. seopower

    seopower New Member

    Well, it's clear that it's a DNS problem, but the question is how to fix that?

    - I have correct DNS records on domain providers panel
    - Correctly created in Linode hosting panel
    - Correct IPV4 and IPV6 are there on Linode panel
    - Website works fine without SSL

    (attached screenshot: Untitled.jpg)
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Your problem is not an ISPConfig issue. Contact the support of your DNS provider and ask them.
     