✓ Solved

Not able to set up SSL on Linode using certbot?

I have configured DNS, and when I do `dig www.mydomain.com ANY` I am able to see all the records (A, AAAA, CAA, etc.).
Now if I do `dig mydomain.com ANY` I get a server timeout message. I am able to access the website on mydomain.com and www.mydomain.com; it is a React app served by NGINX, for which I am trying to set up SSL using certbot.

certbot error message:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.mydomain.com
  Type:   caa
  Detail: CAA record for www.mydomain.com prevents issuance

  Domain: mydomain.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for mydomain.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for mydomain.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

7 Replies

✓ Best Answer

Thank you! :-)

You have two problems:

First, the zone in the Linode DNS manager is named "www.deferapp.com", but it should be named "deferapp.com". As it is, deferapp.com does not resolve, www.deferapp.com resolves, and even www.www.deferapp.com resolves.

I haven't tried it, but I think you can use the "Edit" button in the DNS manager to rename your zone. Failing that, I guess you could clone it and delete the old one.

Second, your CAA records prevent Let's Encrypt from issuing certificates.

www.deferapp.com.       86400   IN      CAA     0 issue "www.deferapp.com"
www.deferapp.com.       86400   IN      CAA     0 issue "deferapp.com"

The domain in the CAA issue record should be the domain of a CA you want to allow to issue certificates, not the domain you want to issue certificates for. For Let's Encrypt, you need:

0 issue "letsencrypt.org"
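To make the CAA rule above concrete, here is an added worked example (not code from the thread or from Linode) that models the RFC 8659 lookup: a CA climbs from the requested name toward the root, uses the CAA RRset of the closest name that has one, and then checks whether its own issuer domain appears in an `issue` (or, for wildcards, `issuewild`) record. The zone data is constructed for the example: `BROKEN_ZONE` mirrors the two records quoted above, and `FIXED_ZONE` shows the corrected record placed at the zone apex `deferapp.com`, which also covers `www.deferapp.com` through the ancestor walk. `letsencrypt.org` is the issuer domain named in the answer.

```python
"""Evaluate whether a CAA RRset permits a given CA to issue for a name.

Implements the RFC 8659 relevant-RRset lookup (closest ancestor with CAA
records wins) and the issue/issuewild check. All zone data below is
constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]   # (flags, tag, value) as in the zone file
Zone = Dict[str, List[CaaRecord]]  # owner name (FQDN with trailing dot) -> records

# Constructed: the records quoted in the answer. The issuer domains are the
# site's own names, so no real CA matches and issuance is refused.
BROKEN_ZONE: Zone = {
    "www.deferapp.com.": [
        (0, "issue", "www.deferapp.com"),
        (0, "issue", "deferapp.com"),
    ],
}

# Constructed: the corrected record at the zone apex, naming the CA.
FIXED_ZONE: Zone = {
    "deferapp.com.": [
        (0, "issue", "letsencrypt.org"),
    ],
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def _parent(name: str) -> Optional[str]:
    """Strip the leftmost label; return None at a single-label name."""
    labels = name.rstrip(".").split(".")
    if len(labels) <= 1:
        return None
    return ".".join(labels[1:]) + "."


def relevant_caa(zone: Zone, name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """RFC 8659 s3: the relevant RRset is the first one found at the name
    itself or at the nearest ancestor that has CAA records."""
    owner: Optional[str] = name if name.endswith(".") else name + "."
    while owner is not None:
        if zone.get(owner):
            return owner, zone[owner]
        owner = _parent(owner)
    return None, []


def ca_permitted(zone: Zone, name: str, ca_domain: str,
                 wildcard: bool = False) -> Tuple[bool, str]:
    """Return (permitted, reason) for a CA identified by ca_domain wanting to
    issue for `name` (pass the name without the leading '*.' and set
    wildcard=True for a wildcard request)."""
    owner, rrset = relevant_caa(zone, name)
    if owner is None:
        return True, "no CAA records at any level: CAA does not restrict issuance"

    # A record flagged critical (bit 7) with a tag the CA does not understand
    # forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"{owner} has a critical CAA record with unknown tag {tag!r}"

    # For wildcard requests issuewild takes precedence when present;
    # otherwise the issue records apply.
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"

    relevant = [r for r in rrset if r[1].lower() == tag]
    if not relevant:
        return True, f"{owner} has no {tag} records: CAA does not restrict issuance"

    allowed = set()
    for _, _, value in relevant:
        # The issuer domain precedes any ';'-separated parameters; a bare ';'
        # means "no CA may issue".
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer:
            allowed.add(issuer)

    if ca_domain.lower() in allowed:
        return True, f"{owner} permits {ca_domain} via {tag}"
    who = ", ".join(sorted(allowed)) or "no CA"
    return False, f"{owner} {tag} records permit {who}; {ca_domain} may not issue"


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        for host in ("www.deferapp.com", "deferapp.com"):
            ok, why = ca_permitted(zone, host, "letsencrypt.org")
            print(f"{label:6} {host:18} {'PERMIT' if ok else 'REFUSE'}: {why}")
```

Running it shows the broken zone refusing `www.deferapp.com` for `letsencrypt.org`, which is exactly the `caa` failure certbot reported, while the fixed apex record permits both names. The same function can be pointed at a live zone by filling the dictionary from `dig CAA` output before re-running certbot.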

> First, the zone in the Linode DNS manager is named "www.mydomain.com", but it should be named "mydomain.com". As it is, mydomain.com does not resolve, www.mydomain.com resolves, and even www.www.mydomain.com resolves.

Not able to understand how come mydomain.com and www.mydomain.com are both working in the browser, then?

Good question. I don't know.

If you just changed to Linode DNS, you might have cached DNS records from your previous provider.

Your browser might be rewriting deferapp.com to www.deferapp.com.

You might have it in your hosts file or something.

> You might have it in your hosts file or something.

I think nginx by default is doing that, not sure.

> If you just changed to Linode DNS, you might have cached DNS records from your previous provider.

No, nothing like that, doing everything for the first time :)

@mnordhoff0 If you don't mind, can you change the domain to mydomain.com? Thanks :)
