
Please correct me if I am wrong, since I am a newbie to all things server.

I have a website example.com hosted at host A. I want to create a subdomain sub.example.com on host B - an EC2 instance in this case. Now I did this by changing the A record on my subdomain to point at the Elastic IP of this EC2 instance. I visit sub.example.com and it works. Yay.

However, when I try to add an SSL certificate using Let's Encrypt I get the error:

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

https://www.whatsmydns.net/ gives me full ticks on all DNS servers.

https://dnschecker.org/all-dns-records-of-domain.php shows that I have two IP addresses for the same domain name. One is the EC2 instance, the other is the main domain IP.

https://letsdebug.net/ gives the warning:

WARNING
sub.example.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=ec2.ip.addr,Address Type=IPv4,Server=nginx/1.10.3 (Ubuntu),HTTP Status=404] vs [Address=main.domain.ip.addr,Address Type=IPv4,Server=nginx,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404]

Where is my mistake in all of this? Am I missing something glaringly obvious? How can I either create the right SSL cert for the subdomain, or remove the incorrect IP address from my subdomain such that it still points to the EC2 instance?

Is this even possible? Many thanks

1 Answer


There are currently two A records for your subdomain. Let's Encrypt needs to verify both addresses before issuing a new certificate. Just remove the duplicate one, leaving the one of your EC2 instance.

Piotr P. Karwasz
  • Wow, thank you. Didn't realise it kept the previous A record. Is there any situation when you might want to have 2 IPs for one (sub)domain? – Yiorgos Makridakis Mar 18 '20 at 06:57
  • @YiorgodMakridakis There are a few situations where you might have multiple A records for a domain. Fairly crude but easy to do load balancing, multiple servers serving the same content in different geographical areas (combined with geo-based DNS) are 2 that spring to mind immediately. – davidgo Mar 18 '20 at 08:54
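
The comparison letsdebug.net reports in the question can be reproduced before requesting a certificate. This is an added example, not part of the original answer or comments: it resolves every A/AAAA record for a name and requests an ACME challenge path from each address separately. The function names and the challenge token are assumptions made for illustration.

```python
import http.client
import socket
import sys

# Constructed token name; any path under /.well-known/acme-challenge/ works for comparison.
CHALLENGE_PATH = "/.well-known/acme-challenge/consistency-check"


def resolve_all(host):
    """Return every distinct A/AAAA address the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe(address, host, timeout=5):
    """Fetch the challenge path from one specific address with the real Host header.

    Returns (status, Server header) of the first response; redirects are not followed.
    """
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH, headers={"Host": host})
        resp = conn.getresponse()
        return (resp.status, resp.getheader("Server", ""))
    except (OSError, http.client.HTTPException) as exc:
        return ("error", type(exc).__name__)
    finally:
        conn.close()


def check(host, resolve_fn=resolve_all, probe_fn=probe):
    """Probe every address for host; consistent is True when all answers match."""
    results = {addr: probe_fn(addr, host) for addr in resolve_fn(host)}
    return results, len(set(results.values())) <= 1


if __name__ == "__main__":
    name = sys.argv[1]
    results, consistent = check(name)
    for addr, (status, server) in results.items():
        print(f"{addr}: status={status} server={server}")
    if len(results) > 1 and not consistent:
        print("Addresses answer differently: HTTP-01 validation can hit the wrong server.")
```

Run it with the hostname as the only argument; once the stale A record is gone and caches have expired, a single address should be listed.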