I'm hosting a website on AWS. I created SSL certificates through letsencrypt for my domain xxxxx.com as well as www.xxxxx.com. (Throughout this post I'm putting 'xxxx's for potentially sensitive information, but if the information is required to help I can give it).

A week or so ago the certificates expired. I'm trying to renew the certificates and this is what I'm getting:

```
ubuntu:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/xxxxx.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxxxx.com
tls-sni-01 challenge for www.xxxxx.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (xxxxx.com) from /etc/letsencrypt/renewal/xxxxx.com.conf produced an unexpected error: Failed authorization procedure. www.xxxxx.com (tls-sni-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.xxxxx.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxxxx.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxxxx.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.xxxxx.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up A for www.xxxxx.com
```

My initial thought, obviously, is that something is wrong with my A records. But running a dig command finds:

```
ubuntu:~$ dig xxxxx.com any

xxxxx.com.  60  IN  TXT "MS=msxxxxxx"
xxxxx.com.  60  IN  MX  0 xxxxx.mail.protection.outlook.com.
xxxxx.com.  60  IN  SOA ns-xxxx.awsdns-xx.org. awsdnshostmaster.amazon.com. x xxxx xxxx xxxxx xxxxx
xxxxx.com.  60  IN  NS  ns1.bdm.microsoftonline.com.
xxxxx.com.  60  IN  NS  ns2.bdm.microsoftonline.com.
xxxxx.com.  60  IN  NS  ns3.bdm.microsoftonline.com.
xxxxx.com.  60  IN  NS  ns4.bdm.microsoftonline.com.
xxxxx.com.  60  IN  A   xx.xx.xxx.xxx
```

And:

```
ubuntu:~$ dig www.xxxxx.com any

www.xxxxx.com.  60  IN  A   xx.xx.xxx.xxx
```

So it seems A records are present. Is it that I don't have NS records for the www version of my domain? I'm not sure how to fix this problem. Thanks!

  • Can you give us the domain? Was the `www` record set up only recently? – ceejayoz Jul 12 '18 at 14:17
  • The domain is fileflorida.com. The www was set up at the same time as the other. Although at some point I had to configure things to set up email, and I may have messed something up. – cracka31 Jul 12 '18 at 14:20
  • I don't get an `A` record for your `www`. That's your problem. Not sure why you're getting one in `dig any www.fileflorida.com`, but I don't see a record in any of your four nameservers. – ceejayoz Jul 12 '18 at 14:21
  • But then why is an A record showing when I run dig www.xxx.com? Also could you help inform me how to get an A record? Thanks! – cracka31 Jul 12 '18 at 14:22
  • I don't know why you're getting one - I don't. You set it up the same way you set up the non-www records - in your DNS provider's control panel. – ceejayoz Jul 12 '18 at 14:22
  • I'm hosting using AWS route 53. I see the 4 NS records for fileflorida.com, an A record for fileflorida.com, and an A record for www.fileflorida.com. Are you saying I need to copy the 4 NS records for www.fileflorida.com as well? – cracka31 Jul 12 '18 at 14:29
  • You are **not** using Route 53. `dig ns fileflorida.com` reports your nameservers are currently `ns1.bdm.microsoftonline.com.`, `ns2.bdm.microsoftonline.com.`, `ns3.bdm.microsoftonline.com.`, and `ns4.bdm.microsoftonline.com.`. If you want to use Route 53, you'll have to put the four Route 53 nameservers they gave you into your registrar's control panel as the nameservers for the domain. At this time, any Route 53 configuration you have done is being ignored entirely. – ceejayoz Jul 12 '18 at 14:31
  • At some point I followed instructions to change the NS records in order to configure with microsoft office 365. I changed the records in route 53. I still want to be configured with microsoft. Can I do this by editing records in route 53? – cracka31 Jul 12 '18 at 14:37
  • If you've pointed the domain at Microsoft's nameservers, you'll have to configure your records there. – ceejayoz Jul 12 '18 at 15:28
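A way to automate the check ceejayoz did by hand in the comments above (ask each nameserver the zone is delegated to directly, instead of trusting the local resolver's answer), added here as an illustration and not code from the question or its commenters. It shells out to `dig`; the `example.com` names and the 203.0.113.10 address used below are placeholders, and the injectable `query` parameter exists so the logic can be exercised without network access.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional

# A query returns the RDATA strings of the answer, [] for an empty (NODATA)
# answer, or None when the server responds NXDOMAIN.
Query = Callable[[str, str, Optional[str]], Optional[List[str]]]

def dig_query(name: str, rtype: str, server: Optional[str] = None) -> Optional[List[str]]:
    """Ask the local resolver (server=None) or one nameserver directly via dig."""
    cmd = ["dig", "+noall", "+comments", "+answer", "+time=3", "+tries=1"]
    if server:
        cmd += ["@" + server, "+norecurse"]  # an authoritative server needs no recursion
    cmd += [name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    status = re.search(r"status: (\w+)", out)
    if status and status.group(1) == "NXDOMAIN":
        return None
    # Answer lines look like: "name. ttl IN A 203.0.113.10"; keep the RDATA part.
    return [" ".join(l.split()[4:]) for l in out.splitlines()
            if l and not l.startswith(";") and len(l.split()) >= 5]

def check_delegation(name: str, zone: str, query: Query = dig_query) -> Dict[str, object]:
    """Compare what the local resolver says about `name` with what every
    nameserver delegated for `zone` says when asked directly. A CA validating
    an ACME challenge follows the delegation, not the admin's resolver cache."""
    local = query(name, "A", None)
    nameservers = sorted(query(zone, "NS", None) or [])
    answers = {ns: query(name, "A", ns) for ns in nameservers}
    missing = [ns for ns, ans in answers.items() if not ans]  # NXDOMAIN or NODATA
    if not nameservers:
        verdict = "no NS records found for %s; check the delegation at the registrar" % zone
    elif missing and local:
        verdict = ("local resolver has an A record but %d/%d delegated nameservers do not; "
                   "the record lives in a zone the delegation does not point at"
                   % (len(missing), len(nameservers)))
    elif missing:
        verdict = "A record missing everywhere; add it in the zone the delegation points at"
    else:
        verdict = "consistent: all delegated nameservers serve the A record"
    ok = bool(nameservers) and not missing
    return {"local": local, "nameservers": answers, "ok": ok, "verdict": verdict}

if __name__ == "__main__":
    import json, sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder default
    zone = host.split(".", 1)[1] if host.startswith("www.") else host
    print(json.dumps(check_delegation(host, zone), indent=2))
```

In the situation described above, the local resolver would return an address for `www` while all four `microsoftonline.com` nameservers return NXDOMAIN, which is exactly the mismatch the verdict reports.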
