
I'm hosting a website on AWS. I created SSL certificates through letsencrypt for my domain xxxxx.com as well as www.xxxxx.com. (Throughout this post I'm putting 'xxxx's for potentially sensitive information, but if the information is required to help I can give it).

A week or so ago the certificates expired. I'm trying to renew the certificates and this is what I'm getting:

ubuntu:~$ sudo certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/xxxxx.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxxxx.com
tls-sni-01 challenge for www.xxxxx.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (xxxxx.com) from /etc/letsencrypt/renewal/xxxxx.com.conf produced an unexpected error: Failed authorization procedure. www.xxxxx.com (tls-sni-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.xxxxx.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxxxx.com/fullchain.pem (failure)



All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxxxx.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.xxxxx.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up A for www.xxxxx.com

My initial thought, obviously, is that something is wrong with my A records. But running a dig command gives:

ubuntu:~$ dig xxxxx.com any

xxxxx.com.  60  IN  TXT "MS=msxxxxxx"
xxxxx.com.  60  IN  MX  0 xxxxx.mail.protection.outlook.com.
xxxxx.com.  60  IN  SOA ns-xxxx.awsdns-xx.org. awsdnshostmaster.amazon.com. x xxxx xxxx xxxxx xxxxx
xxxxx.com.  60  IN  NS  ns1.bdm.microsoftonline.com.
xxxxx.com.  60  IN  NS  ns2.bdm.microsoftonline.com.
xxxxx.com.  60  IN  NS  ns3.bdm.microsoftonline.com.
xxxxx.com.  60  IN  NS  ns4.bdm.microsoftonline.com.
xxxxx.com.  60  IN  A   xx.xx.xxx.xxx

And:

ubuntu:~$ dig www.xxxxx.com any

www.xxxxx.com.  60  IN  A   xx.xx.xxx.xxx

So it seems the A records are present. Is it that I don't have NS records for the www version of my domain? I'm not sure how to fix this problem. Thanks!

cracka31
  • I think this would fit better on Server Fault since it’s a server configuration issue and not a programming issue. But check their help section first and do a search if there’s any similar questions already – Sami Kuhmonen Jul 12 '18 at 13:14
  • Well, you are missing an A zone for www.xxxxx.com. – dkasipovic Jul 12 '18 at 13:58
  • Thanks @DamirKasipovic . Can you elaborate on that? How do I go about fixing that? – cracka31 Jul 12 '18 at 14:18
  • What do you gain (besides having less good answers) by (badly) obfuscating the name? – Patrick Mevzek Jul 14 '18 at 03:08
  • Do not use the `ANY` pseudo record type it certainly does not do what you think it does, it is a poor and misleading troubleshooting tool. When you use `dig` always specify with `@` which nameserver you query. You should start by querying the authoritative ones and then only the recursive ones. – Patrick Mevzek Jul 14 '18 at 03:09
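A pre-flight check that follows the advice in the comments above, added here as an example and not code from the question, the answer or certbot: for every name the certificate covers, query the zone's own authoritative nameservers for an A record (the way the ACME validation server will, rather than trusting the local recursive resolver's cache), and report NXDOMAIN, an empty NOERROR answer, or a usable record. The nameserver name `ns1.example.invalid`, the names under `example.com`, the IP `192.0.2.10` and the embedded dig output are all constructed placeholders; `run_dig` shells out to the real `dig` for live use.

```python
"""Check, via the authoritative nameservers, that every certificate name resolves.

Added example (not from the original post). Sample nameserver, names, IP and dig
output are constructed; use run_dig (the default) with your zone's real NS names.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# dig header line, e.g. ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345"
STATUS_RE = re.compile(r"status: ([A-Z]+)")
# Answer-section lines, e.g. "www.example.com.  60  IN  A  192.0.2.10"
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$", re.M)

DigFn = Callable[[str, str, str], str]


def run_dig(server: str, name: str, rtype: str) -> str:
    """Query one specific nameserver (dig @server) and return dig's text output."""
    cmd = ["dig", "@" + server, name, rtype, "+noall", "+comments", "+answer"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_dig(output: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (rcode, [(owner, type, rdata), ...]) parsed from dig's output."""
    m = STATUS_RE.search(output)
    status = m.group(1) if m else "NORESPONSE"
    records = [(o.rstrip("."), t, v.rstrip(".")) for o, t, v in ANSWER_RE.findall(output)]
    return status, records


def verdict(output: str) -> str:
    """Classify one dig response the way the certbot error above would see it."""
    status, records = parse_dig(output)
    if status == "NXDOMAIN":
        return "NXDOMAIN: name does not exist in this zone (the record must be added)"
    if status != "NOERROR":
        return f"{status}: nameserver did not answer normally"
    if not records:
        return "NOERROR but empty answer: name exists, but has no A/AAAA/CNAME"
    return "OK: " + ", ".join(f"{t} {v}" for _, t, v in records)


def check_names(names: List[str], nameservers: List[str],
                dig: DigFn = run_dig) -> Dict[Tuple[str, str], str]:
    """Ask every authoritative nameserver for the A record of every name."""
    results: Dict[Tuple[str, str], str] = {}
    for ns in nameservers:
        for name in names:
            results[(name, ns)] = verdict(dig(ns, name, "A"))
    return results


def all_resolvable(results: Dict[Tuple[str, str], str]) -> bool:
    """True only if every name answered with a usable record on every nameserver."""
    return all(v.startswith("OK") for v in results.values())


# Constructed dig responses: the apex has an A record, www does not exist.
SAMPLE_RESPONSES = {
    ("ns1.example.invalid", "example.com", "A"):
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
        "example.com.\t\t60\tIN\tA\t192.0.2.10\n",
    ("ns1.example.invalid", "www.example.com", "A"):
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243\n"
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0\n",
}


def sample_dig(server: str, name: str, rtype: str) -> str:
    """Offline stand-in for run_dig that replays the constructed responses."""
    return SAMPLE_RESPONSES.get((server, name, rtype), "")


if __name__ == "__main__":
    res = check_names(["example.com", "www.example.com"], ["ns1.example.invalid"], dig=sample_dig)
    for (name, ns), v in res.items():
        print(f"{name} @ {ns}: {v}")
    print("safe to run certbot renew:", all_resolvable(res))
```

Run it against a live zone by passing the NS names from the delegation (for example the `ns-xxxx.awsdns-xx.org` hosts shown in the SOA above) and leaving `dig` at its default; a name that is NXDOMAIN on the authoritative servers will fail validation no matter what a cached `dig www.xxxxx.com any` on the box shows.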

1 Answer


You need to add an A record entry for www.

www A xx.xxx.xx.xx
mdeora
  • No, CNAME is a standard DNS record type, there is only one syntax for it, and it is a mapping between 2 names and not with an IP like your obfuscated `x` seem to imply. – Patrick Mevzek Jul 14 '18 at 03:07
  • Yes you are right corrected the answer. About syntax I meant the Ui of adding Cname record may vary. – mdeora Jul 14 '18 at 04:59