By: netsq

Letsencrypt verification failing for naked domain

September 13, 2016
Let's Encrypt Apache Ubuntu 16.04

Domain netsqservice.com served from GoDaddy.

Set up the nameservers to point to DO:

NS1.DIGITALOCEAN.COM
NS2.DIGITALOCEAN.COM
NS3.DIGITALOCEAN.COM 

Set up 302 forwarding to https://www.netsqservice.com from GoDaddy.

DO zone file:

$ORIGIN www.netsqservice.com.
$TTL 1800
www.netsqservice.com. IN SOA ns1.digitalocean.com. hostmaster.www.netsqservice.com. 1473723299 10800 3600 604800 1800
www.netsqservice.com. 1800 IN NS ns1.digitalocean.com.
www.netsqservice.com. 1800 IN NS ns2.digitalocean.com.
www.netsqservice.com. 1800 IN NS ns3.digitalocean.com.
www.netsqservice.com. 1800 IN A 162.243.140.9
www.www.netsqservice.com. 1800 IN CNAME www.netsqservice.com.

DO Apache conf:

<VirtualHost *:80>
    ServerAlias netsqservice.com
    RedirectMatch permanent ^/(.*) https://www.netsqservice.com/$1
</VirtualHost>


<VirtualHost *:80>
    ServerAdmin admin@netsqservice.com
    ServerName netsqservice.com
    DocumentRoot /var/www/netsqservice.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/netsqservice-error.log
    CustomLog ${APACHE_LOG_DIR}/netsqservice-access.log combined
</VirtualHost>

command:

certbot-auto --apache -d netsqservice.com -d www.netsqservice.com

error:

Failed authorization procedure. netsqservice.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for netsqservice.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: netsqservice.com
Type: connection
Detail: DNS problem: SERVFAIL looking up A for netsqservice.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Note:

When I tried with certbot-auto --apache -d www.netsqservice.com, it worked. The naked domain has some problem in verifying with Let's Encrypt. Any help is highly appreciated.

1 Answer

Look at your DNS zone dump -- your zone is called www.netsqservice.com.. Indeed, you even have an A record for www.www.netsqservice.com.. netsqservice.com. is outside of your zone, and as no separate netsqservice.com. zone currently exists on DigitalOcean's nameservers, queries for netsqservice.com. (or, say, xyz.netsqservice.com.) return an error.

I'm not experienced with how precisely to do it in DigitalOcean's DNS interface, but you need to rename your zone to netsqservice.com., or perhaps create a new zone called netsqservice.com. and delete your current www.netsqservice.com. zone.
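As an added example (not part of the question or the answer): a small Python checker that reads a BIND-style zone dump like the one posted, takes the SOA owner name as the zone apex, and reports whether each name handed to certbot falls inside that zone. Both dumps below are constructed: the first copies the records from the question, the second shows the same zone renamed to netsqservice.com. as the answer suggests.

```python
# Zone dumps are constructed: POSTED_ZONE copies the question's records,
# FIXED_ZONE is the apex-named zone the answer recommends.
POSTED_ZONE = """\
$ORIGIN www.netsqservice.com.
www.netsqservice.com. IN SOA ns1.digitalocean.com. hostmaster.www.netsqservice.com. 1473723299 10800 3600 604800 1800
www.netsqservice.com. 1800 IN A 162.243.140.9
www.www.netsqservice.com. 1800 IN CNAME www.netsqservice.com.
"""

FIXED_ZONE = """\
$ORIGIN netsqservice.com.
netsqservice.com. IN SOA ns1.digitalocean.com. hostmaster.netsqservice.com. 1473723299 10800 3600 604800 1800
netsqservice.com. 1800 IN A 162.243.140.9
www.netsqservice.com. 1800 IN CNAME netsqservice.com.
"""

def _records(zone_text):
    """Yield (owner, rtype, rdata) for each record line, skipping $ directives."""
    for line in zone_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("$"):
            continue
        i = f.index("IN")  # layout: owner [ttl] IN type rdata...
        yield f[0].rstrip(".").lower(), f[i + 1], f[i + 2:]

def zone_apex(zone_text):
    """The zone apex is the owner name of the SOA record."""
    for owner, rtype, _ in _records(zone_text):
        if rtype == "SOA":
            return owner
    raise ValueError("no SOA record: not a complete zone")

def in_zone(name, apex):
    """True if name is the apex itself or lies beneath it."""
    name = name.rstrip(".").lower()
    return name == apex or name.endswith("." + apex)

def check_names(zone_text, names):
    """Map each name to 'ok <rdata>', 'inside zone but no record', or
    'outside zone' (no hosted zone covers it, so resolvers report SERVFAIL)."""
    apex = zone_apex(zone_text)
    addr = {o: r[0] for o, t, r in _records(zone_text) if t in ("A", "CNAME")}
    out = {}
    for n in names:
        key = n.rstrip(".").lower()
        if not in_zone(key, apex):
            out[n] = "outside zone %s (SERVFAIL)" % apex
        elif key in addr:
            out[n] = "ok " + addr[key]
        else:
            out[n] = "inside zone but no A/CNAME record"
    return out
```

Running check_names on POSTED_ZONE with the two names from the certbot command reproduces the page's symptom: www.netsqservice.com resolves, netsqservice.com is outside the zone.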
