Requesting a Let's Encrypt SSL certificate fails on web-based validation and DNS-based validation

Hi Guys,

I have stumbled upon another headache from the Let's Encrypt stable of problems.

I have built a new server and have been progressively migrating virtual hosts over to it from an older Debian 8 server.

If I create a new virtual host on the new Debian 9 server, it requests and adds SSL certificates virtually instantly, and that is fantastic (no problem there).

The problem I have is that when I request a new SSL certificate on one of the newly migrated virtual hosts, I receive the following error:

Validating configuration for domain.com ..

.. no problems found

Requesting a certificate for domain.com, www.domain.com, mail.domain.com, autoconfig.domain.com, autodiscover.domain.com from Let's Encrypt ..

.. request failed : Web-based validation failed : Failed to request certificate :

domain.com.au challenge did not pass: unknownHost :: No valid IP addresses found for domain.com.au

DNS-based validation failed : Failed to request certificate :

Gave up waiting for validation

This is however after I have modified the DNS records to contain the

autoconfig.domain.com

autodiscover.domain.com

mail.domain.com

records, as well as modifying the /etc/apache2/sites-available/domain.com.conf to reflect these changes, then restarting both the BIND and Apache services.

I also checked to make sure that there was no web redirection set to redirect from http to https

and noticed that the _acme-challenge.autodiscover.domain.com.au. 5 IN TXT Rd3_5WWQnnmgzEZNwxMFtnemV7rwSinJUCipJdrJQbU

appears in the DNS zone, which to me would indicate that a successful DNS-based validation should occur.

I have tried to look through the log files but have come up empty as I'm not sure what to look for to find the error.

Status: Closed (fixed)

Comments

Howdy -- thanks for contacting us!

Could you share the full domain name for that domain where you're seeing these issues?

Also, what should the IP address be?

And just to compare, can you share an example domain that is working properly on this new server?

Thanks!

I am just an end user like you... I would first check DNS propagation, here: http://leafdns.com/ Try to fix any errors with DNS and when there are zero errors try requesting the certificate again.

Hi Guys,

I have worked out what the problem is and a solution for anyone else with the same issue.

It all has to do with DNS.

When Let's Encrypt goes to validate the domain names that you are presenting to it for a certificate, it actually does a DNS lookup for each and every one.

Not that it tells you, but that is where it's failing.

It would be way too easy for you to fix with that information.

Instead it gives you the error that makes you look in the wrong place.

So my error was actually to do with

domain.com

not actually being in the DNS zone. Once I put it in and ran the certificate request again, it was like a miracle had occurred....

Validating configuration for domain.com ..

.. no problems found

Requesting a certificate for domain.com, www.domain.com, mail.domain.com, autoconfig.domain.com, autodiscover.domain.com from Let's Encrypt ..

.. request was successful!

Configuring webserver to use new certificate and key ..

.. done

Applying web server configuration ..

.. done

This problem is solved.

Status: Fixed » Closed (fixed)
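The fix described above (the bare domain had no record in the DNS zone) can be caught before requesting a certificate. The following is an added example, not code from the thread or from the hosting tool the posters use: it reads a simplified BIND-style zone and lists the requested certificate names that own no A, AAAA or CNAME record. The zone text, the IP addresses and the function names are constructed for illustration, and the parser assumes single-line records and a `$ORIGIN` line.

```python
# Constructed sample zone (not from the thread). The apex A record is missing.
SAMPLE_ZONE = """\
$ORIGIN domain.com.
$TTL 3600
@   IN SOA ns1.domain.com. root.domain.com. ( 1 3600 600 1209600 3600 )
@   IN NS  ns1.domain.com.
ns1          IN A     203.0.113.10
www          IN A     203.0.113.10
mail         IN A     203.0.113.10
autoconfig   IN CNAME www
autodiscover.domain.com. IN A 203.0.113.10
_acme-challenge.autodiscover 5 IN TXT "constructed-token"
"""
REQUESTED = ["domain.com", "www.domain.com", "mail.domain.com",
             "autoconfig.domain.com", "autodiscover.domain.com"]
ADDRESS_TYPES = {"A", "AAAA", "CNAME"}

def qualify(name, origin):
    """Turn a zone-file owner into a lower-case fully qualified name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def owners_with_address(zone_text):
    """Return the set of FQDNs that own an A, AAAA or CNAME record."""
    owners, origin, last = set(), None, None
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenise
        if not fields:
            continue
        if fields[0].startswith("$"):           # $ORIGIN / $TTL directives
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        # A line starting with whitespace inherits the previous owner.
        last = last if raw[0].isspace() else qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                       # skip optional TTL and class
        if last and fields and fields[0].upper() in ADDRESS_TYPES:
            owners.add(last)
    return owners

def missing_names(zone_text, requested):
    """Names in the certificate request with no address record in the zone."""
    have = owners_with_address(zone_text)
    return [n for n in requested if n.lower().rstrip(".") + "." not in have]

if __name__ == "__main__":
    print("No address record for:", missing_names(SAMPLE_ZONE, REQUESTED))
```

The check only reads the zone text it is given; wildcard records and what public resolvers actually return are outside its scope.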

Automatically closed - issue fixed for 2 weeks with no activity.