In another post, I ran into some challenges with setting up Route 53 for my DNS. That’s been resolved, and now I can add and manage my DNS records on Route 53 from my Virtualmin console. I tested adding a few items from VM, and confirmed they are showing up in R53.
Now, when I try to renew my SSL cert for that domain, I am getting errors. When I try to renew using a Wildcard, I get the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for aiskondns.net and *.aiskondns.net
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: aiskondns.net
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.aiskondns.net - the domain's nameservers may be malfunctioning
Domain: aiskondns.net
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.aiskondns.net - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
When I try to renew for the individual domains w/o a Wildcard, I get the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for aiskondns.net and 3 more domains
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: aiskondns.net
Type: dns
Detail: DNS problem: SERVFAIL looking up A for aiskondns.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for aiskondns.net - the domain's nameservers may be malfunctioning
Domain: ns1.aiskondns.net
Type: dns
Detail: DNS problem: SERVFAIL looking up A for ns1.aiskondns.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for ns1.aiskondns.net - the domain's nameservers may be malfunctioning
Domain: ns2.aiskondns.net
Type: dns
Detail: DNS problem: SERVFAIL looking up A for ns2.aiskondns.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for ns2.aiskondns.net - the domain's nameservers may be malfunctioning
Domain: www.aiskondns.net
Type: dns
Detail: DNS problem: SERVFAIL looking up A for www.aiskondns.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.aiskondns.net - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
When I try to enable the TLSA records in DNS, I get the following:
Failed to save DNS options : Failed to update DNS records : An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: [The request contains an invalid set of changes for a resource record set ‘SSHFP aiskondns.net.’, The request contains an invalid set of changes for a resource record set ‘SSHFP www.aiskondns.net.’]
If you moved to 53, should you have their name servers? How are you using custom name servers?
Also it looks like you're using DNS, not HTTP, to get certs. Are you using the command line?
Have you created a TXT record for _acme-challenge?
I am using Route 53 for my nameservers. That’s why I am posting here. The Domain is hosted / registered with Route 53, and Virtualmin is using it for DNS / Nameservers.
My understanding is that Virtualmin should be creating the TXT records when it issues the challenge, I should not be creating them manually.
@stefan1959 - I’m using the domain aiskondns.net for my own Nameservers. ns1 & ns2 are pointing to my Virtualmin server, so other domains hosted there can use local DNS. (At least until I can move them all to Route 53, I want to get one working properly before I move the others.)
OK, I think that explains it. I thought Amazon updated the Name Servers when I set up the hosted zone, apparently it left them pointing at the old Registrar. Good to know I need to do it manually for the next few…
Gonna wait for the nameserver update to propagate, and try again.
OK, Nameservers are set. It was a combo of the Domain still using the nameservers from the old Registrar, and me messing up the records when I updated them. That's been resolved, and Nameservers and records for aiskondns.net are now good.
The remaining issue is that when I try to request a cert, I am getting:
Failed to save DNS options : Failed to update DNS records : An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: [The request contains an invalid set of changes for a resource record set ‘SSHFP aiskondns.net.’, The request contains an invalid set of changes for a resource record set ‘SSHFP www.aiskondns.net.’]
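The root cause worked out above (the registrar still delegating aiskondns.net to the old provider's nameservers while the Route 53 hosted zone published its own) and Certbot's hint that a manual auth hook must wait for the TXT record to propagate both come down to checks you can run before a DNS-01 renewal. The script below is an added example, not code from Virtualmin, Certbot or this thread: `check_delegation` compares the NS set the parent zone hands out with the NS set each delegated server publishes, and `wait_for_txt` polls every authoritative server for the `_acme-challenge` value, treating SERVFAIL as "not yet". The `dnspython_lookup` helper assumes the dnspython package is installed; the nameserver names in the comments are placeholders, not the real servers for this domain.

```python
"""Pre-flight checks for a DNS-01 renewal: is the delegation consistent, and
has the _acme-challenge TXT record reached every authoritative server?
Added example; dnspython_lookup assumes the dnspython package is installed."""
import ipaddress
import time
from typing import Callable, List, Optional, Tuple

# lookup(name, rrtype, server) -> record strings. server=None asks the system
# resolver; a hostname or IP asks that server directly. Returns [] when there
# is no such record; raises LookupError on SERVFAIL, refused or timed-out queries.
Lookup = Callable[[str, str, Optional[str]], List[str]]


def dnspython_lookup(name: str, rrtype: str, server: Optional[str] = None) -> List[str]:
    """Real lookup backed by dnspython (assumed installed). Reads the answer
    section, or the authority section when a parent server returns a referral."""
    import dns.message
    import dns.query
    import dns.rcode
    import dns.rdatatype
    import dns.resolver
    try:
        if server is None:
            answer = dns.resolver.resolve(name, rrtype)
            return sorted(r.to_text().strip('"') for r in answer)
        try:
            ip = str(ipaddress.ip_address(server))
        except ValueError:  # a hostname: resolve it to an address first
            ip = dns.resolver.resolve(server, "A")[0].to_text()
        resp = dns.query.udp(dns.message.make_query(name, rrtype), ip, timeout=5)
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []
    except Exception as exc:  # NoNameservers (SERVFAIL), timeouts, network errors
        raise LookupError(f"{rrtype} {name} @{server}: {exc}") from exc
    if resp.rcode() == dns.rcode.NXDOMAIN:
        return []
    if resp.rcode() != dns.rcode.NOERROR:
        raise LookupError(f"{rrtype} {name} @{server}: rcode {dns.rcode.to_text(resp.rcode())}")
    wanted = dns.rdatatype.from_text(rrtype)
    for section in (resp.answer, resp.authority):
        for rrset in section:
            if rrset.rdtype == wanted and rrset.name.to_text(True).lower() == name.lower():
                return sorted(r.to_text().strip('"') for r in rrset)
    return []


def check_delegation(zone: str, lookup: Lookup) -> List[str]:
    """Compare the NS set the parent delegates to with the NS set each of those
    servers publishes for the zone. A server that fails (SERVFAIL) or publishes a
    different set is the situation in this thread: the registrar still pointed
    at the old provider while the hosted zone used its own nameservers."""
    parent = zone.split(".", 1)[1]  # "aiskondns.net" -> "net"
    parent_servers = lookup(parent, "NS", None)
    if not parent_servers:
        return [f"could not find nameservers for parent zone {parent}"]
    delegated = set(lookup(zone, "NS", parent_servers[0]))  # the referral
    if not delegated:
        return [f"{parent} servers return no delegation for {zone}"]
    problems = []
    for ns in sorted(delegated):
        try:
            published = set(lookup(zone, "NS", ns))
        except LookupError as exc:
            problems.append(f"{ns} does not answer authoritatively for {zone}: {exc}")
            continue
        if published != delegated:
            problems.append(f"{ns} publishes NS {sorted(published)} but parent delegates to {sorted(delegated)}")
    return problems


def wait_for_txt(name: str, expected: str, nameservers: List[str], lookup: Lookup,
                 timeout: float = 120, interval: float = 5,
                 sleep=time.sleep, clock=time.monotonic) -> Tuple[bool, List[str]]:
    """Poll every authoritative server until all of them return `expected` in
    the TXT set for `name`; what a manual auth hook should do before exiting.
    SERVFAIL counts as 'not yet'. Returns (ok, servers still missing the record)."""
    deadline = clock() + timeout
    while True:
        pending = []
        for ns in nameservers:
            try:
                values = lookup(name, "TXT", ns)
            except LookupError:
                values = []
            if expected not in values:
                pending.append(ns)
        if not pending:
            return True, []
        if clock() >= deadline:
            return False, pending
        sleep(interval)


if __name__ == "__main__":
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "aiskondns.net"
    for line in check_delegation(zone, dnspython_lookup) or ["delegation consistent"]:
        print(line)
```

Run it as `python3 dns01_preflight.py aiskondns.net` before renewing; an empty problem list means the parent's referral and the zone's own NS records agree, which is the condition the SERVFAIL errors above were reporting as broken. Inside an auth hook, call `wait_for_txt` with the NS names from the hosted zone and the token Certbot passes in `CERTBOT_VALIDATION`, and exit non-zero if it returns `False`.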
OK, canceling this question - after digging some more, Route 53 is both more work, and more expensive, than Namecheap to work with. I’m moving my domains back to Namecheap, so this is moot.