Koozali.org: home of the SME Server

Error NXDomain with Letsencrypt / Install with John Crisp contrib

Offline john56

Hi, I am stuck at this step:

Quote
db hosts setprop www.mydomain.com letsencryptSSLcert enabled
db domains setprop mydomain.com  letsencryptSSLcert enabled

My subdomain is buzz.kerplouz.com (for https://buzz.kerplouz.com/roundcube/ and others)

What do I write?

Thanks
« Last Edit: November 19, 2016, 12:56:17 PM by john56 »

Offline janet

« Reply #1 on: November 19, 2016, 01:26:03 PM »
john56

I think you would write:

db hosts setprop buzz.kerplouz.com letsencryptSSLcert enabled
db domains setprop buzz.kerplouz.com letsencryptSSLcert enabled
(Each of the two commands above is on one line.)

To be sure they are activated also do
signal-event post-upgrade
signal-event reboot


« Last Edit: November 19, 2016, 01:29:28 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline DanB35

« Reply #2 on: November 19, 2016, 01:32:25 PM »
@john56, your post has a title and contents that don't match--are you getting the subject error at some point?  If so, when?

To the text of your post, it's really going to depend on whether (1) buzz.kerplouz.com is the only hostname you want the certificate to cover (because TLS certificates from Let's Encrypt can include up to 100 hostnames), and (2) whether your SME server considers buzz.kerplouz.com to be a hostname or a domain name.  To determine the latter, run 'db hosts show' and 'db domains show', and see which of those commands lists "buzz.kerplouz.com".
......

Offline john56

« Reply #3 on: November 19, 2016, 01:35:55 PM »
buzz.kerplouz.com=domain
But www.kerplouz.com exists in another registrar (in their panel, I've created buzz.kerplouz.com going to my public IP address)

Offline DanB35

« Reply #4 on: November 19, 2016, 01:38:56 PM »
If that's a domain, then you'd run 'db domains setprop buzz.kerplouz.com letsencryptSSLcert enabled'.  If there aren't any other hostnames you want included in the cert, you wouldn't need to set that for any hosts.
......

Offline john56

« Reply #5 on: November 19, 2016, 01:46:47 PM »

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "DNS problem: NXDOMAIN looking up A for www.buzz.kerplouz.com",
    "status": 400
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Xb3Ptx_yFSCwa1FxK4JDUQ48mYk3p9KkhL8YtkJD3II/17009668",
  "token": "r2_RGG8-HhXcA2vXQwbrYWNDXYeEL3uSN8J2qIfr8zc",
  "keyAuthorization": "r2_RGG8-HhXcA2vXQwbrYWNDXYeEL3uSN8J2qIfr8zc.QRGFiL6dAIfkkfegatIKqhQ4uBivliQKBBJwX2YdbEA",
  "validationRecord": [
    {
      "url": "http://www.buzz.kerplouz.com/.well-known/acme-challenge/r2_RGG8-HhXcA2vXQwbrYWNDXYeEL3uSN8J2qIfr8zc",
      "hostname": "www.buzz.kerplouz.com",
      "port": "80",
      "addressesResolved": null,
      "addressUsed": ""
    }
  ]

Offline DanB35

« Reply #6 on: November 19, 2016, 01:50:15 PM »
Well, that's not the same FQDN.  buzz.kerplouz.com is not the same as www.buzz.kerplouz.com, and though there's an A record for buzz.kerplouz.com, there's no such record for www.buzz.kerplouz.com.  Have you enabled Let's Encrypt for any other hostnames?

Edit:  What's the output of 'db hosts show www.buzz.kerplouz.com'?
« Last Edit: November 19, 2016, 01:52:02 PM by DanB35 »
......

Offline john56

« Reply #7 on: November 19, 2016, 01:55:49 PM »
http://www.buzz.kerplouz.com/ doesn't exist.

buzz.kerplouz.com (subdomain of www.kerplouz.com) has been created in a registrar and goes to my public IP address of the SME server.

Buzz.kerplouz.com is also the domain name of the sme server (during the installation).

Sorry not to be very clear but even I am lost ...

http://buzz.kerplouz.com/
https://buzz.kerplouz.com/webftp/
https://buzz.kerplouz.com/roundcube/
« Last Edit: November 19, 2016, 01:57:57 PM by john56 »

Offline DanB35

« Reply #8 on: November 19, 2016, 01:59:54 PM »
Quote
http://www.buzz.kerplouz.com/ doesn't exist.
No, it doesn't.  But your SME server thinks it does and is requesting a certificate for it.  Again, what's the output of 'db hosts show www.buzz.kerplouz.com'?
......

Offline john56

« Reply #9 on: November 19, 2016, 02:13:43 PM »
db hosts show and db domains show :

http://pastebin.com/UQA33M6K

Offline DanB35

« Reply #10 on: November 19, 2016, 02:17:33 PM »
Code:
www.buzz.kerplouz.com=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    letsencryptSSLcert=enabled

There's your problem--your system is trying to get a cert for www.buzz.kerplouz.com because you told it to.  Run 'db hosts delprop www.buzz.kerplouz.com letsencryptSSLcert'; 'signal-event console-save', then try obtaining the cert again.
......
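
Added example, not part of the original thread or of the contrib: a pre-flight check that lists every host and domain record with letsencryptSSLcert=enabled and reports the ones with no public A record, which is how a stray entry such as www.buzz.kerplouz.com ends up failing http-01 with NXDOMAIN. The function names, the PUBLIC_DNS resolver address and the sample records (other than the one quoted above) are assumptions; the lookup goes to an outside resolver because the server may answer locally for hosts it defines itself.

```shell
#!/bin/sh
# Added example; function names and PUBLIC_DNS are assumptions, not part of the contrib.
PUBLIC_DNS="${PUBLIC_DNS:-8.8.8.8}"   # assumed outside resolver; any public one works

# Constructed sample of 'db hosts show' / 'db domains show' output.
# The first record is the one quoted in the thread; the other two are made up.
sample_db_output() {
cat <<'EOF'
www.buzz.kerplouz.com=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    letsencryptSSLcert=enabled
mail.buzz.kerplouz.com=host
    HostType=Self
buzz.kerplouz.com=domain
    letsencryptSSLcert=enabled
EOF
}

# Read db output on stdin; print each key that has letsencryptSSLcert=enabled.
le_enabled_names() {
    awk '
        /^[^ \t]/ { split($0, kv, "="); name = kv[1]; next }  # header line: key=type
        /^[ \t]+letsencryptSSLcert=enabled[ \t]*$/ { print name }
    '
}

# True if the public resolver returns at least one IPv4 address for $1.
resolves() {
    dig +short A "$1" @"$PUBLIC_DNS" 2>/dev/null | grep -Eq '^[0-9]+(\.[0-9]+){3}$'
}

# Read names on stdin; print those that do not resolve publicly.
unresolvable_names() {
    while read -r n; do
        [ -n "$n" ] || continue
        resolves "$n" || echo "$n"
    done
}

# On the server: sh thisfile --check
if [ "${1:-}" = "--check" ]; then
    { db hosts show; db domains show; } | le_enabled_names | unresolvable_names
fi
```

Any name this prints should either get an A record or have the property removed before the certificate is requested again.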

Offline john56

« Reply #11 on: November 19, 2016, 02:24:44 PM »
It looks great !  Many thanks !  (can you try ?)

Offline DanB35

« Reply #12 on: November 19, 2016, 02:30:15 PM »
Yep, it's up and running using the Let's Encrypt cert.
......

Offline john56

« Reply #13 on: November 19, 2016, 02:33:21 PM »
thanks !  I need to do dehydrated -c every 3 months, is that right ?

Offline DanB35

« Reply #14 on: November 19, 2016, 02:40:31 PM »
If you're using John Crisp's contrib, it should have that running daily by default--check to see that /etc/cron.daily/letsencrypt is present.  Running daily is not a problem--it will run, check your existing cert, and if your existing cert has more than 30 days' validity remaining, it will exit and do nothing.  When the cert has less than 30 days left, it will automatically renew it and reload all your system's services to use the new cert.
......